Copyright Albert Wu 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Spring Roles: Moving Forward on an Access Management Strategy
Albert Wu, University of California Los Angeles
NMI-EDIT, Internet2 MACE, EDUCAUSE Net@EDU Identity Management Workgroup
EDUCAUSE Southwest Regional 2008, Tuesday, April 1, 2008
Today
• What is Access Management?
• Surveying Access Management Practices
• What is UCLA Doing with Access Management?
This session is brought to you by Internet2, Educause, and the NMI-EDIT Consortium.
What is Access Management?
I want to automatically give all students enrolled in CS143 access to my lab, the class web sites, and software in the lab.
I don’t want to run around getting access to everything for my classes. I want what I need, where and when I need it.
What is Access Management?
I want to create a project group and when I invite someone to join that group, they immediately have all related access. … And when I join that group, I want immediate access to all relevant resources.
I want to quickly grant my assistant access while I’m away rather than loan her my access!
What is Access Management?
I want to run a review process in which students, faculty, staff and administrators review and approve different components and different points in the process.
Before I terminate this person, I want to make sure all their current access is revoked throughout the campus.
Access Management
• Who has access?
• How do we reliably grant and revoke access?
• How do I delegate my access to another?
Surveying Access Management Practices
• 2 Questionnaires
• 8 Universities
• comprehensive research institutions
• public and private
• 7,000 – 51,000 students, faculty and staff
• Respondents were asked to include a small campus group in answering the questions.
Internet2 led a survey with support from the EDUCAUSE Identity Management Working Group
Survey One: Tell Us About You
An open-ended questionnaire asking:
• What are your access management initiatives?
• Which factors drove the launch of the initiatives?
• What are your plans?
• What are the expected new capabilities?
• How will others know when it’s time to launch access management initiatives?
Themes and Recommendations
1. Audience/end-users
2. Policy/Auditing
3. Business process/Work flow
4. Architecture
5. Data use/Protection
6. Project management
Audience & End Users
An access management system should have a friendly user interface and a high degree of usability, accommodating a wide range of potential users.
Policy and Auditing
Develop policies related to access control, ensure that the system will do what it is intended to, and define the roles of central IT and distributed IT offices.
Business Process / Work Flow
• Focus on people/how they get their work done
• Distribute control and management of groups
• Distributed authorization is in
• Reduced administration by local IT groups
Architecture
• Create groups-based authorization system
• Streamline management
• Support standards
• Anticipate substantial increase in the demand for groups and collaboration
• Think flexible design
• Focus on security, of course
Data Use / Protection
The access management system will leverage existing institutional data and make it easy to incorporate new data (mainly from end-users).
• Reduce need for special accounts
• Reduce duplication of effort to manage access
• Gather new/additional data
• Widely distributed, common access management interface
Project Management
Effective access management systems are likely implemented in stages with broad campus involvement.
• Implementation in stages
• Broad campus involvement
• Implementation is project focused, management of the system is more operationally focused.
Survey Two: Infrastructure Maturity
Self-assessment measuring the maturity of policy, infrastructure, and operational practices:
• Data stewardship
• Identity Management System Coverage
• IT Infrastructure and Planning
• Data sharing and re-use
• Groups and Access Management
• Access Management Enabled Policy Enforcement
• Access Management Audit
Per-institution average score for the Infrastructure Maturity Survey
[Chart: average response (0.0 to 10.0) per main category for each of the 7 participating institutions. Categories: 1. Data Stewardship; 2. People in IdM Sys.; 3. Other entities in IdM; 4. IT infrastructure; 5. Data sharing/re-use; 6. Enriching ID through groups; 7. Basic Access Mgmt; 8. Policy control/priv. mgmt.; 9. Managing Access Mgmt. data]
Participant recommendation
The problem areas demonstrated by the graphs indicate areas where Internet2 & EDUCAUSE could help with outreach and educational activities
• Policy control
• Managing access management data
How will colleagues at other institutions know when to consider access management initiatives?
Access Management Tripwires
• Applications are using different sets of group access rules
• Multiple systems require common access information
• There is the institutional will/desire to proceed
• A global identifier for users is in place
• An identity management infrastructure exists
• There is a demand to collaborate with other institutions
• There is a need to quickly provide access to electronic resources
Access Management @ UCLA
• Distributed security administration based on departmental/financial hierarchy
• Manages access for key administrative applications
• Early attempt at enterprise permission management
• Value-based, explicit permissions
• Permission management is a business function
DACSS
Access Management @ UCLA
• Academic delegation hierarchy
• Access by position in workflow
• Download members data from data warehouse
• Explicit permissions within each application
• Students can delegate access to personal data and permission to pay tuition to parents
Class Web Sites, Academic Applications, and Others
What is IAMUCLA?
• Identity & Access Management @ UCLA
• Who wants to access a resource? (Authentication)
• Does the person have permission? (Authorization)
IAMUCLA
• Enterprise Directory
• Common Logon ID
• Web Single Sign-on
• Enterprise Group/Permission Management
Before IAMUCLA
Departmental Intranet
User logs into each application separately using different logon IDs
Permissions managed separately in individual applications
URSA
Class Web Sites
Discussions
Service Requests
Budgeting
Research Proposal Tracking
Applications kept separate user identity data
… and others
URSA
RATS
MyUCLA
Travel Express
Financial Web Reports
many other web apps
IAMUCLA Phase I
ISIS/Shibboleth: Web Single Sign-On
Enterprise Directory
User logs in using UCLA Logon ID
ED supplies user identity data
Permissions managed separately in individual applications
At a Threshold
• CCLE – Faculty & Students
• DAT – Faculty & Staff
• IWE – Students & Parents
• GRID – Researchers at UCLA & other campuses
• Clinical Research – Physicians & Students
• Research collaboration – Faculty & Students at UCLA and other campuses
A window of opportunity for a new way to handle permissions
Several new applications are emerging with new and large communities of users
IAMUCLA Phase II
URSA
RATS
MyUCLA
Travel Express
Financial Web Reports
many other web apps
ISIS/Shibboleth: Web Single Sign-On
User logs in using UCLA Logon ID
Permission Management Tools
Enterprise Directory
ED delivers user identity, groups, and permissions data via Shibboleth
Manages permissions once and replicates the same permissions data to non-web systems
Phase II Deliverables
• Deploy enterprise-wide, 24x7 permissions management system
• Provide cross-campus integration for all applications
• Support access delegation
• Provide support for local integration
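The scenarios from the opening slides (access derived from a class group, delegating to an assistant instead of lending credentials, revoking everything before a termination) and the Phase II delegation deliverable, modelled as a small group-based permission store. This is an added example written for this page, not IAMUCLA or DACSS code; the group, user and permission names are constructed.

```python
# Constructed example, not IAMUCLA or DACSS code: group-derived permissions,
# delegation as a separate grant in the delegator's own name (no credential
# lending), and a termination that revokes everything held or handed out.
from collections import defaultdict

class AccessManager:
    def __init__(self):
        self.group_perms = defaultdict(set)  # group -> permissions
        self.members = defaultdict(set)      # group -> users
        self.grants = defaultdict(set)       # user -> explicit permissions
        self.delegations = []                # (delegator, delegate, perm, last_valid_day)

    def direct_perms(self, user):
        """Permissions held in the user's own right: group-derived plus explicit."""
        groups = [g for g, users in self.members.items() if user in users]
        return set(self.grants[user]).union(*(self.group_perms[g] for g in groups))

    def delegate(self, delegator, delegate, perm, last_valid_day):
        # A delegation can never exceed what the delegator currently holds.
        if perm not in self.direct_perms(delegator):
            raise PermissionError(f"{delegator} does not hold {perm}")
        self.delegations.append((delegator, delegate, perm, last_valid_day))

    def effective_perms(self, user, today):
        """Own permissions plus unexpired delegations whose delegator still holds them."""
        perms = self.direct_perms(user)
        for delegator, delegate, perm, last_day in self.delegations:
            if delegate == user and today <= last_day and perm in self.direct_perms(delegator):
                perms.add(perm)
        return perms

    def terminate(self, user):
        """Revoke campus-wide: memberships, explicit grants, delegations either way."""
        for users in self.members.values():
            users.discard(user)
        self.grants.pop(user, None)
        self.delegations = [d for d in self.delegations if user not in d[:2]]

def demo():
    # Constructed scenario: CS143 students get lab and site access from the group;
    # the instructor delegates grading to an assistant for a bounded period.
    am = AccessManager()
    am.group_perms["cs143-students"] |= {"cs143-lab", "cs143-site"}
    am.members["cs143-students"].add("alice")
    am.grants["bob"].add("cs143-grade")
    am.delegate("bob", "carol", "cs143-grade", last_valid_day=10)
    during, after = am.effective_perms("carol", 5), am.effective_perms("carol", 11)
    am.terminate("bob")
    return during, after, am.effective_perms("carol", 5)
```

Because a delegate's access is re-checked against what the delegator still holds, revoking the delegator's source permission (or terminating them) removes the delegated access at the same time, which is the campus-wide revocation the termination scenario asks for.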
1. Audience/end-users
2. Policy/Auditing
3. Business process/Work flow
4. Architecture
5. Data use/Protection
6. Project management
Lessons So Far
• Access management is a business function
• Distributed security administration works
• Access management is not intuitive. Education is important.
• Controllers and auditors are your friends
• Foster user communities; provide regular training
Lessons So Far
• Leverage standards
• Architect for extensibility
• Timing is key. Catch the applications at a critical update cycle
• Deploy in stages
• Design for the end user
• trained security administrators (bulk security administration)
• every day users (self-delegation)
• auditors and managers (reports, alerts, analysis)
• help desk staff
Internet2 Middleware | http://middleware.internet2.edu
IAMUCLA Web Site | https://spaces.ais.ucla.edu/iamucla
Albert Wu | [email protected]