Russian Escort Service in Delhi 11k Hotel Foreigner Russian Call Girls in Delhi
Unc cause 2010 Identity and Access Mgmt Panel
1. Identity and Access Management
Updates on IAM in the System
Mark Scheible, NC State University
Lynn Franz, Western Carolina University
Jan Tax, UNC-Chapel Hill
Steven Hopper, UNC-GA
2. Introductions
Mark Scheible
Manager, Identity and Access Management
NC State University
Lynn Franz
Application Development & Data Management
Western Carolina University
Jan Tax
Identity and Access Management
UNC Chapel Hill
Steven Hopper
Director of Online Services & CTO for UNC Online
UNC General Administration
3. Identity and
Access
Management
“Identity Management has evolved
to include policies, procedures and
the broad spectrum of technologies
required to establish institutional
identity management (IdM)
systems” –
(EDUCAUSE IAM Working Group)
4. Identity and
Access
Management
• Identity Vetting & Proofing - making sure the
information provided about an individual (e.g.
name, DOB, address, phone number,
degree(s) earned, etc.) is accurate and
verified, and insuring a credential is issued to
the appropriate person
• Credentialing - the issuing of a “username
and password” for authentication purposes
• Directories – database(s) containing
information associated with individuals and
resources (in this context, identity data or
“attributes”)
• Authentication Services – used to
authenticate someone (the login process)
• Authorization Services – used to determine
what access an individual has to applications,
resources, etc., based on who they are, or
their membership in a group
Major areas of interest
6. Panel
Discussion • Identity Population Utilization
(Lynn Franz)
• Group Management
(Jan Tax)
• Federated Identity Management
(Steven Hopper)
Each of our panelists
will touch on a different
aspect of IAM …
8. Where we started…
First decision:
Banner is the data
source of record.
It drives access to
IT resources and
services.
9. One of the first tasks was to look at
the various populations…
A solid understanding of organizational roles is key for
creating and maintaining identity and access
management.
10. At the highest level, our data consisted of three populations.
11. Each population consisted of further sub-categories.
STUDENT
Intending
Student?
Cullowhee
Commuter?
Currently
Enrolled?
Continuing?
Former
Student?
Future
Student?
12. This foundation is the core of our Identity Management
processing.
Group
Group Members
Further Sub-Group
Memberships
We defined and created a scalable mechanism for identifying,
creating, and managing those groups.
14. If the Role definition changes, it’s changed in ONE place.
Consumption of the Role is not interrupted.
Role definitions are consistent across consumers.
Security
Groups and
Distribution
Lists
Reports
Database
Database
Role
Luminis
RolesInterfaces
between data
sources, on
or off campus
15. Roles can be defined, re-defined, and sub-grouped.
Meanwhile, the organization keeps rolling along…
Staff or
(Full/Part-Time)
Faculty
Graduate Assistant
(Teaching and Lab)
Graduate
Assistant (Non-
Teaching, Non-
Lab)
Student Worker
Hourly or
Temporary
Worker
Cullowhee
Commuter
Guest
or Consultant
16. We had to make another key decision…
Banner allows for one external username association with one individual.
One individual may exist in multiple roles!
Should these have the same external username?
Sally Sue
Student accounts (email hosted off campus) and Non-Student
accounts (email hosted on site) would have unique external
usernames. Both are provisioned in Active Directory. A Banner mod
was necessary for this association.
17. This simple SQL statement returns the Active Student member information.
( Banner PIDM, Role, Active Directory External Username )
The
Blackboard
integration
components
can be easily
associated
using a single
point of
reference for
group
membership…
18. How do all these roles fit with the larger picture?
Identity
Management
Banner
Other
Systems
With the foundation in place…
19. Active Directory Outlook Properties Sync
Online Directory uses a Banner database view.
People review their information and send
corrections to HR using an Online Correction
Form.
Banner data feeds to Active Directory and Outlook
Properties are updated.
20. Oracle packages using DBMS_LDAP functionality are used
for the updates behind the scenes...
21. Outlook Properties provide the campus with reliable contact data, which
can be consumed by other applications (such as the help desk ticketing
system, Paw-Print, and Shibboleth).
Supervisor
Name
22. Method for managing roles that are not data driven from Banner.
Automation and management of these roles requires additional data to be
stored in Oracle tables. The tables also provide audit information and access
control. Roles are managed by individual “owners”, who can assign
“managers”. The owners and managers add/remove members, as defined by
privilege assignments.
Manually Managed Roles
Committees
Organizations
Digital Millennium Copyright
Act Offenders
Registered Exchange Active
Sync User
23. Automated AD Security Groups
Automated Distribution Groups (in progress)
With automated and manual roles in place…
25. HR Intake/Outtake Interface
As individuals enter and exit HR positions, automated processes will provide accurate and
timely account information (for create, terminate, and modify actions).
•No Affiliation
with
University
•Not a Student,
Guest, or
Employee
Not
Affiliated
•University
Identity/Email
•Access to
University
Information
Resources
Affiliated
•No longer
Affiliated with
University
•No Access to
University
Information
Systems
Not
Affiliated
Position
Change
(Personnel
Action)
Health
Services
Gym Usage
Parking
PermitsLibrary
Cat Card
Personnel action events will be consumed by other organization entities.
26. Establishment of a practice for managing non-person accounts. These accounts
must receive approval and have a WCU sponsor.
Examples of these accounts are email accounts for various groups such as
Athletics (baseball@wcu.edu) and departments (admission@wcu.edu).
Non-Person Account Management
27. Campus Security Request Process
Provide users on campus one method/location for
requesting additional security and authorization to university
systems and resources.
Provost
Office
Finance
Facilities
28. Along the way there have been some internal automations that
have streamlined IT processes.
This WayManagementIdentity
o Managing INB Users
o Managing Banner Security
o Banner Self-Service Password Changer (AD authentication for INB accounts)
o Help Desk unlock of Banner Accounts
o Reports
29. help us move toward our future goal of Role Based Access.
Identity role definitions, automated processes, and better internal and
external procedures …
31. Challenges…. Culture change is necessary… and
sometimes very difficult to achieve.
Ownership and governance must belong to
the stakeholders. (Not an IT problem!)
It is time consuming to review and define
the various organizational business entities.
There are some tough issues to tackle (for
example, account management of non-
person accounts).
Processes have to be set up for managing
identities.
Boundaries, for how groups can and can’t
be used, need to be defined and enforced.
32. Removing bad data and standardizing data
definitions provides better access for data
consumption.
As data consumption increases, it is easier
to identify and resolve problems.
Paves the way to help identify business
processes that need to be reviewed and
refined.
Readily highlights auditing concerns.
Systems that are not automated immediately
can still utilize role information by seeing a
person’s role information and adjusting
local security to fit the roles.
Provides framework for retiring old systems
and implementing new systems.
Rewards….
33. Proactive:
• looking at campus-wide scope for 1 – 10 years down the road
• reviewing institutional business level processes
Process:
• creating well-defined procedures
• implementing data driven events
Prevention:
• decreasing resource issues through greater efficiencies
• removing frustrations due to old, outdated business processes
• warding off security threats and problems with solid role-based identity
Following the 3 P’s to
success….
36. Background
o UNC-CH has a heterogenous IAM environment
o Centrally managed directories and authentication:
• OpenLDAP, Kerberos, Shibboleth SSO
• Active Directory
• Oracle OID and OSSO
o Distributed/school/departmental directories and
authentication systems
o Lots of changes going on
• new ERP
• Email shift from in-house IMAP to Exchange and Live@Edu
o Want to have consistency across environments
(and to reduce the number of environments over time!)
37. Central IdM system
Person data is managed by a homegrown system that
aggregates data from multiple sources
o Inbound connectors
Bio/demo data – PeopleSoft is single source
Affiliation data – multiple sources (for now)
• Pre-Student/Student – 20+ categories
• Faculty/Staff – 5 subcategories
• Affiliates – 10 subcategories
o Outbound connectors
• OpenLDAP – white pages, applications
• Active Directory – Exchange, applications
• Oracle Internet Directory – Calendar, AppServer
38. Authorization
Access decisions can be based on a
person’s attributes …
Classification (faculty/staff/student)
Department
Entitlements
… or on memberships in groups
Automatic (members defined by a filter or expression)
Manual (members managed by a person)
Composite
Groups are a very versatile mechanism
39. Groups Management
o Want to manage groups centrally, not have locally
managed groups in each environment
Reduces security risk (timely removal)
Increases productivity (timely access)
o Ideally, a single point of management for the
enterprise
o Allow delegation for managing groups as much as
possible
o Provide consistent replication of groups data across
different directories/environments/applications
40. Grouper
o Internet2 Middleware project – a toolkit for managing groups
(http://grouper.internet2.edu)
o Integrates with an existing Identity Management system
o Handles the set logic used to combine groups
o Flexible configuration for sources – JDBC, JNDI
o Create/maintain groups with SQL queries
o LDAP connector to provision directories
o Access to group data with Web Services, .NET, PHP
o Command line interface to Java API & tools
o Lite UI delivered with product can be reskinned
41. Grouper @ UNC-CH
Grouper is used to provision groups to the two main directory systems:
ldap.unc.edu:
• ou=groups,dc=unc,dc=edu
ad.unc.edu:
• ou=groups,ou=identity,dc=ad,dc=unc,dc=edu
o MDG_ distribution groups
o MSG_ security groups
Existing uses of LDAP groups managed by Grouper
Carolina Content Management
• Roles and content-specific rights
Web Services Manager
• Web services mapped to group of authorized clients
Misc. Application Access Control
• Determines what app. capabilities they have
LDAP Access Control
• Membership makes categories of directory data visible
42. Case Study: Migrate ITS AppServer
from Oracle to GlassFish
o Oracle AppServer had its own IAM environment
Oracle SSO (OSSO) and Internet Directory (OID)
Used OID groups for access control
o Move to GlassFish AppServer
Supports groups for access control via LDAP realm concept, but
requires LDAP authentication
Desire to use Shibboleth SSO for authentication
o Process
Move OID groups into Grouper and sync to LDAP
Configure Shibboleth to pass specific group memberships to application
o Results
GlassFish uses campus standards for access management
Oracle SSO and OID are decommissioned
43. Identity and Access Management
UNC Identity Federation Update
Steven Hopper
UNC-GA
44. UNC Identity
Federation
Background
o August 2008
Production federation
(Shibboleth)
17 UNC institutions (Identity
Providers)
Inter-institutional Registration
(Service Provider)
WAYF
Development federation for
testing, etc.
45. Existing Services
o Foundation for all system-wide application development.
o Examples include:
GA Services (inter-institutional registration, exam proctoring,
www.northcarolina.edu, ActiveCollab)
RAMSeS (sponsored programs and research management tool from
UNC-CH.
SciQuest (eProcurement)
VCL (Virtual Computing Lab at NCSU)
MCNC/NCREN (Videoconference scheduling, network status tools, etc)
46. Vendor
Integration o Encouraging vendors to
Shibboleth-enable applications
o InCommon - vendors are
hesitant to join
Cost (upfront and recurring)
Arduous joining process
(legal)
Want to pass joining costs
back to UNC
Often not feasible given tight
implementation timelines
47. Solution:
Affiliates
Federation o Create a 3rd “Affiliates
Federation”
Production
Development
Affiliates
o Create a streamlined (and
free) process for vendors to
join
o Allows campus Identity
Providers to have a separate
“handle” when making
attribute release decision.
48. Affiliations Federation
Membership
o Current Members
PeopleAdmin: HR Applicant Tracking
SciQuest: eProcurement
o Prospective Members
ZimRide: Car Pooling
Qualtrics: Survey & Feedback Software
52. LDAP
Updates people
data in:
ou=People
LDAP ties together Person and Groups data
Directory
Master
(Idm)
write ou=people
ou=groups
Reads people data
so they can be
added to groups
Grouper
(Idm)
Updates group
data in:
ou=Groups
read
write
53. LDAP
Updates people
data in:
ou=People
Populating LDAP with Person Data
Peoplesoft
HRIS
AffiliateWeb
EpaWeb
Directory
Master
(Idm)
ou=people
ou=groups
Directory Master aggregates person data
updates from various sources and
synchronizes this data to the directory
DB
54. LDAP
Reads people data
so they can be
added to groups
Populating LDAP with Groups Data
Grouper
(Idm)
ou=people
ou=groups
Updates group
data in:
ou=Groups
Grouper stores group information natively
in a relational database, but also writes
groups data to the directory…
DB
Admin/user
Admin/user
Admin/user
Delegated Grouper
users
55. Shib IdP
(IdM)
IdP queries LDAP for
membership information
Browser/
App
IdP synthesizes attrib isMemberOf from
group membership and app config (eg.
limits to relevant groups)
LDAP Person Attributes Delivered with Shib IdP
LDAP
ou=people
ou=groups
IdP queries LDAP for
person attributes
Idp asserts combined
person attributes,
including isMemberOf
IdP uses person attributes directly, but
releases only those configured for each
application