Directory Design: Campus Identifiers and Namespace
Tom Barton
University of Chicago
CAMP Directory Workshop Feb 3-6, 2004
Copyright Tom Barton 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
If core middleware is plumbing, this talk is about how to really understand the sewage it transports
Architectural decision factors
Ability to execute
Technique
Mission
What we’re trying to accomplish
Reduce burden on end users to access online services
Reduce burden on IT organizations to operate multitude of online services
Increase security
Enable online service for our constituents earlier in their affiliation with us, wherever they are, and forever
Participate in new, inter-organizational, collaborative architectures
Terminology
Identity: set of attributes about and identifiers referring to a person. Operationalized as a “person object”.
Authentication: process used to associate a user with an identity. Often a login process.
Authorization: process of determining if policy permits an intended action to proceed.
Customization: presentation of user interface tailored to user’s identity. Subsumes personalization.
What identity management is
Integration of information about people (and other actors) from multiple sources
Processes that transform source data, maintain information about assigned information resources, derive affiliation information, and place resultant data where it can be of use
Locus for implementation of policies concerning visibility and privacy of identity information and entitlement policies
It’s identity management, silly!
Because an authentication process binds a person with an identity, and
Because the level of assurance of the authentication process together with the attributes of that identity form the basis for access to be granted the person,
It Follows That access control effectiveness is limited by identity management practice.
Components of the whole access management system:
1. identity management
2. credential distribution
3. authentication
4. authorization
Comparative service architectures
Stovepipe (or silo): Application performs its own authentication and consults its own database for authorization and customization attributes.
[diagram: a single application with its own authN, attributes, and groups]
Comparative service architectures
Integrated: Suite of applications refer authentication to and obtain attributes for authorization and customization from common infrastructure services.
[diagram: application 1 … application N all using a shared authentication service and a shared attribute/group service]
Comparative service architectures
Stovepipes are run by separate offices
– Environment is more challenging to users, who may need to contact each office to arrange for service and remember several sets of credentials
– Any life cycle management of service specific resources is undertaken by each service specific office independently
– Per-service identifiers and security practices make it more difficult to achieve a given level of security across the enterprise
Comparative service architectures
Common identity management processes are coordinated by a central office
– Attributes known by the organization about a member can be integrated and made available to applications, easing the burden on end-users and on IT shops
– Automated & consistent life cycle resource management becomes possible across all integrated applications
– Common identifiers across integrated applications help make a more secure user environment
Core middleware for an integrated architecture
Typical uses
Provisioning & run-time authentication and authorization for common “baskets” of services: email (reading & sending), calendar, shell & cluster accounts, network access services, myriad web apps, LMS, library databases, home directories, …
Online account initialization & self-administration
Provisioning associated IT operations with identity data for their infrastructure
Distributing management of identity data across authoritative sources, manual or automated, central or distributed
Identifier discovery
First cut black box analysis of what’s to be built
Core middleware will convey identity information from authoritative sources to applications, so …
– Find out who assigns what identifiers to which constituencies for what purposes
– Find out which applications or services use which identifiers and are intended to serve which constituencies
– Make the rounds of IT shops, larger ones first. Ask what they do and what their top issues are
Assess mission, ability to execute, & existing technique
Two identifier survey matrices
ID mapping table
– Columns: ID name, Early Harvest equivalent, primary use, characteristics, who assigns, who gets one, where stored, format
– Characteristics: lucency (vs. opacity), persistence (revokable?, reassignable?), unique within <scope>, intelligence (subfields?), granularity, extensibility, visibility
Abbreviated ID mapping table
http://middleware.internet2.edu/earlyadopters/identifier-mappings/
Fundamental ID   | Who Assigns?      | Who Gets One?
id               | Central IT        | People
universal_userID | Central IT        | People
uid              | guest registrars  | guests
email            | Central IT        | People
clusterID        | Central IT        | Shell account opt-ins
sisID            | Registrar         | Students & instructors
hrsID            | HR                | Staff
frsID            | Controller        | Holders of budget roles
adsID            | Marketing & Adv   | Graduates, other donors
aprID            | Provost           | Faculty
operatorID       | Controller        | ERP security principals
patronID         | Library           | Library patrons
Characteristics example
sisID characteristics
– Government assigned SSN or assigned by Registrar
– Opaque
– Persistence: revokable & reassignable
– Unique among all values of sisID at one time
– Intelligence: no subfields
– Granularity: one per person
– Not extensible
– Visibility: some limits on when displayed or presented
SSN on campus – effectively a locally assigned identifier!
– Foreign students
– Many points of operational authority
– sisID is NOT named “SSN”!
Constituencies & services matrix
For each constituency you discover, note the different identifiers assigned to them
For each service you discover, note the identifiers it does or might use for each constituency
Keep a running legend of identifiers discovered by this process
Look for
– Gaps between present and desired service levels
– Complexity of present environment, opportunities for simplification
Constituencies & services matrix
Legend: I = ISO, U = UCID, C = CNetID, S = StuID, H = UCHID, P = Personal info, R = RegID, O = Other
Constituencies (columns): students, faculty, staff, alums, expected
Who has what, or will have, that we get:
– students: I,U,(C),S,P,R
– faculty: I,U,(C),P,R
– staff: I,U,(C),P,R
– alums: (U),(C),P,R
– expected: (U),(C),P,R
Identifiers each service uses (cells in matrix order):
– Payroll: U,O(acf2)
– Student system: U,C,S
– Provost ops: O(ssn)
– Purchasing: C | C
– Alumni community: U,C | U,C | U,C
– Financials: O(acf2)
– Credit Union: U | U | U
– Time/Attendance: U,P
Constituencies & services matrix
Legend: I = ISO, U = UCID, C = CNetID, S = StuID, H = UCHID, P = Personal info, R = RegID, O = Other
Constituencies (columns): students, faculty, alums, hospital, patrons, guests
Who has what, or will have, that we get:
– students: I,U,(C),S,P,R
– faculty: I,U,(C),P,R
– alums: (U),(C),P,R
– hospital: (C),H,P,R
– patrons: (I),(C),(O)?
– guests: C,R,(O)
Identifiers each service uses (cells in matrix order):
– phonebook: U,C,S,P | U,C,P | P | H,P
– email: C | C | C
– net access: C | C | C | C,H | C | C
– labs: I,C | I,C | ? | I,C | C
– lib DBs: C | C | ? | C,H | C | ?
– LMS, eReserves: C | C
– web services: U,C,R | U,C,R | U,C,R | C,H,R
– CNet site: I,U,C,P | I,U,C,P | U,C,P | C,O | C,O
Identifier discovery redux
How hard is this environment for end-users? Should you reduce the number of namespaces in use? Is simplification worth the effort?
– Unification of namespaces can be painful & requires serious organizational cooperation and commitment
More important than the technical details is the establishment of ongoing relationships between the architect and the people who assign and design uses for fundamental identifiers.
PS: Personal Identifiers
Who maintains name, birthday, SSN?
1. Registrar
2. Human Resources
3. Bursar
4. ID Office
5. Law School
6. University College
7. Library
8. Regents Online Degree Program
9. Central IT
10. Controller
11. Marketing & Advancement
12. Academic Personnel Records
13. Telecom/Network Services
14. Intensive English for Internationals
This is an irrational business practice!
Source systems: identifier semantics
Affiliations
– Which source systems define which affiliations? How?
– How do constituents become engaged in their various affiliations with the U? How disengaged?
Associated attributes
– What other attributes of value to online services are maintained in which source systems?
– How are they maintained, for what purposes? Are they reliable?
Metadata
– (De-)Assignment process; persistence; visibility; versions; …
– What encumbrances/obligations/policies pertain?
– Updatable (in source system)?
Forever iterate over these considerations as more applications are added
Registry identifier classes
Fundamental IDs
– Permanent, unreleased registry ID
– Permanent pvid?
– Versions?
– Source & consumer foreign keys: crosswalk (Rosetta Stone)
All is hidden from view
Personal IDs …
– External IDs: name, bday, ...
– Q&As
– Account init code
– Answer “Is this a new person?”
– Provide unique-ification
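The registry sketched above, as an added example that is not from the talk: a permanent, never-released registry ID, a personal-identifier match that answers “Is this a new person?”, and a crosswalk holding one foreign key per source system. The source names (sisID, hrsID, patronID) follow the earlier mapping table; the sample records, the match rule (name plus birthday) and the R000001 ID format are constructed assumptions.

```python
from dataclasses import dataclass, field
import itertools

# Constructed sample feeds from three source systems:
# (source, source ID, name, birthday). Real feeds carry more personal IDs.
SOURCE_RECORDS = [
    ("sisID", "S1001", "Ana Ruiz", "1985-04-02"),
    ("hrsID", "E77", "Ana Ruiz", "1985-04-02"),    # same person, second source
    ("hrsID", "E78", "Ana Ruiz", "1990-11-30"),    # same name, different person
    ("patronID", "P5", "Bo Li", "1979-01-15"),
]

@dataclass
class PersonRecord:
    registry_id: str                 # permanent, never released to consumers
    personal: tuple                  # (name, birthday) used only for matching
    crosswalk: dict = field(default_factory=dict)  # source name -> source ID

class Registry:
    """Fundamental-ID registry with a source-system crosswalk (Rosetta Stone)."""

    def __init__(self):
        self._seq = itertools.count(1)
        self.people = {}             # registry_id -> PersonRecord
        self._by_personal = {}       # matching key -> registry_id

    def ingest(self, source, source_id, name, birthday):
        """Return (registry_id, is_new); answers 'Is this a new person?'."""
        key = (name.casefold(), birthday)
        rid = self._by_personal.get(key)
        is_new = rid is None
        if is_new:
            rid = f"R{next(self._seq):06d}"   # hypothetical registry ID format
            self.people[rid] = PersonRecord(rid, key)
            self._by_personal[key] = rid
        rec = self.people[rid]
        # One foreign key per source: a conflicting value means the match
        # rule needs review, not a silent overwrite of the crosswalk.
        if rec.crosswalk.get(source, source_id) != source_id:
            raise ValueError(f"{rid} already maps {source}={rec.crosswalk[source]}")
        rec.crosswalk[source] = source_id
        return rid, is_new

    def resolve(self, source, source_id):
        """Map a consumer-visible source ID back to the hidden registry ID."""
        for rid, rec in self.people.items():
            if rec.crosswalk.get(source) == source_id:
                return rid
        return None

def load(records=SOURCE_RECORDS):
    reg = Registry()
    return reg, [reg.ingest(*r) for r in records]
```

Two records with the same name but different birthdays become two people, while two sources describing the same person share one registry ID and two crosswalk entries.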
Registry identifier classes
Authoritative identifiers
– Username(s)?
– Attributes for provisioning processes
– Specific to consuming technology?
– Specific to consuming org?
Affiliations
– Common or “major” values derived from authoritative sources
Affiliations …
– Course, program, organization related identifiers
– Life cycles of affiliations?
– Notable subclasses of major affiliations?
– Group memberships?
Multiple namespaces?
– For registry objects?
– For consumer systems?
Consumer identifier issues
Fundamental IDs
– Choice of RDN (LDAP consumers only)
– Store/use pvid? As a key field?
– Persistence, visibility, opacity, …
Potential interaction with privacy policy
Representation of attributes
– Determined by application use cases
– Consumer specific selection & transformation?
– Overloading issues:
  cn: name of person, name of group, name of service account, name of …
  uid: orthogonal sets of usernames?
All is potentially exposed
Service - identifier boundary conditions
Ability to use or be provisioned with a user identifier authoritatively located in the enterprise directory is a requirement for integration into this architecture
Service requirements determine representation of attributes
Service requirements may determine sources of authority for attributes, and hence operational requirements for identity management infrastructure
Stresses on a common username space
Least common denominator format requirements
Number of persons assigned one (prospects, alums, parents, sibs, patrons, donors?)
– Will all the good ones be taken?
Persistence - forever?
Shared administration of portions of user namespace might drive adoption of orthogonal name subspaces
– Closely affiliated org (hospital?)
– Guest registration
Recommended
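The three stresses just listed, as an added example that is not from the talk: a least-common-denominator format rule, collision handling when a preferred name is already taken, forever-persistence of revoked names, and an orthogonal guest subspace that central allocation can never hand out. The format (lowercase, 3 to 8 characters) and the guest pattern (g plus six digits) are constructed assumptions.

```python
import re

# Constructed rules, assumed for this example (the talk gives none):
# least-common-denominator format every integrated service can accept.
LCD = re.compile(r"^[a-z][a-z0-9]{2,7}$")
# Orthogonal guest subspace: 'g' plus six digits. Central allocation never
# hands out a name of this shape, so the two subspaces cannot collide.
GUEST = re.compile(r"^g[0-9]{6}$")

class UsernameSpace:
    def __init__(self):
        self.assigned = set()
        self.retired = set()     # persistence is forever: never reassigned
        self._guest_seq = 0

    def _taken(self, name):
        return name in self.assigned or name in self.retired

    def allocate(self, preferred):
        """Assign the preferred name, or the first free numbered variant."""
        if not LCD.match(preferred):
            raise ValueError(f"{preferred!r} violates the common format")
        if GUEST.match(preferred):
            raise ValueError(f"{preferred!r} lies in the guest subspace")
        candidate, n = preferred, 1
        while self._taken(candidate) or GUEST.match(candidate):
            suffix = str(n)              # truncate so the 8-char limit holds
            candidate = preferred[: 8 - len(suffix)] + suffix
            n += 1
        self.assigned.add(candidate)
        return candidate

    def allocate_guest(self):
        """Serial names from the guest subspace, administered separately."""
        self._guest_seq += 1
        name = f"g{self._guest_seq:06d}"
        self.assigned.add(name)
        return name

    def retire(self, name):
        """A revoked username is parked forever so it is never reassigned."""
        self.assigned.discard(name)
        self.retired.add(name)
```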