Integrating Applications with the Directory Andrea Beesing CIT/Integration and Delivery June 25, 2002

Page 1

Integrating Applications with the Directory

Andrea Beesing

CIT/Integration and Delivery

June 25, 2002

Page 2

Authentication/Authorization/Access

Authentication
– What: Verifying the identity of the user
– How: Kerberos

Authorization
– What: Verifying that the user has authority to run the application or business process
– How: Permit Server/Application (current); Directory (future)

Access (to Data)
– What: Determining which data the user can manipulate/view with the application or business process
– How: Application-specific

Page 3

Directory for Authorization – How

Directory has a “Group” object which holds a membership list

Need to map each role to one or more groups

Application simply queries the directory (via LDAP) for the groups the user is a member of to learn what roles the user has
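The lookup this slide describes, as an added example that is not part of the original slides. It assumes a directory layout the slides do not specify: people under ou=People,dc=example,dc=edu keyed by uid (the NetID), groupOfNames entries under ou=Groups,dc=example,dc=edu whose multi-valued member attribute is the membership list, and an application-side map from each role to its groups. The group names are made up, the directory is an in-memory dict standing in for the LDAP server so the code runs offline, and with a real server (for example via a client library such as ldap3) the filter built here would be handed to the search call instead. The point a practitioner should take from it is the escaping: the NetID is placed inside both a DN (RFC 4514) and a search filter (RFC 4515), and an unescaped value such as `a*` would turn the membership query into a wildcard match.

```python
"""Deriving application roles from directory group membership.

Added example; not code from the slides. Layout, group names and the
in-memory directory below are assumptions for illustration.
"""

PEOPLE_BASE = "ou=People,dc=example,dc=edu"
GROUPS_BASE = "ou=Groups,dc=example,dc=edu"

# Constructed sample directory: group DN -> set of member DNs.
DIRECTORY = {
    f"cn=cu-staff,{GROUPS_BASE}": {
        f"uid=abc12,{PEOPLE_BASE}",
        f"uid=def34,{PEOPLE_BASE}",
    },
    f"cn=cu-payrep,{GROUPS_BASE}": {f"uid=abc12,{PEOPLE_BASE}"},
    f"cn=cu-student,{GROUPS_BASE}": {f"uid=ghi56,{PEOPLE_BASE}"},
    f"cn=cu-faculty,{GROUPS_BASE}": set(),
}

# Application-side mapping of each role to one or more directory groups
# (the global roles named on the slides; the group names are assumed).
ROLE_TO_GROUPS = {
    "staff": [f"cn=cu-staff,{GROUPS_BASE}"],
    "faculty": [f"cn=cu-faculty,{GROUPS_BASE}"],
    "student": [f"cn=cu-student,{GROUPS_BASE}"],
    "payrep": [f"cn=cu-payrep,{GROUPS_BASE}"],
}


def escape_rdn_value(value: str) -> str:
    """Escape a value placed inside a DN component (RFC 4514)."""
    chars = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            chars.append("\\" + ch)
        else:
            chars.append(ch)
    return "".join(chars)


def escape_filter_value(value: str) -> str:
    """Escape a value placed inside a search filter (RFC 4515).

    Without this a NetID such as 'a*' becomes a wildcard on a real server,
    the search returns other users' groups, and the caller turns them into
    roles for the wrong person.
    """
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_dn(netid: str) -> str:
    return f"uid={escape_rdn_value(netid)},{PEOPLE_BASE}"


def member_filter(netid: str) -> str:
    """Filter selecting every group whose membership list names this user."""
    return f"(&(objectClass=groupOfNames)(member={escape_filter_value(user_dn(netid))}))"


def groups_for(netid: str, directory=DIRECTORY) -> list:
    """Return the DNs of the groups the user belongs to.

    Stands in for a search of GROUPS_BASE with member_filter(netid) against
    a real server. DNs are compared case-insensitively, as the server's DN
    matching rule would; only direct (flat) membership is considered.
    """
    wanted = user_dn(netid).lower()
    return sorted(dn for dn, members in directory.items()
                  if any(m.lower() == wanted for m in members))


def roles_for(netid: str, directory=DIRECTORY, role_map=ROLE_TO_GROUPS) -> set:
    """Map the user's groups back onto application roles."""
    member_of = {dn.lower() for dn in groups_for(netid, directory)}
    return {role for role, groups in role_map.items()
            if any(g.lower() in member_of for g in groups)}


if __name__ == "__main__":
    for netid in ("abc12", "ghi56", "a*"):
        print(netid, member_filter(netid), sorted(roles_for(netid)))
```

The role-to-group map stays in the application, which matches the slide's division of labour (the directory defines membership, the application decides what a role may do). Two caveats for a real deployment: a user's membership in a nested group is not visible to this flat member lookup, and a group with no members (cu-faculty above) yields no role for anyone, so removing someone from the group is sufficient to revoke the role the next time the application asks.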

Page 4

Directory for Authorization – Benefits

Streamlines the maintenance of application security across campus
– Associating a person with a role or group is done once, not within each application
– Simplifies the task of removing access when an individual changes status

Page 5

Best Practices to Start With

Keep it simple
– Use the directory to define membership
– Data access rules defined within the application

Begin with the definition of global groups/roles (student, staff, faculty, payrep)

Avoid proprietary schemas

Page 6

Issues

Directory must be more fully populated

How is membership in groups/roles maintained?
– Driven from a central system
– Determined by the local unit
– To what extent can it be automated?

Can a generic distributed application be designed for memberships that require manual maintenance?

Page 7

Big Issue – The NetID Question

What about people who don’t qualify for NetIDs?

What is the “legitimizing” ID for inclusion in the directory?
– NetID
– PeopleSoft EmplID
– Guest or temporary (“dirty”) ID

Page 8

Driver is the HR/Payroll/Alumni Affairs suite of applications

This suite includes
– PeopleSoft HR/Payroll/Contributor Relations
– Actuate, Brio
– Colts, Kronos, PEDL, SES, EE
– CU Connect

PeopleSoft 8, Actuate and Brio allow mapping of roles to directory groups

Page 9

Getting Started

Admin units must agree on definitions of global groups and roles

Admin units must agree on how membership in groups and roles is maintained

Technical team must work with developers and security administrators to help them understand how each application interfaces with the directory