Permits and Authorization @ Cornell

Panel Discussion Talking Points - Centralized Authorization Services at Cornell University

Tom Parker

And the Identity Management Team at Cornell University

[email protected]

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Got a Permit?

  • Central Authorization at Cornell is generically handled by something called the Permit Server

  • The Permit Server maps groups of NetIDs to “permits”

  • A permit is just a string token, such as “cit.staff” or “cu.student”

  • On the permit server, we might see something like this table:


Got a Permit? (cont) [slide shows an example table of permits and the NetIDs that hold each one]


How are they Obtained?

  • Through the hiring process (staff)

  • Through the admissions process (students)

  • Individuals wishing to restrict a specialized service may request ownership of a permit

    • They are given tools for managing it

    • They decide when to assign or revoke a permit for a particular user


Group Authorization

  • Users at Cornell are often put into “groups”

    • Students

    • Staff

    • Chess Club Members

  • These groups can be big or small


Group Authorization (cont)

  • Some are maintained by central IT staff

    • Who are the students?

    • Who are the staff?

  • Others are maintained at a departmental level

    • Who are the Human Ecology students?

    • Who can download certain licensed software?


Back to the Permit Server

  • The permit server allows us to create these groups

  • It houses a simple key-value database where the “key” is the group identifier and the “value” is the list of Kerberos principals (NetIDs) associated with that group


Used by Applications

  • A service or resource may be restricted to users who hold specific permits

  • Various applications (including CUWebAuth, our Apache module for doing web based authentication) know how to query the permit server and thus utilize the central authorization system

  • Application administrators can choose to utilize centrally maintained permits, or they may opt to administer their own permit
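The permit model from the "Got a Permit?" and "Back to the Permit Server" slides, together with the application-side query described just above, as an added example in Python. This is not Cornell's permit server or CUWebAuth code; the class, the `authorize` helper and the sample permit table are constructed assumptions. The store is exactly what the slides describe, a key-value map from a permit token to the NetIDs holding it, and the application decision fails closed when no permit is configured for a resource.

```python
"""Toy model of the permit server described on the slides: a key-value
store whose key is a permit (group) token such as "cit.staff" and whose
value is the set of NetIDs holding it.  Added example, not Cornell's code;
the class, function names and the sample table are assumptions."""

from typing import Dict, Iterable, Set


class PermitServer:
    """Central permit store: permit token -> set of NetIDs (Kerberos principals)."""

    def __init__(self) -> None:
        self._permits: Dict[str, Set[str]] = {}

    def create_permit(self, permit: str) -> None:
        """Register a permit token (what a permit owner would request)."""
        self._permits.setdefault(permit, set())

    def grant(self, permit: str, netid: str) -> None:
        """Assign a permit to a NetID.  Unknown permits are rejected so a
        typo in a management tool cannot silently create a new group."""
        if permit not in self._permits:
            raise KeyError(f"unknown permit: {permit}")
        self._permits[permit].add(netid)

    def revoke(self, permit: str, netid: str) -> None:
        """Remove a permit from a NetID; revoking what is not held is a no-op."""
        self._permits.get(permit, set()).discard(netid)

    def holds(self, netid: str, permit: str) -> bool:
        """The membership query an application (e.g. a web-auth module) makes."""
        return netid in self._permits.get(permit, set())

    def permits_for(self, netid: str) -> Set[str]:
        """All permits a NetID currently holds (useful for audit/clean-up)."""
        return {p for p, members in self._permits.items() if netid in members}


def authorize(server: PermitServer, netid: str, required: Iterable[str],
              require_all: bool = False) -> bool:
    """Application-side decision: does the user hold the permit(s) that
    protect this resource?  Default is 'any of'; an app may demand 'all of'.
    A resource with no permit listed is not treated as open (fail closed)."""
    required = list(required)
    if not required:
        return False
    checks = (server.holds(netid, p) for p in required)
    return all(checks) if require_all else any(checks)


def build_sample_server() -> PermitServer:
    """Constructed sample table, standing in for the one on the slide."""
    server = PermitServer()
    table = {
        "cu.student": {"abc12", "def34"},
        "cit.staff": {"ghi56"},
        "chess.club": {"abc12", "ghi56"},
    }
    for permit, members in table.items():
        server.create_permit(permit)
        for netid in members:
            server.grant(permit, netid)
    return server


if __name__ == "__main__":
    s = build_sample_server()
    print(authorize(s, "abc12", ["cu.student"]))                  # True
    print(authorize(s, "ghi56", ["cu.student"]))                  # False
    print(authorize(s, "ghi56", ["cu.student", "cit.staff"]))     # True (any of)
    print(authorize(s, "abc12", ["cu.student", "chess.club"], require_all=True))  # True
```

The server only answers "does this NetID hold this token?"; every policy decision (which permits a page needs, any-of versus all-of) lives in the application, which is the split the slides describe between centrally maintained permits and application-administered ones.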


With plenty of elbow grease

  • Regardless of whether a permit is centrally or locally maintained, it is maintained manually

  • Home-grown provisioning scripts cause a basic set of permits to be issued when IDs are created

  • Regularly scheduled “clean up” processes are in place to remove permits when a user’s association with the university changes (student graduates, student changes to employee, employee changes to student, or termination)
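What the provisioning and clean-up steps above amount to, as an added Python example that is not Cornell's script: given a NetID's current permits and its current affiliation, compute which affiliation-derived permits to issue and which to revoke. The affiliation names, the base-permit table and the function names are constructed assumptions; the rule that only affiliation-derived permits are touched, leaving owner-administered ones to their owners, is also an assumption chosen to match the next slide.

```python
"""Provisioning and clean-up for affiliation-derived permits, modelling the
scripts the slides describe.  Added example, not Cornell's code; the
affiliation names, base-permit table and function names are assumptions."""

from typing import Dict, FrozenSet, Set, Tuple

# Constructed table: the base permits each affiliation should carry.
BASE_PERMITS: Dict[str, FrozenSet[str]] = {
    "student": frozenset({"cu.student", "cu.library"}),
    "employee": frozenset({"cu.employee", "cu.library"}),
    "none": frozenset(),   # association with the university has ended
}

# Every affiliation-derived permit.  Only these are issued or revoked here;
# owner-administered permits (e.g. "chess.club") are left to their owners.
MANAGED: FrozenSet[str] = frozenset().union(*BASE_PERMITS.values())


def reconcile(current: Set[str], affiliation: str) -> Tuple[Set[str], Set[str]]:
    """Return (to_grant, to_revoke) so that the NetID's managed permits match
    its affiliation.  An unknown affiliation is treated as 'none', so a bad
    feed record strips access rather than leaving stale permits in place."""
    wanted = BASE_PERMITS.get(affiliation, BASE_PERMITS["none"])
    held_managed = current & MANAGED
    to_grant = set(wanted - held_managed)
    to_revoke = set(held_managed - wanted)
    return to_grant, to_revoke


def apply_reconcile(current: Set[str], affiliation: str) -> Set[str]:
    """Apply the reconciliation and return the resulting permit set."""
    to_grant, to_revoke = reconcile(current, affiliation)
    return (current - to_revoke) | to_grant


if __name__ == "__main__":
    # New ID: provisioning issues the base set.
    print(apply_reconcile(set(), "student"))
    # Student becomes employee: student permit goes, employee permit comes,
    # the shared library permit and the club permit survive.
    print(apply_reconcile({"cu.student", "cu.library", "chess.club"}, "employee"))
    # Termination: every managed permit goes; the club permit is the owner's call.
    print(apply_reconcile({"cu.employee", "cu.library", "chess.club"}, "none"))
```

Running the reconciliation as a scheduled job over every NetID reproduces the "clean up" process on the slide; the point of computing grant and revoke sets separately is that the revoke set is the audit trail a security team actually wants to review.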


And tribal knowledge

  • Aside from the centrally maintained permits, all permit “owners” are responsible for issuing permits to new members of a group and removing them when appropriate

  • Currently there is no capability to automatically populate permits from directory information


Furthermore…

  • Cornell has multiple datamarts and would like to make roles and row-level authorization information available to reporting tools (Brio, for example) without having to store this information in each individual datamart

  • An Authorization Directory is a logical repository for this information


And…

  • Some staff at Cornell make a practice of sharing their NetID passwords because there are no mechanisms for designating proxies to act in their place

  • This is a significant security risk and will soon be counter to University policy


Also…

  • It may be desirable to do negative authorizations. For example, an institution may want to offer a service to all active students within the United States due to export or other laws

  • Identifying and excluding the smaller group (say, those in Transylvania) may be the way to do the authorization
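The negative authorization just described, as an added Python example that is not Cornell's code: a rule grants access to holders of a broad permit and vetoes it for holders of a small excluded permit, with the veto taking precedence. The permit names (`cu.student.active`, `region.transylvania`), the `Rule` type and the per-NetID holdings are constructed assumptions.

```python
"""Negative authorization: grant to a broad group, then subtract a small
excluded group, as the slide suggests.  Added example, not Cornell's code;
the permit names, the Rule type and the holdings table are assumptions."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Rule:
    """allow_any: the user must hold at least one of these permits.
    deny_any: holding any of these vetoes access, whatever else is held."""
    allow_any: FrozenSet[str]
    deny_any: FrozenSet[str] = frozenset()


def decide(rule: Rule, held: Set[str]) -> bool:
    """Deny wins over allow, and an empty allow set never grants."""
    if held & rule.deny_any:
        return False
    return bool(held & rule.allow_any)


def who_may(rule: Rule, holdings: Dict[str, Set[str]]) -> Set[str]:
    """Evaluate the rule over every NetID; handy for reviewing a policy."""
    return {netid for netid, held in holdings.items() if decide(rule, held)}


# Constructed permit holdings per NetID.
HOLDINGS: Dict[str, Set[str]] = {
    "abc12": {"cu.student.active"},
    "def34": {"cu.student.active", "region.transylvania"},
    "ghi56": {"cit.staff"},
    "jkl78": {"cu.student.active", "cit.staff", "region.transylvania"},
}

# A service for all active students, except those in the excluded region.
EXPORT_RULE = Rule(
    allow_any=frozenset({"cu.student.active"}),
    deny_any=frozenset({"region.transylvania"}),
)


if __name__ == "__main__":
    for netid, held in HOLDINGS.items():
        print(netid, decide(EXPORT_RULE, held))
    print(sorted(who_may(EXPORT_RULE, HOLDINGS)))   # ['abc12']
```

The trade-off to keep in mind: with a positive rule a stale allow list fails closed, but with a negative rule a stale exclusion list fails open, so the small excluded group has to be maintained at least as carefully as the large allowed one.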


And while we’re at it…

  • As the institution evolves its identity management infrastructure, but before it is prepared to implement privilege management systems, it may be desirable as an interim step to have templates for documenting business rules for authorization

    • This should keep us busy for awhile : )

  • Then when the institution is positioned to implement this piece of the infrastructure, the work of defining the business rules will have been largely completed


Right now we are

  • Considering two directories:

    • One for public white-pages information, which includes user-modified attributes

    • A second, separate directory, for the purpose of Authorization and doing other interesting stuff

  • Whether two directories are a solution, or a migration path, will likely be a lively debate

  • We’re here looking for some good ideas…
