Emerging from the mists: Requirements for supporting VOs. http://arch.doit.wisc.edu/keith/camp/ voReqs-050701-01.ppt Keith Hazelton ([email protected]) Sr. IT Architect, University of Wisconsin-Madison Internet2 MACE Advanced CAMP, Denver, July 1, 2005.

Emerging from the mists: Requirements for supporting VOs

http://arch.doit.wisc.edu/keith/camp/

voReqs-050701-01.ppt

Keith Hazelton ([email protected])

Sr. IT Architect, University of Wisconsin-Madison

Internet2 MACE

Advanced CAMP, Denver, July 1, 2005


Federated Identity & Access Management (FIAM)

  • FIAM: Self-predicting term in Latin: “I will be made”

    • root meaning: to make

    • passive voice

    • indicative mood

    • future tense

  • God bless the VO known as WIKIpedia

2


VO challenges I heard at CAMP

  • VO support utilities must be as easy to use as

    • managing a local collaboration team

    • sharing applications on a single host

  • …or else?

  • Or else the latter is exactly how it will be done

3


VO challenges I heard at CAMP

  • For both ScienceGateway & Vivarium:

  • IdPs and SPs in a given VO will need mechanisms by which they

    • come to agreements on

    • manage

    • and use

      information.

  • What information?

4


VO challenges I heard at CAMP

  • Well, MINIMALLY, information re:

    • what user affiliations/groups there are (IdP)

    • what resource/host-level privileges members of those affiliations should have (SP)

    • what (SAML) attribute & values will express those affiliations/groups (IdP/SP agreement)

5


Managing Roles & Privileges: The Internet2 way

Role-Based Access Control (RBAC) model

  • Users are placed into groups

  • Privileges are assigned to groups

  • Groups can be arranged into hierarchies to effectively bestow privileges

  • Signet manages privileges

  • Grouper manages, well, groups


6


MAXIMAL case: Model from Signet Business View

[Diagram, flattened in extraction: the Signet business view arranges Subsystems, Categories (organizing), Functions (actions) and Limits. The column each label belonged to was not recoverable; the labels are listed here in the order they appear on the slide.]

  • Course Support; Add/Drop students; Student Admin; Which term; Schedule Classes; Which campus; Process Applicants

  • Financial Aid; For school…; Award Scholarships; From Fund…; Manage Accounts; For fund…

  • Patient Records; Protocol A; Clinical Trial; Read/Write; Materials Control; Qty/day

  • Manage Grant; Administration; $ constraints; Lab Access; Hours

  • Axis labels: Categories (organizing), Subsystems, Functions (actions), Limits

7


VO challenges I heard at CAMP

  • MAXIMALLY, information re:

    • what subsystems there are

    • what functions in what organizing categories there are

    • what affiliations/groups have those categories/functions on those subsystems

    • what resource/host-level privileges are required to perform those functions

8


VO challenges I heard at CAMP

  • And information re:

    • what attributes will express those groups and privileges

    • which party will maintain the registries and delivery services for which bits of this information

  • Signet suggested these categories of information

9


Bold Conclusion (for debate)

  • IdP site should manage users, groups/affiliations

  • SP site should manage system-level permissions and what groups/affiliations get which ones

  • That’s it! (for MINIMAL entry-level case)

10


Bold Conclusion MAXIMAL case (for debate)

  • IdP site should manage users, groups/affiliations

  • SP site should manage system-level permissions

  • Both must agree on subsystems and categories of functions down to syntax and semantics of attributes/expressions

  • IdP should maintain map from user/group to function

  • SP should maintain map from function to permissions

11
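The RBAC slide (users into groups, privileges to groups, group hierarchies; Grouper for groups, Signet for privileges) and the two Bold Conclusion slides describe a division of labour between IdP and SP without showing it in operation. The Python below is an added worked example, not code from this talk nor from Signet or Grouper, of the MAXIMAL case: the IdP expands a group hierarchy, maintains the group-to-function map and releases only values from the vocabulary both sides agreed on; the SP maintains the function-to-permission map and ignores anything it does not recognise. Every user, group, subsystem, function and permission name, and the attribute name `vo-functions`, is constructed for this illustration.

```python
"""Added example of the IdP/SP split argued for in the talk (MAXIMAL case).
All names below are constructed; nothing here is Signet or Grouper code."""

# --- Agreed between IdP and SP: syntax ("subsystem:function") and vocabulary ---
FUNCTION_ATTR = "vo-functions"  # constructed attribute name carried in the assertion
AGREED_FUNCTIONS = {
    "student-admin": {"add-drop-students", "schedule-classes"},
    "financial-aid": {"award-scholarships"},
}
AGREED_VALUES = {f"{sub}:{fn}" for sub, fns in AGREED_FUNCTIONS.items() for fn in fns}

# --- IdP side: users, groups, hierarchy, group -> function map ---------------
# Membership in a child group implies membership in its parent, so whatever is
# attached to the parent is inherited (the "hierarchies bestow privileges" slide).
GROUP_CHILDREN = {
    "vo:members": ["vo:registrars", "vo:aid-officers"],
    "vo:registrars": ["vo:registrars-campus-a"],
}
DIRECT_MEMBERSHIP = {
    "alice": ["vo:registrars-campus-a"],
    "bob": ["vo:aid-officers"],
    "carol": ["vo:members"],
}
# Group -> functions. "lab:access" is deliberately outside the agreed vocabulary
# to show that the IdP will not release it.
GROUP_FUNCTIONS = {
    "vo:registrars": {"student-admin:add-drop-students", "student-admin:schedule-classes"},
    "vo:aid-officers": {"financial-aid:award-scholarships"},
    "vo:members": {"lab:access"},
}


def effective_groups(user):
    """Expand a user's direct memberships up the group hierarchy."""
    parent_of = {child: parent for parent, kids in GROUP_CHILDREN.items() for child in kids}
    groups = set()
    for group in DIRECT_MEMBERSHIP.get(user, []):
        while group is not None and group not in groups:
            groups.add(group)
            group = parent_of.get(group)
    return groups


def idp_release(user):
    """Attribute statement the IdP releases: functions for the user's groups,
    restricted to the vocabulary the IdP and SP agreed on."""
    functions = set()
    for group in effective_groups(user):
        functions |= GROUP_FUNCTIONS.get(group, set())
    return {FUNCTION_ATTR: sorted(functions & AGREED_VALUES)}


# --- SP side: function -> host-level permissions ----------------------------
FUNCTION_PERMISSIONS = {
    "student-admin:add-drop-students": {"db:enrollment:write"},
    "student-admin:schedule-classes": {"db:schedule:write", "db:rooms:read"},
    "financial-aid:award-scholarships": {"db:awards:write"},
}


def sp_permissions(assertion):
    """Host-level permissions implied by an assertion. Attribute names and
    values the SP does not know contribute nothing."""
    permissions = set()
    for value in assertion.get(FUNCTION_ATTR, []):
        permissions |= FUNCTION_PERMISSIONS.get(value, set())
    return permissions


def sp_decide(assertion, permission):
    """Approve or deny a request needing `permission` (the "users make
    requests that service providers approve or deny" slide)."""
    return permission in sp_permissions(assertion)


if __name__ == "__main__":
    for user in DIRECT_MEMBERSHIP:
        assertion = idp_release(user)
        print(user, assertion, sorted(sp_permissions(assertion)))
```

The agreement shows up in exactly two places: the IdP filters its release to the agreed vocabulary, and the SP looks up only values it has mapped. A group or function that only one side knows about (here `lab:access`) therefore grants nothing, which is the failure mode the "both must agree on subsystems and categories of functions down to syntax and semantics" bullet is guarding against.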


VO challenges I heard at CAMP

  • MUST have: Delegable IAM admin services

    • with absolutely no dependencies on the specific institutional home base of

      • the users

      • the administrator(s)

      • the service(s)

12


VO challenges I heard at CAMP

  • Users make requests that service providers approve or deny.

  • The decision will sometimes depend on amalgamated bits of identity info….

  • …for which a variety of IdPs are the authoritative source.

  • Whose job is it to overcome identity fragmentation at the federation level?

13


Q & A

14