1 / 15

Permits and Authorization @ Cornell

Permits and Authorization @ Cornell . Panel Discussion Talking Points - Centralized Authorization Services at Cornell University Tom Parker And the Identity Management Team at Cornell University jtp5@cornell.edu. Got a Permit? .

Gabriel
Download Presentation

Permits and Authorization @ Cornell

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Permits and Authorization @ Cornell Panel Discussion Talking Points - Centralized Authorization Services at Cornell University Tom Parker And the Identity Management Team at Cornell University jtp5@cornell.edu Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  2. Got a Permit? • Central Authorization at Cornell is generically handled by something called the Permit Server • The Permit Server maps groups of NetIDs to “permits” • A permit is just a string token, such as “cit.staff” or “cu.student” • On the permit server, we might see something like this table: Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  3. Got a Permit? Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  4. How are they Obtained? • Through the hiring process (staff) • Through the admissions process (students) • Individuals wishing to restrict a specialized service may request ownership of a permit • They are given tools for managing it • They decide when to assign or revoke a permit for a particular user Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  5. Group Authorization • Users at Cornell are often put into “groups” • Students • Staff • Chess Club Members • These groups can be big or small Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  6. Group Authorization (cont) • Some are maintained by central IT staff • Who are the students? • Who are the staff? • Others are maintained at a departmental level • Who are the Human Ecology students? • Who can download certain licensed software? Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  7. Back to the Permit Server • The permit server allows us to create these groups • It houses a simple key-value database where the “key” is the group identifier and the “value” is the list of Kerberos principals (NetIDs) associated with that group Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  8. Used by Applications • A service or resource may be restricted to users who hold specific permits • Various applications (including CUWebAuth, our Apache module for doing web based authentication) know how to query the permit server and thus utilize the central authorization system • Application administrators can choose to utilize centrally maintained permits, or they may opt to administer their own permit Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  9. With plenty of elbow grease • Regardless of whether or not a permit is centrally or locally maintained, the permit is maintained manually • Home grown provisioning scripts cause a basic set of permits to be issued when IDs are created • Regularly scheduled “clean up” processes are in place to remove permits when a user’s association with the university changes (student graduates, student changes to employee, employee changes to student, or termination) Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  10. And tribal knowledge • Aside from the centrally maintained permits, all permit “owners” are responsible for issuing permits to new members of a group and removing them when appropriate • Currently there is no capability of automatically populating permits based on directory information Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  11. Furthermore… • Cornell has multiple datamarts and would like to make available roles and row level authorization information for use by reporting tools (Brio, for example) without having to store this information in each individual datamart • An Authorization Directory is a logical repository for this information Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  12. And… • Some staff at Cornell make a practice of sharing their NetID passwords because there are no mechanisms for designating proxies to act in their place • This is a significant security risk and will soon be counter to University policy Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  13. Also… • It may be desirable to do negative authorizations. For example, an institution may want to offer a service to all active students within the United States due to export or other laws • Identifying and excluding the smaller group (say, those in Transylvania) may be the way to do the authorization Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  14. And while we’re at it.. • As the institution evolves its identity management infrastructure, but before it is prepared to implement privilege management systems, it may be desirable as an interim step to have templates for documenting business rules for authorization • This should keep us busy for awhile : ) • Then when the institution is positioned to implement this piece of the infrastructure, the work of defining the business rules will have been largely completed Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

  15. Right now we are • Considering two directories: • One for public white page information which includes user-modified attributes • A second, separate directory, for the purpose of Authorization and doing other interesting stuff • Whether two directories is a solution, or a migration path, will likely be a lively debate • We’re here looking for some good ideas.. Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

More Related