1、Categorizing Access Management Challenges,Rob Carter, Duke University Scott Fullerton, University of Wisconsin,Overview,Whats all the fuss about, anyway? Maybe theres an approach we can use Overview and survey of higher ed use cases Breakin up big rocks Trying the approach on for size Some edge case
2、s from out in the wild,Whats all the fuss about?,Why is access management like the weather? Everyone talks about it, but (almost) no one seems to be doing anything about it But why,Whats all the fuss about?,Access management is a complex problem Lots of moving parts; lots of stakeholders; high stake
3、s Viewed monolithically, it can seem utterly intractable Access management is difficult to sell Everyone wants it, but no one wants to deal with it The problem space is huge Every resource, every application, has a need for access management,Whats all the fuss about?,How do you solve a problem like
4、Maria? Maria, who is the Dean of Medicine and wants to implement what she thinks is a simple rule In the campus purchasing system principal investigators should be able to approve purchases,Whats all the fuss about?,How do you solve a problem like Maria? Maria, who is the dean of Medicine and wants
5、to implement what she thinks is a simple rule In the campus purchasing system principal investigators should be able to approve purchases up to $100,000 for research projects,Whats all the fuss about?,How do you solve a problem like Maria? Maria, who is the dean of Medicine and wants to implement wh
6、at she thinks is a simple rule In the campus purchasing system principal investigators should be able to approve purchases up to $100,000 for research projects provided they have completed training on University purchasing processes and have filed the appropriate conflict of interest documentation,W
7、hats all the fuss about?,How do you solve a problem like Maria? Maria, who is the dean of Medicine and wants to implement what she thinks is a simple rule In the campus purchasing system principal investigators should be able to approve purchases up to $100,000 for research projects provided they ha
8、ve completed training on University purchasing processes and have filed the appropriate conflict of interest documentation until July 1, 2010,Whats all the fuss about?,The large print giveth (and the small print taketh away) And thats only one of thousands of scenarios,Whats all the fuss about?,its
9、no wonder the problem can seem intractable,Maybe theres an approach,Start from use cases or user stories Usually short (at least to begin with) Describe scenarios in terms the actors understand Help define the problem space as well as provide fodder for analysis Help ensure that solutions actually a
10、ddress real world problems,Maybe theres an approach,Evaluate, analyze, and decompose Try to break down use cases into common constituent parts Evaluate the breakdown; identify unique features and possibly some common features,Maybe theres an approach,Compare, abstract, and organize Look for similari
11、ties across cases Even dramatically different situations may yield to similar treatment Start to categorize the similarities; taxonomize,Maybe theres an approach,Identify classes of solutions; lather, rinse, repeat Consider the resources you might use to build solutions, and start to associate poten
12、tial solutions with categories of problems, applying one or more solutions associated with the category to new problems identified in that category, refining your categories and solutions as you gain experience, or to quota Zippy the Pinhead: “If it WIGGLES, SQUISH it!”,Maybe theres an approach,Use
13、Case Survey,If you didnt get to see them https:/spaces.internet2.edu/display/CAMPJune2009/Use+Cases+Organized+by+Area+of+Interest Use cases categorized by where they arise Good for surveying purposes,Use Case Survey,Business Operations Cases Deal With,Money, budgets, purchases, accounts Human Resour
14、ces and management Employee relationships Employee identities,Business Operations Cases Address,Organizational structure Delegation PCI compliance Audit,Use Case Survey,Academic / Research Cases Deal With,Learners, instructors, facultyClasses, registration Research products Collaborators Pedagogy Ev
15、aluation (testing, grading),Academic / Research Cases Address,Faculty hierarchy Course hierarchy FERPA Research collaboration Accreditation,Use Case Survey,Residential Life Cases Deal With,Students, staff, advisors Housing Safety Physical access,Residential Life Cases Address,Multiple affiliations T
16、ransient privileges Short privilege lifecycles,Use Case Survey,Library Use Cases Deal With,Patrons, Librarians Catalogs and collections Collaborators Professional organizations,Library Use Cases Address,Privacy Anonymity Blended identity Federations,Use Case Survey,Medical Center Use Cases Deal With
17、,Physicians, nurses, patients Medical records Referrals and consultations Controlled substances,Medical Center Use Cases Address,Urgency and Expediency Credentialing and qualifications HIPAA Oversight,Use Case Survey,Use cases from these six areas seem disjoint Different actors and objects Different
18、 activities Different concerns and complexities But of course, we wouldnt be talking,Analytic Approach,Lines of decomposition Subjects Grantor, grantee, resource Functions or Permissions Approve, update, authorize, add, delete, view, etc. Constraints Time limits; extents; scope,Analytic Approach,Sub
19、jects How are they (or could they be identified?) Ad Hoc List? Authoritative Source? Algorithmic? Self-described? Are they singleton or multiple?,Analytic Approach,Functions or Permissions Are permissions Singletons? Collections? Are permissions defined by Business role or activity? Inheritance or d
20、elegation? Ad hoc or Fiat? (but not GM ),Analytic Approach,Constraints Are grants to be limited in time? in scope? in extent? Are limits controlled by Fiat? Business role? Hierarchical position? Prerequisites?,Categorization,We might imagine, then, using this decomposition to classify use cases base
21、d on some common features, eg.: Single grantor, single grantee, single permission by fiat with no constraints (I give my car keys to my wife) Single grantor, multiple grantees identified by authoritative sources, multiple permissions by business role with no constraints (I allow my students into my
22、wiki without restriction) Multiple grantors identified by , multiple grantees identified ad hoc, single permission with no constraints (Deans can designate visitors who have access to the faculty club pool),Categorization,Business Case #4 Wellness Program Participation - A universitys HR department
23、offers a health and wellness program for university staff and faculty. The program is entirely voluntary. Participation requires a commitment by the employee to engage in a short online health awareness exercise, in return for which the university offers participants discounts on services at the uni
24、versity health club as well as periodic special offers from area business deemed by the university to be offering wellness-supporting services. A new employee in the physical plant hears about the program during an HR orientation and visits a web site to sign up. Once enrolled in the program, the em
25、ployee has access to the programs web portal and receives weekly email reminders about training opportunities and special offers.,Authority rests with HR department (business role) Grantor and grantee are the same, self-identified but constrained by authoritative source (only staff and faculty) Depe
26、nding on IAM implementation, could be algorithmic (eg., by eduPersonAffiliation) or more ad hoc (HR provides eligible “staff” and “faculty” lists) Constraint: the grantee must accept terms and conditions of the program before being enrolled.,Categorization,Academic Case #5 FERPA Information Restrict
27、ed - Under federal regulations, certain educational records information about students may be categorized as “directory information“ and may be disclosed by institutions without prior consent from students. Students reserve the right under FERPA, however, to have disclosure of their directory inform
28、ation blocked upon request. An undergraduate Engineer becomes concerned that a high-school acquaintance may be stalking her, and wishes to have her contact information (name, address, email address, telephone number) blocked from view. The Registrar considers those data elements to be directory info
29、rmation under FERPA, and discloses them by default. The student visits a FERPA portal system and marks those data elements as FERPA protected information in her records. Subsequently, applications that access student educational information and IdM data about students refuse to allow access to the s
30、tudents contact information except when the requester is identified as having an academic need to see the information.,Authority rests with the Registrar (business role) Grantor is self-identified but constrained by authoritative source (only students may exert FERPA rights) Depending on IAM impleme
31、ntation, could be algorithmic (eg., by eduPersonAffiliation) or more ad hoc (Registrar may provide a list of covered students) Constraint: grantees must identify (in some unspecified fashion) an academic need for information,Categorization,Academic Case #5 Authority rests with the Registrar (busines
32、s role) Grantor is self-identified but constrained by authoritative source (only students may exert FERPA rights) Depending on IAM implementation, could be algorithmic (eg., by eduPersonAffiliation) or more ad hoc (Registrar may provide a list of covered students) Constraint: grantees must be identi
33、fy (in some unspecified fashion) an academic need for information,Business Case #4 Authority rests with HR department (business role) Grantor and grantee are the same, self-identified but constrained by authoritative source (only staff and faculty) Depending on IAM implementation, could be algorithm
34、ic (eg., by eduPersonAffiliation) or more ad hoc (HR provides eligible “staff” and “faculty” lists) Constraint: the grantee must accept terms and conditions of the program before being enrolled.,Categorization,Business Case #3 Clery Notification - Richard is the institutions Vice President of Public
35、 Safety, and as such, he is authorized within an emergency notification system to approve Clery Act notifications which will be sent via multiple venues to the entire campus community. Richard schedules a two week vacation in Europe. He delegates his Clery role to the Chief of Campus Police, Trish,
36、during his two week absence, allowing her to approve Clery notices in his stead. When a pair or armed robberies is reported outside a student dormitory one week later, Trish is able to approve a Clery notification for distribution on Richards behalf. Upon his return from vacation, Richard revokes th
37、e delegation of his Clery role, and Trish loses her ability to approve Clery notices in the system.,Authority rests with the single grantor, who is identified by an authoritative source and whose authority comes from his business role (VP of Public Safety) Single grantee is identified by organizatio
38、nal hierarchy (as Richards direct report) and by fiat (he designates her as such). Single permission assigned ad hoc (approve Clery notifications) Constraints: 2-week time limit Note: this is a case of delegation Richard is conferring his privilege on Trish,Categorization,Academic Case #3 TA Grade A
39、ccess - A university uses its LMS to handle mid-term grade reporting - faculty enter grades for assignments and mid-term quizzes and exams in the LMS, where students can review them online and track their progress until the end of the term. The LMS automatically assigns grade entry privileges to ins
40、tructors (as identified by the student registration system). Professor Gamow chooses to have one of his graduate students act as TA for his EM Fields course and delegates his grade reporting privileges in the LMS to his student. The student is then able to report grades for students in the EM Fields
41、 class within the LMS. When final grades are due, Professor Gamow reports them to the Registrar based on information previously reported in the LMS.,Authority rests with the single grantor, who is identified by an authoritative source and whose authority comes from his job function (faculty, instruc
42、tor for EM Fields) Single grantee is identified by organizational hierarchy (as Prof. Gamows graduate student) and by fiat (he designates her as such). Single permission assigned ad hoc (in the LMS, report grades for students in the class) Constraints: none expressed Note: this is a case of delegati
43、on Gamow is conferring his privilege on the TA,Categorization,Medical Case #1 Chart Access by Consulting Physician - Hospital rules interpret HIPAA privacy regulations to dictate that only those medical staff and faculty directly involved in the care of an individual patient should have access to vi
44、ew that patients medical records during treatment. Faculty in the medical school may have access to depersonalized medical data for purposes of research and instruction, but may only view personally identifiable medical information if referred a patient by an attending physician. An attending physic
45、ian in the ER is treating a patient with symptoms of West Nile viral infection, and needs a consultation from an Infectious Disease specialist in the Medical School. The attending instigates a consultation and referral process which grants the ID specialist temporary access to view the patients medi
46、cal records. Once the consultation is complete, the ID specialists access is revoked automatically. .,Authority rests with the single grantor, who is identified by current job function (admitting physician for a given patient). Single grantee is identified by fiat (the attending specifically calls o
47、ut the consultation) but limited by business role (must be medical staff or faculty) Single privilege assigned ad hoc (view rights to the single patients medical record) Constraints: when consultation is completed, privilege is revoked. Note: this is a case of delegation and also (possibly) a case o
48、f automated workflow (the attending designates the faculty member as a consultant, which in turn triggers the actual privilege being granted).,Categorization,Five disparate use cases drawn from three different areas of the enterprise involving people in vastly different environments Striking similar
49、ities two cases boil down to almost the same underlying situation (a self-identified member of an organizationally managed group exercises an opt in/out option to gain or restrict other privileges) Three other cases boil down to almost the same situation (a grantor with authority based on job functi
50、on delegates his own privilege to a specific grantee selected from a set constrained by organizational hierarchy for a limited time).,Solutions,In the first two cases, we might imagine that similar solutions might be applied, perhaps an ad hoc list mechanism for opt-in/opt-out recording with access
51、to update ones preference limited by membership in an official, dynamic group In the second three cases, we might similarly imagine some sort of ad hoc list mechanism to designate the grantee some representation of organizational hierarchy to constrain the designationperhaps in the form of a group some time-based triggering mechanism (a cron tasker, perhaps) which can be used to trigger time-based limitations,
