Network Information Center, University of Chinese Academy of Sciences Dr. Zha Daren

Transcription

1 Network Information Center, University of Chinese Academy of Sciences Dr. Zha Daren

2 The first graduate school in China with the ratification of the State Council Backed by 117 institutes of the Chinese Academy of Sciences (CAS) Headquartered in Beijing with 4 campuses Yuquanlu, Zhongguancun, Olympic Village and Yanqihu 109,882 graduate students earned a master s degree or/and doctoral degree from UCAS, almost half of them are Ph.D. awardees(from 1981 to 2013) In 2013, UCAS conferred doctoral degrees to 5188 students and master s degrees to 4,966 students

3 Course credit transfer LIFE Admission Campus life Campus culture Lifelong learning FINANCE Campus card Research Database Alumni supervisor Study analysis Job- Hunting Research Degree Registration Medical care ERP/OA Thesis Course Selection Resource STUDY Score crossdisciplinary supervisor

4 A user have multiple accounts for each of the applications or services (Local apps, organization cloud apps, external apps) Users must remember all the accounts and use them to log in each of the application Every applications must implement its own identity management and access management mechanism Users information may be inconsistent in different applications When a user leave the organization, some applications delete the user s account, some applications may be not

5 Every sub-organizations or the headquarter use its own integrated identity and access management approach Manage local users in a IAM system Support SSO across local applications Support federated SSO between applications from different sub-organizations defects Different IAM system may not interoperate very well Users information inconsistent problem still exist Some organizations may have not enough IT support person to maintain the IAM system

6 Build a identity and access management cloud for the UCAS(include suborganizations and the headquarter) Manage all users from the organization Support SSO across all applications inside the organization Support federated SSO with external applications and services The IAM cloud may extend to support multiple large organizations simultaneously

7

8 Manage organizations, applications, users, user groups in a single tree Use the same naming rule App.x.y.z User.a.c.d.e Support management delegation A admin manage orgs, users and groups in a subtree userinfo:id,name,f/m,account, login_time,organization code, department code,service list

9 Web app administrator Web app console Web app owner Organizational user, Managed by HR web app user Web app developer Web app portal Web app owner Including developer, temporary user Web app personal space Managed by managers Web app administrator App user outside of UCAS Web app user Web app store Web app user Managed by the application administrator Web app developer Web app owner SEP ROLES Web app user Users unified management Web app user Web app user Web app developer Web app owner Web app user Users unified management Web app user

10 User groups are used to Manage user s entitlement, which are passed to applications for authorization Manage policy. Users belongs to the same user group have the same policy on user management, password management, etc User group composition Some specific users Users from some other user groups Users match some attribute expression organization = xyz && type == employ && age > 30

11 Support SSO across applications inside the organization, include local applications of each sub-organization and cloud application of the organization Support federated SSO between application inside the organization and applications external, such as Goole App Using Shibboleth and SAML as the main SSO solutions

12 Administrators specify the attribute release to each application Release name, , entitlement information to internal applications Release none or few information to external applications User confirm the attribute release to each application He may deny to release some specific attribute to a application

13 IAM cloud provide application level authorization Determine which user can access which applications Applications handle their fine-grained access control, but IAM cloud provide various information to assist decision User attributes User entitlements Security policies

14 A security policy define how users are managed, how they login, etc in the IAM cloud Several level of security policies are defined Applications may use the policies to allow or deny user access

15