Privilege and Access Management. Jan Tax Identity Management Specialist UNC Chapel Hill




The Big Picture

Overview of Presentation
- Start with the basics of access management: definitions, stages and evolution.
- Go over the use of user attributes, group memberships and entitlements to govern access to applications.
- Finish with an example of a recent request from an application developer that illustrates some of the techniques.
Thanks to the Internet2 MACE-paccman Working Group for much of the material used in this presentation: https://spaces.internet2.edu/display/macepaccman/home

What is Access Management?
- Access Management is the set of policy-based and technology-based practices for controlling access to resources.
- Definitions, for the purposes of this presentation:
  o Subject is a person or a service acting on a person's behalf
  o Resource is a part of a system which needs to be protected by authorization
  o Group is a collection of Subjects
  o Privilege is an action that a Subject can perform on a Resource
  o Role is a collection of privileges
- Access management can get very complicated; see "Categorizing Access Management Use Cases" (Rob Carter and Scott Fullerton, June 2009 CAMP in Philadelphia).
- Let's look at the progression...

Stages of Access Management
1. Authentication only -- if you can log in, you get everything
2. A user agreement saying you won't abuse the information you see (e.g. sysadmins)
3. Access control lists/tables (subject, privilege) hard-coded within each application
4. Access control lists/tables (subject, privilege) hard-coded within each application, combined with user attributes from a central LDAP/WS/DB/SSO
5. Access control lists managed outside the application by a central system (e.g. Grouper) and provided to the application
6. A rule-based, centralized service that can be consulted by applications to make grant or deny access decisions (e.g. XACML-based)
Most applications are in stages 3-5.

Stages of Access Management
- Access management is still in the early stages of maturity: access is managed mostly at the application level.
- There is movement toward centralizing/externalizing access management using directories (LDAP/AD) and group management systems (Grouper).
- Centralization simplifies data management and can ease revocation of privileges -- do it in one place instead of in each application.
- Provisioning access is an alternative for applications that can't make direct use of the central identity and access management systems.

Evolution of Access Management
- Access management is an ongoing process.
- Start by using a single attribute -- affiliation -- and let applications use it to make access decisions. The eduPerson LDAP schema defines a standard set of values for affiliation: member, employee, student, faculty, staff, alum.
- Add centrally-managed user attributes and group memberships derived from data provided by "systems of record":
  o student, employee type
  o departmental affiliations
  o course enrollments
- Allow application owners to manage their own groups.

Groups
- Groups can be managed directly in LDAP or AD, or by a group management system such as Grouper.
- UNC Chapel Hill uses Grouper to manage:
  o dynamic groups calculated from System of Record data:
    cn: unc:org:3103:staff
    cn: unc:org:3103:employee
    cn: unc:org:3103:member
  o application-specific groups managed with the Grouper application:
    cn: unc:app:its:grouper:admin
    cn: unc:app:its:grouper:users
- Groups are published to a separate groups container in LDAP.
- Group memberships can be provided by Shibboleth when a user authenticates, for an agreed-upon set of groups.

Example: Group memberships
- UNC's content management system (CCM) uses group memberships retrieved from LDAP to control the type of access (rwda) to a document path:
  cn: unc:3103:comm:ccm:account:r:priv/its/comm/int/stationery
  cn: unc:3103:comm:ccm:account:r:priv/its/comm/int/media
  cn: unc:3103:comm:ccm:account:r:priv/km/its_resnet/student
  cn: unc:3103:comm:ccm:account:r:priv/its/ec
  cn: unc:3103:comm:ccm:account:rw:priv/km/its_idm
  cn: unc:3103:comm:ccm:account:rw:km/its_idm
  cn: unc:3103:comm:ccm:account:rwd:its/eapps/idm
  cn: unc:3103:comm:ccm:account:rwd:its/support/idm
- Grouper is used to manage the group structure and updates the LDAP directory when changes are made.
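The CCM group names above encode a rights string and a document path. The following is an added example, not code from the presentation or from UNC's CCM, showing how an application can resolve a user's isMemberOf values into effective rights on a requested path; it assumes (the slide does not say) that a group on an ancestor path covers the documents below it, and that the fourth letter of "rwda" is admin.

```python
# Added example (not from the presentation): resolve CCM-style group names
# into effective rights on a document path.
# Assumption: a group whose path is the requested path or one of its
# ancestors grants its rights to everything below it.
from typing import Iterable

PREFIX = "unc:3103:comm:ccm:account:"
VALID_RIGHTS = set("rwda")   # r, w, d, a as on the slide; 'a' presumably admin (assumption)

def parse_ccm_group(cn: str):
    """Return (rights, path) for a CCM access group, or None for any other group."""
    if not cn.startswith(PREFIX):
        return None                     # e.g. unc:org:3103:staff is not a CCM rule
    rest = cn[len(PREFIX):]
    rights, sep, path = rest.partition(":")
    if not sep or not path or not rights or not set(rights) <= VALID_RIGHTS:
        return None                     # malformed name: ignore it rather than grant
    return frozenset(rights), path.strip("/")

def effective_rights(member_of: Iterable[str], doc_path: str) -> str:
    """Union of rights from every matching group; '' means no access (default deny)."""
    target = doc_path.strip("/").split("/")
    granted = set()
    for cn in member_of:
        parsed = parse_ccm_group(cn)
        if parsed is None:
            continue
        rights, path = parsed
        parts = path.split("/")
        if target[:len(parts)] == parts:          # exact path or an ancestor of it
            granted |= rights
    return "".join(c for c in "rwda" if c in granted)

# Constructed sample: one user's isMemberOf values, using names from the slide
SAMPLE_GROUPS = [
    "unc:org:3103:staff",
    "unc:3103:comm:ccm:account:r:priv/its/comm/int/stationery",
    "unc:3103:comm:ccm:account:rw:priv/km/its_idm",
    "unc:3103:comm:ccm:account:rwd:its/eapps/idm",
]

if __name__ == "__main__":
    for p in ("priv/km/its_idm/handbook.html", "its/eapps/idm", "priv/its/comm/ext"):
        print(p, "->", effective_rights(SAMPLE_GROUPS, p) or "(denied)")
```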

Entitlements
- Entitlements are an alternative to groups, useful in federated applications dealing with multiple identity providers.
- Groups tend to put access control logic in the application:
  o the application must have knowledge about the meaning of group names
  o names are not consistent across institutions
- Entitlements tend to put access control logic in the central system (attribute authority):
  o they can be calculated from group memberships

Example: Library Entitlement
- College and university libraries contract for access to content from electronic resource providers.
- Proxy servers (e.g. EZproxy) are used to allow access to the electronic resource providers from on-campus IP addresses.
- From off-campus, either VPN to campus or...
- Shibboleth authentication + entitlement allows access from on- or off-campus:
  eduPersonEntitlement: urn:mace:dir:entitlement:common-lib-terms
- Library resource providers have agreed to honor this entitlement, which is defined on each campus to include the people covered by license terms.
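The two slides above split the logic between the campus attribute authority (which turns local group names into the common entitlement) and the resource provider (which only needs to know the URN and the campus address ranges). As an added example, not code from the presentation, the following shows both sides; the campus network range and the group that carries license coverage are constructed assumptions, while the entitlement URN is the one on the slide.

```python
# Added example (not from the presentation): library access via on-campus IP
# or the common-lib-terms entitlement, with the entitlement derived from groups.
import ipaddress

LIB_ENTITLEMENT = "urn:mace:dir:entitlement:common-lib-terms"
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed documentation range
LICENSED_GROUPS = {"unc:org:3103:member"}   # assumption: this group is covered by license terms

def compute_entitlements(member_of):
    """Attribute-authority side: derive eduPersonEntitlement values from group names.
    Only the campus knows which local groups map to the licence; the provider never sees them."""
    ents = set()
    if LICENSED_GROUPS & set(member_of):
        ents.add(LIB_ENTITLEMENT)
    return ents

def on_campus(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)

def library_access(client_ip: str, shib_attrs=None) -> str:
    """Proxy/resource-provider side. Returns the reason access was granted, or 'deny'.
    shib_attrs is the released attribute set after Shibboleth authentication, or None."""
    if on_campus(client_ip):
        return "allow:on-campus"
    if shib_attrs and LIB_ENTITLEMENT in shib_attrs.get("eduPersonEntitlement", ()):
        return "allow:entitlement"
    return "deny"

if __name__ == "__main__":
    attrs = {"eduPersonEntitlement": compute_entitlements(["unc:org:3103:member"])}
    print(library_access("192.0.2.10", None), library_access("203.0.113.5", attrs))
```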

Example: Grad School Apps Access
- Applications running in an application server needed to be access controlled.
- Shibboleth is used for authentication and attribute retrieval in this case, but the mechanism could be LDAP/AD or something else.
- Combinations of user attributes, group memberships and a local table/list are used to govern access for each application.

Access rules for each application (table from the slide):

  Application: Fellowships Database
    Restrict to: Graduate School Staff
    Attribute: ismemberof
    Required values: unc:org:3901:staff
    Allow: Graduate School staff
    Deny: other departments' staff; any students

  Application: Footprints Admin
    Restrict to: Graduate School Staff
    Attribute: enumerated by userid
    Required values: list of allowed userids
    Allow: users whose userids are listed
    Deny: any other users

  Application: VPHD
    Restrict to: Graduate students
    Attribute: uncstudenttype
    Required values: GRAD ABD, GRAD DDG, GRAD FX, GRAD GD, GRAD GM, GRAD II, GRAD MDP, GRAD SPG, GRAD
    Allow: any graduate students in any department or program
    Deny: any non-graduate students

  Application: Funding Handbook
    Restrict to: Faculty/Staff (not students)
    Attribute: employeetype
    Required values: EPA Faculty, EPA Non-Faculty, SPA
    Allow: permanent faculty or staff from any department
    Deny: students; student-employees of any department; temporary employees of any department
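The table above is a policy that can be kept as data rather than hard-coded per application. The following added example (not code from the presentation or from UNC) evaluates those four rules against a user's released attributes with default deny; the attribute names and required values are the slide's, while the allowed-userid list and the sample users are constructed.

```python
# Added example (not from the presentation): the slide's access table as data,
# evaluated against a user's attributes. Unknown application, missing attribute
# or a value outside the required set all result in deny.
GRAD_TYPES = {"GRAD ABD", "GRAD DDG", "GRAD FX", "GRAD GD", "GRAD GM",
              "GRAD II", "GRAD MDP", "GRAD SPG", "GRAD"}
FOOTPRINTS_ADMINS = {"jtax", "gsadmin"}   # the local allow-list; constructed userids

# Each rule: the attribute to inspect and the set of values that grant access.
RULES = {
    "Fellowships Database": ("ismemberof", {"unc:org:3901:staff"}),
    "Footprints Admin":     ("userid", FOOTPRINTS_ADMINS),
    "VPHD":                 ("uncstudenttype", GRAD_TYPES),
    "Funding Handbook":     ("employeetype", {"EPA Faculty", "EPA Non-Faculty", "SPA"}),
}

def is_allowed(app: str, user: dict) -> bool:
    """Deny by default; allow only when a required value is present on the user."""
    rule = RULES.get(app)
    if rule is None:
        return False
    attr, allowed_values = rule
    values = user.get(attr, [])
    if isinstance(values, str):            # single-valued attribute (userid, employeetype)
        values = [values]
    return any(v in allowed_values for v in values)

def allowed_apps(user: dict) -> list:
    return [app for app in RULES if is_allowed(app, user)]

# Constructed sample users; attribute values for non-listed types are assumptions
GRAD_STAFF = {"userid": "jtax", "ismemberof": ["unc:org:3901:staff"],
              "employeetype": "SPA"}
GRAD_STUDENT = {"userid": "s1", "uncstudenttype": "GRAD FX",
                "ismemberof": ["unc:org:3103:member"]}
STUDENT_EMPLOYEE = {"userid": "s2", "uncstudenttype": "UGRD",
                    "employeetype": "Student"}
TEMP_EMPLOYEE = {"userid": "t1", "employeetype": "Temporary"}

if __name__ == "__main__":
    for name, u in (("grad staff", GRAD_STAFF), ("grad student", GRAD_STUDENT),
                    ("student employee", STUDENT_EMPLOYEE), ("temp", TEMP_EMPLOYEE)):
        print(name, "->", allowed_apps(u) or "(nothing)")
```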

Questions/Comments?
Jan Tax, UNC Chapel Hill, tax@unc.edu