
Copyright Albert Wu 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Spring Roles: Moving Forward on an Access Management Strategy

Albert Wu, University of California Los Angeles

NMI-EDIT, Internet2 MACE, EDUCAUSE Net@EDU Identity Management Workgroup

EDUCAUSE Southwest Regional 2008, Tuesday, April 1, 2008

Today

• What is Access Management?

• Surveying Access Management Practices

• What is UCLA Doing with Access Management?

This session is brought to you by Internet2, Educause, and the NMI-EDIT Consortium.

What is Access Management?

I want to automatically give all students enrolled in CS143 access to my lab, the class web sites, and software in the lab.

I don’t want to run around getting access to everything for my classes. I want what I need, where and when I need it.

What is Access Management?

I want to create a project group, and when I invite someone to join that group, they immediately have all related access. And when I join that group, I want immediate access to all relevant resources.

I want to quickly grant my assistant access while I’m away rather than loan her my access!

What is Access Management?

I want to run a review process in which students, faculty, staff and administrators review and approve different components at different points in the process.

Before I terminate this person, I want to make sure all their current access is revoked throughout the campus.

Access Management

• Who has access?

• How do we reliably grant and revoke access?

• How do I delegate my access to another?

Surveying Access Management Practices

• 2 Questionnaires

• 8 Universities

• comprehensive research institutions

• public and private

• 7,000 – 51,000 students, faculty and staff

• Respondents were asked to include a small campus group in answering the questions.

Internet2 led a survey with support from the EDUCAUSE Identity Management Working Group.

Survey One: Tell Us About You

An open-ended questionnaire asking:

• What are your access management initiatives?

• Which factors drove the launch of the initiatives?

• What are your plans?

• What are the expected new capabilities?

• How will others know when it’s time to launch access management initiatives?

Themes and Recommendations

1. Audience/end-users

2. Policy/Auditing

3. Business process/Work flow

4. Architecture

5. Data use/Protection

6. Project management

Audience & End Users

An access management system should have a friendly user interface and a high degree of usability, accommodating a wide range of potential users.

Policy and Auditing

Develop policies related to access control, ensure that the system will do what it is intended to, and define the roles of central IT and distributed IT offices.

Business Process / Work Flow

• Focus on people/how they get their work done

• Distribute control and management of groups

• Distributed authorization is in

• Reduced administration by local IT groups

Architecture

• Create groups-based authorization system

• Streamline management

• Support standards

• Anticipate substantial increase in the demand for groups and collaboration

• Think flexible design

• Focus on security, of course

Data Use / Protection

The access management system will leverage existing institutional data and make it easy to incorporate new data (mainly from end-users).

• Reduce need for special accounts

• Reduce duplication of effort to manage access

• Gather new/additional data

• Widely distributed, common access management interface

Project Management

Effective access management systems are likely implemented in stages with broad campus involvement.

• Implementation in stages

• Broad campus involvement

• Implementation is project focused, management of the system is more operationally focused.

Survey Two: Infrastructure Maturity

Self-assessment measuring the maturity of policy, infrastructure, and operational practices:

• Data stewardship

• Identity Management System Coverage

• IT Infrastructure and Planning

• Data sharing and re-use

• Groups and Access Management

• Access Management Enabled Policy Enforcement

• Access Management Audit

[Chart: Per-institution average score for the Infrastructure Maturity Survey. X-axis: Main Category; Y-axis: Average Response (0.0 to 10.0); series labelled 1 to 7.]

Main categories: 1. Data Stewardship; 2. People in IdM Sys.; 3. Other entities in IdM; 4. IT infrastructure; 5. Data sharing/re-use; 6. Enriching ID through groups; 7. Basic Access Mgmt; 8. Policy control/priv. mgmt.; 9. Managing Access Mgmt. data

Participant recommendation

The problem areas shown by the graphs indicate where Internet2 & EDUCAUSE could help with outreach and educational activities:

• Policy control

• Managing access management data

How will colleagues at other institutions know when to consider access management initiatives?

Access Management Tripwires

• Applications are using different sets of group access rules

• Multiple systems require common access information

• There is the institutional will/desire to proceed

• A global identifier for users is in place

• An identity management infrastructure exists

• There is a demand to collaborate with other institutions

• There is a need to quickly provide access to electronic resources

Access Management @ UCLA: DACSS

• Distributed security administration based on departmental/financial hierarchy

• Manages access for key administrative applications

• Early attempt at enterprise permission management

• Value-based, explicit permissions

• Permission management is a business function

Access Management @ UCLA: Class Web Sites, Academic Applications, and Others

• Academic delegation hierarchy

• Access by position in workflow

• Download member data from data warehouse

• Explicit permissions within each application

• Students can delegate access to personal data and permission to pay tuition to parents

What is IAMUCLA?

• Identity & Access Management @ UCLA

• Who wants to access a resource? (Authentication)

• Does the person have permission? (Authorization)

IAMUCLA

• Enterprise Directory

• Common Logon ID

• Web Single Sign-on

• Enterprise Group/Permission Management

Before IAMUCLA

Departmental Intranet, URSA, Class Web Sites, Discussions, Service Requests, Budgeting, Research Proposal Tracking, … and others

URSA, RATS, MyUCLA, Travel Express, Financial Web Reports, many other web apps

• User logs into each application separately using different logon IDs

• Permissions managed separately in individual applications

• Applications kept separate user identity data

IAMUCLA Phase I

ISIS/Shibboleth: Web Single Sign-On

Enterprise Directory

User logs in using UCLA Logon ID

ED supplies user identity data

Permissions managed separately in individual applications

At a Threshold

• CCLE – Faculty & Students

• DAT – Faculty & Staff

• IWE – Students & Parents

• GRID – Researchers at UCLA & other campuses

• Clinical Research – Physicians & Students

• Research collaboration – Faculty & Students at UCLA and other campuses

A window of opportunity for a new way to handle permissions

Several new applications are emerging with new and large communities of users

IAMUCLA Phase II

URSA, RATS, MyUCLA, Travel Express, Financial Web Reports, many other web apps

ISIS/Shibboleth: Web Single Sign-On

User logs in using UCLA Logon ID

Permission Management Tools / Enterprise Directory

ED delivers user identity, groups, and permissions data via Shibboleth; permissions are managed once and the same permissions data is replicated to non-web systems

Phase II Deliverables

• Deploy enterprise-wide, 24x7 permissions management system

• Provide cross-campus integration for all applications

• Support access delegation

• Provide support for local integration
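The Phase II idea of managing permissions once in a central store and answering "who has access?", delegation and revocation from that one place, as a constructed toy model added here (not UCLA's or IAMUCLA's code): rights attach to groups, a delegation is an explicit, expiring, revocable record rather than a loaned logon, and termination revokes everything at a single point.

```python
# Constructed toy model (added here; not UCLA's or IAMUCLA's code) of one central
# permission store: rights attach to groups, users get them via membership,
# "loaning" access becomes an explicit delegation record, one revocation point.
from dataclasses import dataclass, field

@dataclass
class PermissionStore:
    members: dict = field(default_factory=dict)  # group -> set of user ids
    grants: dict = field(default_factory=dict)   # group -> set of (app, perm)
    # (delegator, delegate, app, perm, expires) with expires as ISO "YYYY-MM-DD"
    delegations: list = field(default_factory=list)

    def add_member(self, group, user):
        self.members.setdefault(group, set()).add(user)

    def grant(self, group, app, perm):
        self.grants.setdefault(group, set()).add((app, perm))

    def group_permissions(self, user):
        # Rights reach a user only through the groups they belong to.
        return {p for g, us in self.members.items() if user in us
                for p in self.grants.get(g, ())}

    def delegate(self, delegator, delegate, app, perm, expires):
        # Only rights held via a group may be delegated, so a delegated
        # right cannot be passed on a second time.
        if (app, perm) not in self.group_permissions(delegator):
            raise PermissionError(f"{delegator} does not hold {perm} on {app}")
        self.delegations.append((delegator, delegate, app, perm, expires))

    def permissions(self, user, today):
        perms = set(self.group_permissions(user))
        for giver, taker, app, perm, expires in self.delegations:
            # Live only while unexpired (ISO strings compare in date order)
            # and while the giver still holds the right themselves.
            if (taker == user and today <= expires
                    and (app, perm) in self.group_permissions(giver)):
                perms.add((app, perm))
        return perms

    def terminate(self, user):
        # Single revocation point: memberships and every delegation the user
        # gave or received go away, so nothing lingers in any application.
        for us in self.members.values():
            us.discard(user)
        self.delegations = [d for d in self.delegations if user not in d[:2]]

    def who_has(self, app, perm, today):
        known = {u for us in self.members.values() for u in us}
        known |= {d[1] for d in self.delegations}
        return sorted(u for u in known if (app, perm) in self.permissions(u, today))
```

The sample groups, users and dates in the test are constructed; a real deployment would feed the same store from the enterprise directory and replicate it outward, as the Phase II slide describes.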

1. Audience/end-users

2. Policy/Auditing

3. Business process/Work flow

4. Architecture

5. Data use/Protection

6. Project management

Lessons So Far

• Access management is a business function

• Distributed security administration works

• Access management is not intuitive. Education is important.

• Controllers and auditors are your friends

• Foster user communities; provide regular training

Lessons So Far

• Leverage Standards

• Architect for extensibility

• Timing is key. Catch the applications at critical update cycle

• Deploy in stages

• Design for the end user

  • trained security administrators (bulk security administration)

  • every day users (self-delegation)

  • auditors and managers (reports, alerts, analysis)

  • help desk staff

Internet2 Middleware | http://middleware.internet2.edu

IAMUCLA Web Site | https://spaces.ais.ucla.edu/iamucla

Albert Wu | albertwu@ucla.edu
