Presentation Transcript: Identifiers and Name Space Considerations
Category: Education. License: All Rights Reserved. Added: January 09, 2008.

Identifiers and Name Space Considerations
Dr. Tom Barton
Copyright Tom Barton, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

What we’re trying to accomplish
Simplify what users must know to access online services.
Enable the IT organization to efficiently provide a multitude of online services.
Increase security.
Enable online service for our constituents earlier in their affiliation with us, wherever they are, and forever.
Participate in new, inter-organizational, collaborative architectures.

Terminology
Identity: set of attributes about a person. Operationalized as a “person object”.
Authentication: process used to associate a user with an identity. Often a login process.
Authorization: process of determining if policy permits an intended action to proceed.
Customization: presentation of a user interface tailored to the user’s identity. Subsumes personalization.

Comparative service architectures
Stovepipe (or silo): the service performs its own authentication and consults its own database for authorization and customization attributes.
[Diagram: a single service with its own authN and attribute store]

Comparative service architectures
Stovepipes are run by separate offices.
The environment is more challenging to users, who may need to contact each office to arrange for service and remember several sets of credentials.
Any life cycle management of service-specific resources must be undertaken by the service-specific office.
Per-service identifiers and security practices make it more difficult to achieve a given level of security across the enterprise.

Comparative service architectures
Integrated: a suite of services refers authentication to, and obtains attributes for authorization and customization from, enterprise infrastructure services.
[Diagram: Service 1 ... Service N sharing one authentication service and one attribute service]

Comparative service architectures
Enterprise authentication & attribute services are provisioned by a central office.
All attributes known by the organization about a person can be integrated and made appropriately available to services.
Automated life cycle resource management across the enterprise is facilitated.
Common identifiers across integrated services enable an easier and more secure user environment.

Core middleware for an integrated architecture
[Diagram only]

Examples
Common “basket” of services: email (reading & sending), calendar, shell & cluster accounts, network access services, myriad web apps, LMS, library databases, home directories, ...
Remote account initialization & admitted students.
Academic Personnel Records.
Leverages common security & data architecture.

NMI Roadmap GPS
Preceding slides sketched the overall technical architecture. Now we’ll dig into the identifiers that are fundamental to providing integration...

Source system identifiers
Affiliations: Which source systems define which affiliations? How? How do constituents become engaged in their various affiliations with the U? How disengaged?
Associated attributes: What other attributes of value to online services are maintained in which source systems? How are they maintained, for what purposes? Are they reliable?
Metadata: (De-)assignment process; persistence; visibility; versions; ... What encumbrances/obligations/policies pertain? Updatable (in source system)?
Forever iterate over these considerations.

Registry identifiers
Fundamental IDs: permanent, unreleased guid. Permanent pvid? Versions? Source join & consumer crosswalk.
Derived identifiers: username(s). Attributes for provisioning processes. Consumer specific?
Affiliations: derived. Course, program, org related identifiers & objects. Group memberships.
Namespace issues: multiple namespaces? For registry objects? For consumer systems? Overloading. Format.
All is hidden from view.

Consumer identifiers
Fundamental IDs: persistence, visibility, opacity, ... Potential interaction with privacy policy. Store/use pvid? Choice of naming components (LDAP only).
Representation of attributes: application use cases. Overloading & namespace collision, e.g. cn: name of person, name of group, name of ...; uid: orthogonal sets of usernames?
Consumer specific selection & transformation.
All is potentially exposed.

Service identifiers
Ability to use or be provisioned with a user identifier derived in the metadirectory is a requirement for integration into this architecture.
Attribute schema: conventions for syntax & semantics.

Username & related namespace issues
Stresses on a common username space: least common denominator format requirements. Number of persons assigned one (alums?, parents?, sibs?, patrons?, donors?). Duration of assignment: forever?
Potential for shared administration of portions of the username space might drive creation of orthogonal namespaces. E.g., OS usernames, uids, gids w/ nss-ldap. University “guest” registration.

Identifier Discovery
Identify the identifiers, starting with key source systems and prevalent or important services.
ID Mapping Table columns: ID name, primary use, who assigns, who gets one, where stored, format. Characteristics: opaque/transparent, lucent?, reassignable?, revokable?, unique within <scope>.
More important than the technical details is the establishment of ongoing relationships between the architect and the people who assign and use fundamental identifiers.

Abbreviated ID Mapping Table
http://middleware.internet2.edu/earlyadopters/identifier-mappings/

PS: Personal Identifiers
Who maintains name, birthday, SSN? Registrar, Human Resources, Bursar, ID Office, Law School, University College, Library, Regents Online Degree Program, Central IT, Controller, Marketing & Advancement, Academic Personnel Records, Telecom/Network Services, Intensive English for Internationals. This is an irrational business practice!

Common security & data architecture
[Diagram: data warehouse, intelligence layer, Common Reporting Tool]
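The "source join & consumer crosswalk" of the Registry identifiers slide and the reassignable / unique-within-scope characteristics of the ID Mapping Table, worked as an added Python example (not code from the slides or from Internet2): the IdSpec and Registry classes, and the sample source systems and usernames, are assumed for illustration.

```python
import uuid
from dataclasses import dataclass

@dataclass(frozen=True)
class IdSpec:  # one ID Mapping Table row: identifier name, who assigns it, reassignable?
    name: str
    assigned_by: str
    reassignable: bool

class Registry:
    """Person registry keyed by a permanent guid that is never released (assumed design)."""
    def __init__(self, specs):
        self.specs = {s.name: s for s in specs}
        self.by_source = {}  # (id name, value) -> guid: the source join index
        self.username = {}   # guid -> derived username: the consumer crosswalk
        self.taken = set()   # usernames in use: unique within the username namespace

    def join(self, id_name, value, guid=None):
        """Source join: attach a source-system id to a person object, creating one if needed."""
        if self.specs[id_name].reassignable:  # could name two people over time: not a join key
            raise ValueError(f"{id_name} is reassignable; not usable as a join key")
        key = (id_name, value)
        if key in self.by_source and guid not in (None, self.by_source[key]):
            raise ValueError(f"{id_name}={value} is already joined to another person")
        return self.by_source.setdefault(key, guid or uuid.uuid4().hex)

    def assign_username(self, guid, wanted):
        """Derive the consumer identifier, disambiguating on namespace collision."""
        if guid not in self.username:
            candidate, n = wanted, 1
            while candidate in self.taken:
                n += 1
                candidate = f"{wanted}{n}"
            self.taken.add(candidate)
            self.username[guid] = candidate
        return self.username[guid]

    def crosswalk(self, id_name, value):
        """What a consumer system receives: the username, never the registry guid."""
        return self.username.get(self.by_source.get((id_name, value)))

def demo():
    """Constructed sample: a student who is also an employee, plus a namesake."""
    reg = Registry([IdSpec("student_id", "Registrar", False),
                    IdSpec("employee_id", "Human Resources", False),
                    IdSpec("library_barcode", "Library", True)])
    g = reg.join("student_id", "S100")
    reg.join("employee_id", "E200", guid=g)  # same person seen from a second source
    u1 = reg.assign_username(g, "jsmith")
    u2 = reg.assign_username(reg.join("student_id", "S101"), "jsmith")  # namesake
    return u1, u2, reg.crosswalk("employee_id", "E200")
```

Consumers only ever see the derived username; the guid stays inside the registry, and an identifier marked reassignable in the mapping table is refused as a join key.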