Categorizing Access Management Challenges
Rob Carter, Duke University
Scott Fullerton, University of Wisconsin
Posted on 18-Jan-2018

Overview
- What's all the fuss about, anyway?
- Maybe there's an approach we can use
- Overview and survey of higher ed use cases
- Breakin' up big rocks
- Trying the approach on for size
- Some edge cases from out in the wild

What's all the fuss about?
- Why is access management like the weather?
- Everyone talks about it, but (almost) no one seems to be doing anything about it
- But why…

What's all the fuss about?
- Access management is a complex problem
  - Lots of moving parts; lots of stakeholders; high stakes
  - Viewed monolithically, it can seem utterly intractable
- Access management is difficult to sell
  - Everyone wants it, but no one wants to deal with it
- The problem space is huge
  - Every resource, every application, has a need for access management

What's all the fuss about?
How do you solve a problem like Maria?
- Maria, who is the Dean of Medicine and wants to implement what she thinks is a simple rule (the rule builds up over four slides):
  - In the campus purchasing system principal investigators should be able to approve purchases
  - ...up to $100,000 for research projects
  - ...provided they have completed training on University purchasing processes and have filed the appropriate conflict of interest documentation
  - ...until July 1, 2010

What's all the fuss about?
- The large print giveth (and the small print taketh away)
- And that's only one of thousands of scenarios

What's all the fuss about?
- ...it's no wonder the problem can seem intractable

Maybe there's an approach
- Start from use cases or user stories
  - Usually short (at least to begin with)
  - Describe scenarios in terms the actors understand
  - Help define the problem space as well as provide fodder for analysis
  - Help ensure that solutions actually address real world problems

Maybe there's an approach
- Evaluate, analyze, and decompose
  - Try to break down use cases into common constituent parts
  - Evaluate the breakdown; identify unique features and possibly some common features

Maybe there's an approach
- Compare, abstract, and organize
  - Look for similarities across cases
  - Even dramatically different situations may yield to similar treatment
  - Start to categorize the similarities; taxonomize

Maybe there's an approach
- Identify classes of solutions; lather, rinse, repeat
  - Consider the resources you might use to build solutions, and start to associate potential solutions with categories of problems, applying one or more solutions associated with the category to new problems identified in that category, refining your categories and solutions as you gain experience
  - Or, to quote Zippy the Pinhead: "If it WIGGLES, SQUISH it!"

Maybe there's an approach
Use Case Survey
- If you didn't get to see them: https://spaces.internet2.edu/display/CAMPJune2009/Use+Cases+Organized+by+Area+of+Interest
- Use cases categorized by where they arise
- Good for surveying purposes

Use Case Survey
- Business Operations Cases Deal With
  - Money, budgets, purchases, accounts
  - Human Resources and management
  - Employee relationships
  - Employee identities
- Business Operations Cases Address
  - Organizational structure
  - Delegation
  - PCI compliance
  - Audit

Use Case Survey
- Academic / Research Cases Deal With
  - Learners, instructors, faculty
  - Classes, registration
  - Research products
  - Collaborators
  - Pedagogy
  - Evaluation (testing, grading)
- Academic / Research Cases Address
  - Faculty hierarchy
  - Course hierarchy
  - FERPA
  - Research collaboration
  - Accreditation

Use Case Survey
- Residential Life Cases Deal With
  - Students, staff, advisors
  - Housing
  - Safety
  - Physical access
- Residential Life Cases Address
  - Multiple affiliations
  - Transient privileges
  - Short privilege lifecycles

Use Case Survey
- Library Use Cases Deal With
  - Patrons, Librarians
  - Catalogs and collections
  - Collaborators
  - Professional organizations
- Library Use Cases Address
  - Privacy
  - Anonymity
  - Blended identity
  - Federations

Use Case Survey
- Medical Center Use Cases Deal With
  - Physicians, nurses, patients
  - Medical records
  - Referrals and consultations
  - Controlled substances
- Medical Center Use Cases Address
  - Urgency and Expediency
  - Credentialing and qualifications
  - HIPAA
  - Oversight

Use Case Survey
- Use cases from these six areas seem disjoint
  - Different actors and objects
  - Different activities
  - Different concerns and complexities
- But of course, we wouldn't be talking…

Analytic Approach
- Lines of decomposition
  - Subjects: Grantor, grantee, resource
  - Functions or Permissions: Approve, update, authorize, add, delete, view, etc.
  - Constraints: Time limits; extents; scope

Analytic Approach
- Subjects
  - How are they (or could they be) identified? Ad Hoc List? Authoritative Source? Algorithmic? Self-described?
  - Are they singleton or multiple?

Analytic Approach
- Functions or Permissions
  - Are permissions Singletons? Collections?
  - Are permissions defined by Business role or activity? Inheritance or delegation? Ad hoc or Fiat? (but not GM)

Analytic Approach
- Constraints
  - Are grants to be limited in time? in scope? in extent?
  - Are limits controlled by Fiat? Business role? Hierarchical position? Prerequisites?

Categorization
- We might imagine, then, using this decomposition to classify use cases based on some common features, e.g.:
  - Single grantor, single grantee, single permission by fiat with no constraints (I give my car keys to my wife)
  - Single grantor, multiple grantees identified by authoritative sources, multiple permissions by business role with no constraints (I allow my students into my wiki without restriction)
  - Multiple grantors identified by, multiple grantees identified ad hoc, single permission with no constraints (Deans can designate visitors who have access to the faculty club pool)

Categorization
Business Case #4: Wellness Program Participation
A university's HR department offers a health and wellness program for university staff and faculty. The program is entirely voluntary. Participation requires a commitment by the employee to engage in a short online health awareness exercise, in return for which the university offers participants discounts on services at the university health club as well as periodic special offers from area businesses deemed by the university to be offering wellness-supporting services. A new employee in the physical plant hears about the program during an HR orientation and visits a web site to sign up. Once enrolled in the program, the employee has access to the program's web portal and receives weekly reminders about training opportunities and special offers.
- Authority rests with HR department (business role)
- Grantor and grantee are the same, self-identified but constrained by authoritative source (only staff and faculty)
- Depending on IAM implementation, could be algorithmic (e.g., by eduPersonAffiliation) or more ad hoc (HR provides eligible staff and faculty lists)
- Constraint: the grantee must accept terms and conditions of the program before being enrolled.

Categorization
Academic Case #5: FERPA Information Restricted
Under federal regulations, certain educational records information about students may be categorized as "directory information" and may be disclosed by institutions without prior consent from students. Students reserve the right under FERPA, however, to have disclosure of their directory information blocked upon request. An undergraduate Engineer becomes concerned that a high-school acquaintance may be stalking her, and wishes to have her contact information (name, address, telephone number) blocked from view. The Registrar considers those data elements to be directory information under FERPA, and discloses them by default. The student visits a FERPA portal system and marks those data elements as FERPA protected information in her records. Subsequently, applications that access student educational information and IdM data about students refuse to allow access to the student's contact information except when the requester is identified as having an academic need to see the information.
- Authority rests with the Registrar (business role)
- Grantor is self-identified but constrained by authoritative source (only students may exert FERPA rights)
- Depending on IAM implementation, could be algorithmic (e.g., by eduPersonAffiliation) or more ad hoc (Registrar may provide a list of covered students)
- Constraint: grantees must identify (in some unspecified fashion) an academic need for information

Categorization
Business Case #3: Clery Notification
Richard is the institution's Vice President of Public Safety, and as such, he is authorized within an emergency notification system to approve Clery Act notifications which will be sent via multiple venues to the entire campus community. Richard schedules a two week vacation in Europe. He delegates his Clery role to the Chief of Campus Police, Trish, during his two week absence, allowing her to approve Clery notices in his stead. When a pair of armed robberies is reported outside a student dormitory one week later, Trish is able to approve a Clery notification for distribution on Richard's behalf. Upon his return from vacation, Richard revokes the delegation of his Clery role, and Trish loses her ability to approve Clery notices in the system.
- Authority rests with the single grantor, who is identified by an authoritative source and whose authority comes from his business role (VP of Public Safety)
- Single grantee is identified by organizational hierarchy (as Richard's direct report) and by fiat (he designates her as such).
- Single permission assigned ad hoc (approve Clery notifications)
- Constraints: 2-week time limit
- Note: this is a case of delegation; Richard is conferring his privilege on Trish

Categorization
Academic Case #3: TA Grade Access
A university uses its LMS to handle mid-term grade reporting: faculty enter grades for assignments and mid-term quizzes and exams in the LMS, where students can review them online and track their progress until the end of the term. The LMS automatically assigns grade entry privileges to instructors (as identified by the student registration system). Professor Gamow chooses to have one of his graduate students act as TA for his EM Fields course and delegates his grade reporting privileges in the LMS to his student. The student is then able to report grades for students in the EM Fields class within the LMS. When final grades are due, Professor Gamow reports them to the Registrar based on information previously reported in the LMS.
- Authority rests with the single grantor, who is identified by an authoritative source and whose authority comes from his job function (faculty, instructor for EM Fields)
- Single grantee is identified by organizational hierarchy (as Prof. Gamow's graduate student) and by fiat (he designates her as such).
- Single permission assigned ad hoc (in the LMS, report grades for students in the class)
- Constraints: none expressed
- Note: this is a case of delegation; Gamow is conferring his privilege on the TA

Categorization
Medical Case #1: Chart Access by Consulting Physician
Hospital rules interpret HIPAA privacy regulations to dictate that only those medical staff and faculty directly involved in the care of an individual patient should have access to view that patient's medical records during treatment. Faculty in the medical school may have access to depersonalized medical data for purposes of research and instruction, but may only view personally identifiable medical information if referred a patient by an attending physician. An attending physician in the ER is treating a patient with symptoms of West Nile viral infection, and needs a consultation from an Infectious Disease specialist in the Medical School. The attending instigates a consultation and referral process which grants the ID specialist temporary access to view the patient's medical records. Once the consultation is complete, the ID specialist's access is revoked automatically.
- Authority rests with the single grantor, who is identified by current job function (admitting physician for a given patient).
- Single grantee is identified by fiat (the attending specifically calls out the consultation) but limited by business role (must be medical staff or faculty)
- Single privilege assigned ad hoc (view rights to the single patient's medical record)
- Constraints: when consultation is completed, privilege is revoked.
- Note: this is a case of delegation and also (possibly) a case of automated workflow (the attending designates the faculty member as a consultant, which in turn triggers the actual privilege being granted).
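The decomposition applied to Maria's purchasing rule and to the Clery delegation (Business Case #3), as an added example that is not part of the deck: a small Python evaluator in which grantees are identified by an ad hoc list or by an attribute from an authoritative source, a permission is a single function, and constraints are prerequisites, extent, scope, a time limit and revocation. The attribute names, the reports-to relation and the delegation dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional

# Constructed example, not from the deck: the three lines of decomposition
# (subjects, permissions, constraints) as a small evaluator. Names and dates are assumed.
Subject = Callable[[str, dict], bool]  # how a grantee (or set of grantees) is identified

def ad_hoc(*names: str) -> Subject:
    """Ad hoc list: the grantor names grantees by fiat."""
    return lambda who, attrs: who in names

def by_attribute(key: str, value: str) -> Subject:
    """Authoritative source / algorithmic: membership derived from an attribute (e.g. an HR role)."""
    return lambda who, attrs: value in attrs.get(key, ())

@dataclass
class Grant:
    grantee: Subject
    permission: str                         # approve, update, view, ...
    also: Optional[Subject] = None          # extra constraint on the grantee (e.g. hierarchy)
    prerequisites: frozenset = frozenset()  # training completed, COI filed, ...
    max_amount: Optional[int] = None        # extent
    scope: Optional[str] = None             # scope
    not_after: Optional[date] = None        # time limit
    revoked: bool = False                   # grantor has withdrawn the grant

def denied_reasons(g: Grant, who: str, attrs: dict, permission: str, today,
                   amount: Optional[int] = None, scope: Optional[str] = None) -> list:
    """Every reason the request fails against the grant; an empty list means authorized."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    missing = g.prerequisites - set(attrs.get("completed", ()))
    checks = [
        (g.revoked, "revoked"),
        (permission != g.permission, "wrong permission"),
        (not g.grantee(who, attrs) or (g.also and not g.also(who, attrs)), "not a grantee"),
        (bool(missing), "missing prerequisites: " + ", ".join(sorted(missing))),
        (g.max_amount is not None and (amount is None or amount > g.max_amount), "exceeds extent"),
        (g.scope is not None and scope != g.scope, "out of scope"),
        (g.not_after is not None and today > g.not_after, "expired"),
    ]
    return [reason for failed, reason in checks if failed]

def delegate(source: Grant, to: str, not_after: date, also: Optional[Subject] = None) -> Grant:
    """Delegation: a grantor confers its own permission on a grantee chosen by fiat."""
    return Grant(ad_hoc(to), source.permission, also=also, not_after=not_after)

# Maria's purchasing rule, decomposed into subject, permission and constraints.
MARIA_RULE = Grant(by_attribute("roles", "principal-investigator"), "approve-purchase",
                   prerequisites=frozenset({"purchasing-training", "coi-disclosure"}),
                   max_amount=100_000, scope="research", not_after=date(2010, 7, 1))

# Richard's Clery permission (held by business role), delegated to a direct report for two weeks; dates assumed.
CLERY_RULE = Grant(by_attribute("roles", "vp-public-safety"), "approve-clery-notice")
TRISH_GRANT = delegate(CLERY_RULE, "trish", date(2009, 6, 21), also=by_attribute("reports-to", "richard"))
```

Revoking the delegation when Richard returns is `TRISH_GRANT.revoked = True`; every later request by Trish then fails with "revoked" regardless of the date.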
Categorization
- Five disparate use cases drawn from three different areas of the enterprise involving people in vastly different environments
- Striking similarities: two cases boil down to almost the same underlying situation (a self-identified member of an organizationally managed group exercises an opt in/out option to gain or restrict other privileges)
- Three other cases boil down to almost the same situation (a grantor with authority based on job function delegates his own privilege to a specific grantee selected from a set constrained by organizational hierarchy for a limited time).

Solutions
- In the first two cases, we might imagine that similar solutions might be applied, perhaps an ad hoc list mechanism for opt-in/opt-out recording, with access to update one's preference limited by membership in an official, dynamic group
- In the second three cases, we might similarly imagine
  - some sort of ad hoc list mechanism to designate the grantee
  - some representation of organizational hierarchy to constrain the designation, perhaps in the form of a group
  - some time-based triggering mechanism (a cron tasker, perhaps) which can be used to trigger time-based limitations

Solutions
- We'll spend time later today considering other use cases, particularly those you have from your own experience
- We'll spend more time tomorrow and Wednesday focusing on the solutions that may be applicable to different use cases

Use Cases from the Edge
- The FFEL Student Loan Industry
- About Great Lakes and FFEL
- A taste of the industry
- Typical FFEL use cases
- Overlapping borrower views
- Meteor

Great Lakes Higher Education Disclaimer

The Federal Family Educational Loan (FFEL) Program

About Great Lakes
- Great Lakes plays many roles
  - Is a guarantor
  - Is a lender servicer (many flavors)
  - Is a guarantor servicer

Great Lakes operations
- Support for the borrower
- Support for the school financial aid office
- Support for the serviced lender
- Support for the serviced guaranty agency

A taste of the industry
- Coopetition: that curayzy dance
- Close involvement with the Dept of Education

A taste of the industry
- Very dynamic: radical changes to the environment practically every year.

Typical FFEL/Great Lakes use cases
- B2B: Data in motion securely to the right entities
- Kuali dictum applies in spades: Most authorizations are scoped to a particular context. Very few entities can perform the same function in all cases
  - School sees all their data
  - Serviced guarantor sees all its data; Great Lakes sees none
  - Lender sees all its borrowers, but only for loans it holds
  - Borrower sees all her data irrespective of lender
  - Great Lakes worker sees all data supporting the servicing and guaranty functions

Meteor: a short summary
- A non-proprietary, open source software implementation that brings together data from multiple distributed databases from across the higher education financing community.
- Provides information on FFELP loans.
- Allows schools to resolve discrepancies by using real-time data that comes directly from loan holders' databases

How Meteor works
- Access Provider
- Authentication Agents
- Data Provider
- Index Provider

Meteor and the National Student Clearinghouse
- Meteor integrated into Clearinghouse Student Self-Service application
- Schools that have entered into an electronic services agreement with the Clearinghouse can act as Authentication Agents
- For schools that wish to provide students with Meteor access, Meteor loan detail is incorporated into LoanLocator display

Other edge cases?
- Campus book stores and class information
- University foundations wanting alumni information
- Other semi-independent entities, e.g., Student Unions
- State university systems

Back from the edge
- Discussion
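The context-scoped visibility rules from the "Typical FFEL/Great Lakes use cases" slide, as an added example (not Great Lakes' or Meteor's code) run over constructed loan records; the entity names and the loan fields are assumptions. It shows why the slide says authorizations are scoped to a context: the same entity, acting as a guarantor versus as a servicing worker, is authorized to see different rows.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed example, not Great Lakes' or Meteor's code. Loan fields and names are assumed.
@dataclass(frozen=True)
class Loan:
    loan_id: str
    borrower: str
    school: str
    holder: str     # lender currently holding the loan
    guarantor: str  # guaranty agency backing the loan
    servicer: str   # entity servicing the loan on the holder's or guarantor's behalf

GREAT_LAKES = "great-lakes"

# Each rule is one bullet on the slide; the key is the context the requester acts in.
RULES: Dict[str, Callable[[str, Loan], bool]] = {
    "school":    lambda who, ln: ln.school == who,     # school sees all its data
    "guarantor": lambda who, ln: ln.guarantor == who,  # serviced guarantor sees its data; a
                                                       # different guarantor (even Great Lakes) sees none
    "lender":    lambda who, ln: ln.holder == who,     # lender: its borrowers, only for loans it holds
    "borrower":  lambda who, ln: ln.borrower == who,   # borrower: all her data, irrespective of lender
    "worker":    lambda who, ln: ln.servicer == who or ln.guarantor == who,  # Great Lakes worker:
                                                       # everything supporting servicing and guaranty
}

def visible_loans(entity: str, context: str, loans: List[Loan]) -> List[Loan]:
    """Rows the entity may see when acting in the given context; unknown context is deny-all."""
    rule = RULES.get(context)
    return [ln for ln in loans if rule is not None and rule(entity, ln)]

def visible_ids(entity: str, context: str, loans: List[Loan]) -> List[str]:
    return sorted(ln.loan_id for ln in visible_loans(entity, context, loans))

# Constructed sample data: alice has loans at two lenders; Great Lakes services L1 for
# guarantor guar-x and is itself the guarantor of L2.
LOANS = [
    Loan("L1", "alice", "state-u", "bank-a", "guar-x", GREAT_LAKES),
    Loan("L2", "alice", "state-u", "bank-b", GREAT_LAKES, "bank-b"),
    Loan("L3", "bob", "tech-college", "bank-a", "guar-x", "guar-x"),
    Loan("L4", "carol", "state-u", "bank-b", "guar-y", "guar-y"),
]
```

Note the L1 row: Great Lakes as guarantor does not see it, but a Great Lakes worker in the servicing context does.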