Double Header: Identity Management
Two perspectives on identity management in a distributed and complex higher education setting.
Who do you think you are? Enabling Access to E-Services with Roles
There are two dominant perspectives when approaching identity management – the security/policy view and the service-based view. Some systems demand the defined structure of the security/policy focus, while many others will only flourish under a service-oriented framework. This presentation will show how a service-oriented roles system can facilitate service delivery by relieving online applications of the burden of client management. Examples from a wide variety of applications (Event Calendar, Object Repository, CMS, Application Profiles, File Sharing, Practicum Placement) will show how information drawn from a role-based system can easily be put to good use.
Distributed Role Management
Having a set of centrally defined roles often proves insufficient to meet the diverse and changing needs of a decentralized institution. This presentation will present a prototype of a role-based access control system that provides a distributed framework for creating and using roles. In the spirit of openness and collaboration that TechKnowFile represents, the source code of this prototype will be shared with the university community to foster exploration of this topic.
Comments
Distributed architecture
Awesome presentation! Although I didn't attend it at TKF, I did get a sneak preview of it at OISE before TKF...
Anyway, my only comment about it is that in order to be successful, it has to be truly distributed by design. A monolithic, centralized implementation will not work, for scalability reasons alone. The design needs to be distributed, with multiple, redundant authoritative instances of this system referencing each other, much like DNS.
Just my $0.02.
My two cents
My two cents:
In a dynamic, changing environment, role-based management helps. While we always talk about identification, authentication, and authorization, we seldom discuss the final element in an IDM solution: auditing and accountability. I agree that a distributed role-based design would make it easy for a sub-division to gain and maintain control of IDM; however, I still don't fully buy into that, since it still lacks a well-defined schema or solution on how accountability can be tracked and audited to facilitate "Access Control" of UofT as a whole. On the other hand, there is a discussion with regards to how this distributed architecture works with SSO (Single Sign On); it would be great to explore.
The IDM of UofT is so far away from any compliance or standard. This makes me worry. I personally feel that role-based IDM should be the way to go, but still can't find a good one to fit into the current UofT nature.
The power of related roles...
These issues arise because of U of T's decentralized nature, which unfortunately can and does lead to difficulties when it comes to trying to determine a one-solution-fits-all framework. However, this doesn't mean that a solution can't be found. I agree with Rouben that it will have to be distributed to work efficiently, but it must also provide services that are relevant to the service consumer (I sound like a business textbook, I know). I unfortunately could not attend the presentation (like Rouben) but was lucky enough to see the intended version before it was presented.
From what I remember (and please correct me if I am wrong), there are centralized "hard" and/or "soft" roles in the proposed architecture that are defined and can then be used to make up new roles that are more specific to whomever is using them. Thus it is possible to centrally define the concept of a Chair of Department and use that centrally defined role, along with other potential combinations of pre-existing or new roles, to derive a Chair of Science at U of T Scarborough. This newly created role may or may not be a completely different role when compared to a Chair of Science at U of T Mississauga, but the point is that they can be different. Another advantage to this approach is that - while they can exist independently of one another - they are all still related back to a set of centrally defined roles, which can then be queried centrally, i.e. for its "chairness" - leaving it up to the service consumer to ask the right questions to obtain the more context-specific role information. In this way the accountability aspect is pushed onto the consumer (U of T Scarborough), where the definition of such a role becomes relevant, rather than defining it as a central role where it makes less sense.
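The derivation-and-query idea described in the comment above, and the auditing gap raised two comments earlier, as an added example. This is not code from the presentation's prototype or any U of T system; it is a toy model in which a central authority defines base roles, divisions compose their own roles from them, a central query such as "who has chairness?" resolves through the derivation chain, and every definition and assignment is recorded with the authority that made it. All role names, division names and principals are constructed.

```python
# Added example (not the presentation's prototype): central roles, divisional
# roles derived from them, central queries over the derivation chain, and an
# append-only audit log of who defined or assigned what. Data is constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

CENTRAL = "central"  # assumed name of the central authority


@dataclass(frozen=True)
class Role:
    name: str
    authority: str            # who defined the role: CENTRAL or a division
    parents: FrozenSet[str]   # roles this role is composed from / refines


class RoleRegistry:
    """Holds central and divisional roles plus an append-only audit log."""

    def __init__(self) -> None:
        self._roles: Dict[str, Role] = {}
        self.audit: List[Tuple[str, str, str]] = []  # (action, subject, authority)

    def known(self, name: str) -> bool:
        return name in self._roles

    def define(self, name: str, authority: str, parents=()) -> Role:
        for p in parents:
            if p not in self._roles:
                raise KeyError(f"unknown parent role: {p}")
        # A division may refine a central role but must never redefine it.
        existing = self._roles.get(name)
        if existing and existing.authority == CENTRAL and authority != CENTRAL:
            raise PermissionError(f"{authority} may not redefine central role {name}")
        role = Role(name, authority, frozenset(parents))
        self._roles[name] = role
        self.audit.append(("define", name, authority))
        return role

    def ancestors(self, name: str) -> Set[str]:
        """Transitive closure over 'parents': every role that `name` implies."""
        seen: Set[str] = set()
        stack = [name]
        while stack:
            for p in self._roles[stack.pop()].parents:
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen

    def implies(self, role: str, target: str) -> bool:
        return role == target or target in self.ancestors(role)


class Directory:
    """Maps principals to roles and answers central queries such as 'chairness'."""

    def __init__(self, registry: RoleRegistry) -> None:
        self.registry = registry
        self._assigned: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str, by: str) -> None:
        if not self.registry.known(role):
            raise KeyError(f"unknown role: {role}")
        self._assigned.setdefault(user, set()).add(role)
        self.registry.audit.append(("assign", f"{user}:{role}", by))

    def holds(self, user: str, target: str) -> bool:
        """True if any role held by `user` is, or derives from, `target`."""
        return any(self.registry.implies(r, target) for r in self._assigned.get(user, ()))

    def who_holds(self, target: str) -> Set[str]:
        return {u for u in self._assigned if self.holds(u, target)}


def redefinition_rejected(reg: RoleRegistry, name: str, authority: str) -> bool:
    """Helper for the check that a division cannot overwrite a central role."""
    try:
        reg.define(name, authority)
        return False
    except PermissionError:
        return True


def build_demo() -> Tuple[RoleRegistry, Directory]:
    reg = RoleRegistry()
    reg.define("Faculty", CENTRAL)
    reg.define("Chair", CENTRAL, parents=["Faculty"])  # central "hard" role
    # Two divisions derive their own, possibly different, chair roles.
    reg.define("Chair of Science (UTSC)", "UTSC", parents=["Chair"])
    reg.define("Budget Signer", "UTM")
    reg.define("Chair of Science (UTM)", "UTM", parents=["Chair", "Budget Signer"])
    d = Directory(reg)
    d.assign("alice", "Chair of Science (UTSC)", by="UTSC")
    d.assign("bob", "Chair of Science (UTM)", by="UTM")
    d.assign("carol", "Faculty", by=CENTRAL)
    return reg, d


if __name__ == "__main__":
    reg, d = build_demo()
    print("chairness:", sorted(d.who_holds("Chair")))        # ['alice', 'bob']
    print("alice is UTM chair?", d.holds("alice", "Chair of Science (UTM)"))  # False
    for entry in reg.audit:
        print(entry)
```

The central query asks only for "Chair"; the two divisional roles differ (UTM's also carries a local "Budget Signer" role) yet both resolve to it, while a UTSC chair does not satisfy a UTM-specific query. The audit list answers the accountability question by naming the authority behind every definition and assignment; a real deployment would persist it somewhere the divisions cannot rewrite.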