Spring 2012 Internet 2 Members Meeting/ April 23, 2012

Mace PaccmanWorking Group

THOMAS DOPIRAK KEITH HAZELTON CO-CHAIRS

2 – 4/23/12, © 2012 Internet2

MPWG  -­‐  Shoutout  

•       

Rob  Carter,  Emily  Eisbruch  Chris  Hyzer,    Steve  Olshansky,  Chris  Phillips,  Michael  Pelikan,  Mark  Scheible,  Bill  Thompson,  Heather  Flanagan,  Jim  Leous,  Boyd  Wilson,  Benn  Oshrin,  Mark  Rank  ,  Keith  Hazelton    ,  Tom  Dopirak    

Mace Paccman Working

" Welcome and Paccman’s Place in the Cosmos – Dopirak

" Glossaries and Toothbrushes – Dopirak " Recipe for Access Management – Chris Phillips and

others " Provisioning and OSIDMHE – Carter " Action Items and preview - All

Agenda

3 – © 2012

Paccman’s Place in the Cosmos

4 – © 2012

PACCMAN’S PLACE IN THE COSMOS !

•  Mace Paccman is a venue for tackling issues related to providing efficient and effective means for organizations and individuals to control access to computer-based resources. "

5 – 4/23/12, © 2012 Internet2

EVERYONE NEEDS A GLOSSARY – THE SIMPLE ONE

6 – © 2012

Term Definition

Action Describes the access to a resource e.g. "delete","add", "reserve". Often used interchanged with function and verb.

Group A set of subjects

Limit A constraint on a privilege that must be calculated at time of access

Privilege/Permission An expression of access to a resource

Resource A service, datum, or any other object for which access is controlled

Role A set of subjects and the set of privileges they all possess

Subject A person, or a service, acting on behalf of a person, or a set of subjects.

•  A Mace Glossary - https://spaces.internet2.edu/display/macepaccman/Another+Glossary+Page"

•  A glossary for the recipe - https://spaces.internet2.edu/display/macepaccman/Access+Management+Recipe++V2"

•  A very nuanced glossary - https://spaces.internet2.edu/display/macepaccman/MACE-paccman-glossary"

More Glossaries -- "

THE EVOLUTION OF ACCESS MANAGEMENT

8 – © 2012

Phase Description

None most physical controls If you can authenticate you get everything

Control by contract Same as above with a no abuse policy

Hard coded privilege tables at the resource What most application’s still do

The above + ldap calls for intrinsic attributes Mostly Affiliation but other eduPerson attributes apply

An attribute authority The resource can get any attribute that policy permits

An external yes/no authorization service An external service calculates whether access is permitted

A XACML PERSPECTIVE ON ACCESS MANAGEMENT- the policy access point

9 – © 2012

Terminology Comparable Shbboleth Component

Comparable Grouper Component

Policy Administration Point (PAP) – The location

which administrates the policies

Available on both the IdP and SP configurations in

XML files

The policies can be administered in the Grouper

UI, web service, loader configuration, ect.

A XACML PERSPECTIVE ON ACCESS MANAGEMENT- the policy decision point

10 – © 2012

Terminology Comparable Shibboleth Component

Comparable Grouper Component

Policy Decision Point (PDP) – The location which

evaluates and issues authorization decisions

Shibboleth IdP as the IdP may forward attributes to the

SP which are used in determining access

The Grouper web service can evaluate if someone is a member of a group/role, or

has certain privileges, etc. It can also take into account limits if applicable when

computing the result

AN XACML PERSPECTIVE ON ACCESS MANAGEMENT- the policy enforcement point

11 – © 2012

Terminology Comparable Shbboleth Component

Comparable Grouper Component

Policy Enforcement Points (PEP) – The

location which inercepts the user’s access

request to a resource and enforces the PDP

decision

Shibboleth SP module

You can use the Shibboleth SP module, or code in your application could make an LDAP call, or a web

service call to Grouper to check privileges (the GrouperClient- could

help via Java or command line)

A XACML PERSPECTIVE ON ACCESS MANAGEMENT – the policy information point

12 – © 2012

Terminology Comparable Shbboleth

Component

Comparable Grouper Component

Policy Information Points (PIP) – The

location which providers information the PDP

LDAP directory or SQL database connected to

the IdP

Grouper can pull data from external SQL database or LDAP

data sources via the Grouper loader and act a PIP for its clients via the Grouper web

service or through a provisioning method.

The Paccman Recipe

13 – © 2012

•  Assess!–  Create an inventory"

•  scope of access, span of control, magnitude"•  Recognize & Generalize!

–  Classify by known types or bespoke effort"•  Craft the Vision!

–  ‘now’ vs ‘ what it should or could be’"•  Opportunity to write the self-fulfilling prophecy"•  Have both short and long term goals"•  Demonstrate value at each step better than ‘big bang’"

–  Baseline for vision & values"•  How else will people know the context?"•  How else to know if you are in alignment?"

14 – © 2012

The Recipe for the Recipe

•  Staples of Access Control (AC)"– Group Based (GBAC)"– Role Based (RBAC)"– Entitlement based (EBAC)"– Attribute Based (ABAC*)"

•  Good to have, not always easy to get"– Naming conventions"– Governance & accountability"– Key processes identified & defined""* XACML refers to itself as ABAC at times"

Available Ingredients

15 – © 2012

Institution X has a central IT department with a manager and sys admins of which some have root. "

Illustrative Use Case: GBAC or [G^R^E]BAC?

16 – © 2012

Approach   Implementa/on   Benefits   Drawbacks  

GBAC   • 2  groups:  • Dept-­‐IT,  • hasRoot  

• Set  members  as  needed  

• Out  of  the  box  • ExisPng  (group)  tools  • Downstream  systems  could  digest  easier  

• No  relaPonships  can  be  inferred  • Scaling  challenge  groups  map  1:1  to  permissions  • Diverges  from  org  structure  to  mish  mash.  • Not  intuiPve  to  decode  meaning  of  groups    

[G^R^E]BAC   • 1  group  ‘Dept-­‐IT’  • 1  role  ‘sysadmin’  • 1  enPtlement  ‘hasRoot’  • Role  has  set  of  enPtlements  w/  ‘hasRoot’  

• Discrete  separaPon  of  org  membership,  role  and  job  funcPon  • ParPPons  span  of  control  decisions  to  that  which  is  relevant  • Minimal  elements  • Role  acts  as  container  for  enPtlement    • EnPtlements  can  stand  alone  • EnPtlements  can  be  subscoped  

• Not  all  systems  have  visibility  to  all  elements  • AdministraPon  of  environment  (what  should  be  a  group?  What  should  be  an  enPtlement?)  is  challenging  • Privacy    

17 – © 2012

Ubiquity

Granularity

Technique Ubiquity vs Technique Granularity

GBAC

EBAC

ABAC

RBAC

18 – © 2012

Dynamicly Calculated

Complexity

Dynamicism vs Complexity

GBAC EBAC

ABAC RBAC

19 – © 2012

???

???

What would you compare?

GBAC EBAC ABAC RBAC

Technique   Strengths   Weakness   Opportunity   Threats  

Group  

• Ubiquitous   • One  size  does  not  fit  all  

• Prevalence  of  ExisPng  tools:  Grouper,  AD  naPve  admin  

• Privacy,  hard  to  lock  endpoints  from  edibng.  

Role  

• Good  Aggregator  of  enPtlements  

• Not  as  ubiquitous  as  groups  therefore  less  UI  &  tools  

• Common  vocabulary  available  • Ability  to  aggregate  enPtlements  

• Hard  to  maintain  unless  dynamically  calculated  on  the  fly  

En/tlement  • Very  Fine  Grained,  Ability  to  subscope  

• InformaPon  leakage  in  single  form  

• Large,  can  go  down  to  as  fine  as  one  needs  (e.g.  see  field  X)  

• Delegated  admin  will  be  desirable  but  hard  to  come  by  

ACribute  

• All  about  exisPng  data  • Fed’n  Friendly  

• One  full  schema  does  not  existParity  &  semanPc  accuracy:  apps  and  fed2fed    

• Powerful  when  using  XACML  and  agributes  as  input.  

• Agribute  by  agribute  authenPcity  &  trust  by  whom  &  for  whom  needs  work  

20 – © 2012

SWOT on *BAC

21 – © 2012

Recipe Take Aways

•  It’s about techniques and inputs!–  Outcome of recipe will be what you can digest and support"–  Common techniques provide a yardstick of what are common themes"

•  Expect a blend of approaches"–  (ie, it’s not all group privilage & access mgt)"

•  Tailor the SWOT to your situation!–  change based on your perspective, abilities, and portfolio of apps"

"

It’s about how to choose not what to choose!

22 – © 2012

•  Tell us what you think…no really!"

•  Questions we have:"– Use cases are still valuable to collect, let us

know yours & if you feel you have solved a problem, we want to hear about it."

– Should paccman converge into OS4HEIDM-provisioning?"

23 – © 2012

Next Steps

24 – © 2012

See http://

middleware.internet2.e

du/paccman/

for details

WORKING GROUP CALLS

Working Group Calls are Alternate Thursdays 1PM Eastern

Subscribe to the mailing-list to get Agendas and Call-in information

25 – © 2012

Upcoming IAM Presentation

June 13 , 2012 – see www.incommon.org/iam-online for details

April 22, 2012 Mace Paccman Working Group

Thank you!

For more information,

please visit

http://middleware.internet2.edu/paccman/

EVERYONE NEEDS A GLOSSARY – THE MAC ONE

27 – © 2012

Term

Assertion Inheritance

Attribute InterFederation

Authority Level of Assurance

Privilege/Permission Provisioning

Consent Privilege-Set

Delegation

Deprovisioning

EVERYONE NEEDS A GLOSSARY – THE PACCMAN ONE

28 – © 2012

Term Claim

Privilege Assignment Rule

Implied Group Membership

Privilige Set Inheritence

Action Inheritence

Resource Inheritence