Post on 21-Dec-2015
Modeling The Cross-organizational User Access Control Decision Space To Facilitate Secure Information Sharing
DHS Science & Technology Directorate, Command, Control and Interoperability Branch
Problem?
What is needed
Share Information
Compliant with IA & Sharing Policy
Analysis
Policy?
Policy Compliance?
Authorization models (source: Gerry Gebel, M. N. (2009). User Authorization. Burton Group: Identity and Privacy Strategy)
• Identity-Based: Basic Authorization; declarative access by subject
• Role-Based: Coarse-grained Authorization; declarative access by category
• Attribute-Based: Fine-grained Authorization; dynamic access, externalized policy
Access Control
Ensuring that requested actions on a resource are only granted in compliance with applicable policy.
Access Control Essentials
[Figure: Access Control at the centre, surrounded by Adaptability, Policy, Authoritative Sources and Attribute Alignment]
Why Concept Modeling?
• Captures Information Requirements: problem specific & technology-neutral
• Semantic Alignment: identifies business terms, establishes semantic consensus
• Framework: conceptual foundation
• Agility: baselines technology insertion
Desired View
What is a Federal User? (Current View vs. Desired View)
[Figure: ICAM User Concept Model. Entities and the attributes shown for each, as extracted from the diagram:]
• Person: person unique identifier, biometrics, names, birthdate, birthplace
• Citizenship: country identifier
• Identity Credential: credential unique identifier, credential secret, credential name, credential issue date, credential expire date, credential status, credential status date, credential LOA
• Affiliation: person association with organization, person unique affiliation identifier
• Affiliation Condition: affil cond type, affil cond start date, affil cond end date, affil cond status, affil cond status date
• Organization: organization unique identifier, relationship to US government, organization names
• Position: position type, occupation
• Position Entitlement: pos entitle identifier, pos entitle permission, pos entitle start date, pos entitle end date, pos entitle status, pos entitle status date
• Assignment: role
• Assignment Condition: assign cond type, assign cond start date, assign cond end date, assign cond status, assign cond status date
• Assignment Entitlement: assign entitle identifier, assign entitle permission, assign entitle start date, assign entitle end date, assign entitle status, assign entitle status date
• Management: level
• Technical Domain: technical domain identifier
• Operational Domain: operational domain identifier
• Skill: skill identifier, skill level
• Skill Certificate: certificate unique identifier, certificate type, certificate name, certificate issue date, certificate expire date, certificate status, certificate status date, certificate LOA, certification level
• Activity: activity identifier, function
Relationships shown between entities: be a member of / composed of; be a subgroup of (group); certify / be certified by; need / be needed by; grant / be granted by; manage / be managed by; administer / be administered by; issue / be issued by; identify / be identified by.
Primary Authority Attributes for Users
* DHS, Defining User Attributes for ABAC, Waterman & Hammer, 5/15/07
User Attribute Contract Mappings
• Reveal
  • Concept utilization and specialization
  • Policy focus
  • Unused concepts
  • Purpose (AuthN, AuthZ, Security, Preference) coverage
• Contract
  • Organization and partner
  • Alignment
  • Discrepancies
• Support
  • Federation agreements
  • Semantic consensus
  • Policy analysis and development
  • Identify authoritative source requirements
Waterman & Hammer Mapping
[Figure: the ICAM User Concept Model annotated with the Waterman & Hammer ABAC user attributes. Legend: Key: Mapped Primary, Mapped Secondary, Specialized, Added. Waterman & Hammer concepts shown: Employment Related Authority; Employee / Other Group Membership; Employee; Employer; Employer Type; Employer Name; Employment Type; Unique identifier; Employment Activity; Authorized Purpose; Physical Location; Location Type; Clearance / Active Clearance; Sub-group; Direct Reports; Management Level; Job Name / Job Designation; position type; Special License; Special Work Term; Special Authority; Work Assignment; Skill / Skill level; Personal Characteristics.]
Waterman & Hammer Values (example values shown on the slide)
• Employee, Contractor, Detail
• Permanent, Temporary, Virtual
• Rater/Reviewer, Sworn Law Enforcement Officer
• Drive hazardous materials truck, prescribe narcotics
• Probation, Disciplined, Weekend Shift
• Veteran, Volunteer, Advisory Board Member
• OPM Occupational Series
• Supervisor, Program Lead, Senior Executive, Team Leader, Military Rank
• State Government, Local Government, Private industry, Foreign Government
• Perform arrests, conduct criminal investigations, system admin
• Al Qaeda, Mexican Border, Enron Investigation, etc.
Federal ICAM BAE Mapping
[Figure: the ICAM User Concept Model annotated with Federal ICAM BAE attributes. Legend: Key: Mapped, Specialized, Preference. BAE attributes shown: esfCode; nippSectorCode; certificationType, certificationName, certificationDate; employeeNumber (FASC-N PI); Emergency Contact Preference (emergencyContactPersonGivenName, emergencyContactPersonSurname, emergencyContactPersonTelephoneNumber, emergencyContactPersonEmail, emergencyContactPersonPreferenceIndicator); Clearance (personSecurityClearance, clearanceDate, clearingAgency); Contact Preference (telephoneNumber); person attributes (photo, fingerprintImage, personGivenName, personMiddleName, personSurname, personNameSuffixText, personSexCode, birthdate, birthplace); employeeRankText; organizationIdentifier (F-OI), organizationCategory (F-OC), organization name; personOrganizationAssociationCategory (FASC-N POA); designatedRole; certifyingauthority; issuingAgencyCode (FASC-N AC); usCitizen; personCitizenshipFIPS10-4Code; PIV Card (chuid, cardIssueDate, cardExpirationDate, cardStatus, cardStatusDate, chuidStatus, chuidStatusDate, issuedID (FASC-N CN), IssuingSystemCode (FASC-N SC), issuedSeries (FASC-N CS), issuedCredentialCode (FASC-N ICI), cardAuthenticationCertificate, keyManagementCertificate, digitalSignatureCertificate).]
Federal ICAM BAE Values
• organizationCategory (F-OC): 1 - Federal Government Agency; 2 - State Government Agency; 3 - Commercial Enterprise; 4 - Foreign Government
• personOrganizationAssociationCategory (FASC-N POA): 1 – Employee; 2 – Civil; 3 – Executive Staff; 4 – Uniformed Service; 5 – Contractor; 6 – Organizational Affiliate; 7 – Organizational Beneficiary
• Status: ACT - Active; SUS - Suspended; TER - Terminated
• PRO - Provisional; PER - Permanent
• organizationIdentifier by OC: OC=1 – SP800-87 Code; OC=2 – State Code; OC=3 – Company Code; OC=4 – Country Code
• SP800-87 Code (if FASC-N OC = 1)
• nippSectorCode: 1 Agriculture & Food; 2 Banking & Finance; 3 Chemical; 4 Commercial Facilities; 5 Dams; 6 Defense Industrial Base; 7 Emergency Services; 8 Energy; 9 Government Facilities; 10 Information Technology; 11 National Monuments & Icons; 12 Commercial Nuclear Reactors, Materials & Waste; 13 Postal & Shipping; 14 Public Health & Healthcare; 15 Telecommunications; 16 Transportation Systems; 17 Drinking Water & Water Treatment Systems; 18 Critical Manufacturing
• esfCode: 1 Transportation; 2 Communications; 3 Public Works & Engineering; 4 Firefighting; 5 Emergency Management; 6 Mass Care, Emergency Housing & Human Services; 7 Logistics Management and Resource Support; 8 Public Health & Medical Services; 9 Search & Rescue; 10 Oil & Hazardous Materials Response; 11 Agriculture & Natural Resources; 12 Energy; 13 Public Safety & Security; 14 Long-Term Community Recovery; 15 External Affairs
DHS HSIN Mapping
[Figure: the ICAM User Concept Model annotated with DHS HSIN attributes. Legend: Key: Mapped, Specialized, Preference. HSIN attributes shown: coiMmemberOf; coiUserGroupRef; hsinCoiGroup; departmentName; Supervisor / Sponsor; sponsorOrg; agencyOrOrganizationName; gid; function; job title; applicantOrgRoleFitCoi; jobRole; HSIN Access; userActiveStatus; accessReason; Contact Information (telephoneNumber, phoneExtension, street1, Street2, Street3, email, localityName, StateOrProvinceName, postalCode, co, userUrl, preferedTimeZone); HSIN Credential (uid/login name, userPassword, uniquePin, loginSecurityQues, answerSecurityQues, twoFactorModule, investigativeSource); apps / referenced app; person attributes (Biometrics, personalTitle, givenName, middleName, sn, cn, nameSuffix, birthDate, birthplace, gender); organization attributes (organization unique identifier, relationship to US government, name); Operational Domain (operational domain identifier).]
DOD DMDC EAS Mapping
[Figure: the ICAM User Concept Model annotated with DOD DMDC EAS attributes. Legend: Key: Mapped, Specialized. DMDC attributes shown: Duty Organization Code; Duty Organization Sub-Code; Administrative Organization Code; Guard\Reserve Status Code; DOD EDI PI / Enterprise User Name; Enterprise Display Name; Assigned Clearance For Access; Clearance Eligibility; Duty Occupational Code; Primary Occupational Code; Persona Type Code / Personnel Category Code; Country Of Citizenship; US Citizenship Status Indicator Code; person attributes (Biometrics, SSN (PN_ID), Person Last Name, Person First Name, Person Birth Date, birthplace); Rank, Pay Plan, Pay Grade; OMP Standard Code; CAC/PIV (card authentication certificate, card barcode id, credentialTypeCode, fingerprint image, FASC-N); issuingAgencyCode (FASC-N AC).]
DHS F/ERO Mapping
[Figure: the ICAM User Concept Model annotated with DHS F/ERO attributes. Legend: Key: Mapped, Specialized. F/ERO attributes shown: Id_Credential (serial number, credential secret, credential name (DN, FASCN card id), create_time, expiration, status, credential status date, credential LOA); issuer_id; name (FASC-N person id); person attributes (Fingerprint, Full name, birthdate, birthplace); esfCode; nippSectorCode; role.]
GFIPM V2 Concept Model
[Figure: the GFIPM V2 concept model laid over the ICAM User Concept Model. Legend: Key: Mapped, Specialized, Preference. Entities shown: Affiliation; Technical Domain; Supervisor*; Employee / Assignment*; Assignment Condition; Operational Domain; Language; Person; Skill Certificate; Citizenship; Hire / Start; Employer / Assignment / Identity Provider*; Assignment Entitlement; Assignment; Electronic Identity; Activity; Federation Resources (Federation Id, federation logon); Local Resources (Local Id, Network logon); Citizen Entry (Passport Id, Country Code); Non-citizen Entry (Visa Number, Visa Category); Driver's License (Driver's license Number); Clearance (Level, Effective Date, Expiration Date, Sanction); Security Clearance Granting Agency; NCIC Certification; Point of Contact (Street Address, PO Box, City Name, Postal Code, County, State, Country, URI, Full Name, Email, Telephone Number); Legal Jurisdiction; Employment Jurisdiction.
Attributes shown: Organization Category Code; Management Level; Position Name; Rank; Occupation Code; Affiliation Category Code; Occupation Category Code; NIPP Sector Code; Emergency Support Function; skill identifier (primary); person attributes (Photo, Signature, Fingerprint Set, Name Prefix, Given Name, Middle Name, Sur Name, Name Suffix, Full Name, Common Name, Display Name, Birth date, Sex, Race, Height, Weight, Eye Color, Hair Color); Start Date, End Date, Status; ORI; Id; General Category Code; Name; Sub Unit Name; Military Status Code; Employment Category Code; Federation Id; Local Id; Social Security Number; Visa Number; Passport Id; Employee Id; Electronic Identity (Effective Date, Expiration Date, Status Code, Proofing Date, Authentication LOA, Proofing LOA, Category, PKI Certificate); Contact Information (Telephone Number, FAX Number, Post Office Box, Street Address, City Name, State Code, County Code, Country Code, Postal Code, Time Zone, Email address); Emergency Contact Information (Telephone Number, Email, Full Name).
Identity sources linked by "represent / be represented by": State Government – driver license; U.S. Government – passport; NCIC; Military Branch; GFIPM:IDP:JNET:USER – federation; Social Security Administration; Employer – local.]
Federal ICAM BAE & DoD DMDC Mapping Overlay (DRAFT, slide 37)
[Diagram not reproduced: the ICAM user concept model (Person, Organization, Affiliation, Affiliation Condition, Affiliation Entitlement, Assignment, Assignment Condition, Assignment Entitlement, Position, Management, Activity, Technical Domain, Operational Domain, Skill, Skill Certificate, Identity Credential, Citizenship, CAC/PIV Card, Contact Information) overlaid with the DoD DMDC attributes that map onto it: CHUID, card issue/expiration date and status, FASC-N fields (issuedID CN, IssuingSystemCode SC, issuedSeries CS, issuedCredentialCode ICI, employeeNumber PI, issuingAgencyCode AC, personOrganizationAssociationCategory POA, organizationIdentifier OI, organizationCategory OC), card authentication / key management / digital signature certificates, SSN (PN_ID), personCitizenshipFIPS10-4Code, usCitizen, personSecurityClearance, clearanceDate, clearingAgency, Duty Organization Code and Sub-Code, Administrative Organization Code, Persona Type Code / Personnel Category Code, Primary Occupational Code, Guard/Reserve Status Code, employeeRankText, Pay Plan, Pay Grade, esfCode, nippSectorCode, designatedRole, certifyingAuthority, card barcode id, credentialTypeCode. Relationships are labelled as verb pairs: identify / be identified by, issue / be issued by, certify / be certified by, need / be needed by, manage / be managed by, group / be a member of / composed of. Legend key: Common, DoD DMDC, Federal ICAM BAE.]
Contact Information
38
• Karyn Higa-Smith (DHS S&T) – Program Manager, Identity Management – [email protected]
• Thomas Smith (JHU/APL) – Senior Engineer, DHS S&T IdM Testbed – [email protected]
• Maria Vachino (JHU/APL) – Senior Engineer, DHS S&T IdM Testbed – [email protected]
Backup Slides
Additional Information
40
IEEE HST 2010 Conference Proceedings:
Modeling the Federal User Identity, Credential, and Access Management (ICAM) Decision Space to Facilitate Secure Information Sharing
Why A Conceptual Data Model?
• Captures information requirements
• Problem specific
• Technology-neutral
• Information representation, not process or policy
• Identifies business terms
• Establishes contextual consensus
• Expresses data semantics
• Artifacts: entities, attributes, relationships, identifiers, problem terms
Mind Your Business: Serving Business with Data Models that Focus Exclusively on Data, J. Maguire, 11-26-2008, Burton Group
41
Concept Data Model Uses
• Knowledge management
• Framework for technology insertion – logical/physical modeling
• Establishes conceptual foundation
• Baselines technological insertion
• Aligns organizational information perception
• Identifies important & distinguishing information
• Establishes artifacts – entities, attributes, relationships, identifiers, problem terms
• Improves productivity and agility
• Semantic consensus
• Identifies schema translation requirements
• Starting point for information sharing agreements
• Authoritative sources
• Identifies policy information requirements
• Policy creation & refinement
• Identifies information valued by the enterprise
• Identifies policy overlaps and gaps
42