iNews: Planning, architecture, development

E-Architecture: Identity and access management principles for UC Berkeley

Chris Hoffman, Graduate Division

Introduction

Each of us has experienced the problems that identity and access management systems attempt to resolve. As a user, I struggle with too many accounts and passwords, and it seems to take too long to gain appropriate access to systems. As a manager and supervisor, I have to rely on problematic bookkeeping to track the accounts and permissions of the people in my unit. And as a developer, I am too familiar with the problems of identifying people using my applications and managing the permissions that determine what information they can see and what operations they can perform. Not surprisingly, this problem is not unique to UC Berkeley. As the number of computer systems an individual needs to use grows, and as those systems perform increasingly important and diverse tasks, organizations of all sizes are also challenged by these issues. Some of the forces that are driving this convergence include:

Several years ago, CalNet was created in order to provide a foundation for identifying people using a single repository thus paving the way for more secure and improved services. In early 2003, the e-Architecture Working Group, a subgroup of the Information Technology Architecture Committee, recommended that our organization needed a more comprehensive campuswide means of identifying the roles and permissions belonging to users of campus systems. Currently, each application must handle this authorization functionality on its own — an expensive, inefficient, and error-prone practice, given the significant informational and functional overlap. Throughout our efforts to identify the requirements of an application authorization system, we realized that we could not ignore a number of related issues: authentication, directories, and the management of user accounts and passwords. This is what identity management provides — a framework for solutions and services that address these interrelated requirements. Although this expands the scope of concern, we argue that without some high-level principles and a defined stack of identity management services, the effort to solve the authorization problem will come up short in the long run. This, then, is the purpose of this article — to define a framework for identity management solutions and establish some high-level principles that should guide future work.

Identity management defined

Identity management represents the convergence of formerly separate products into a suite of services that help provide solutions to a core set of interrelated problems that organizations such as ours are facing.

Directory services and registries

Serve as the repository for information needed by identity management services and solutions. Includes information about users in directories and core systems where identity information originates, and can also include other organizational information and rules.

Authentication

Allows applications to verify a user's identity and to pass this identity information securely to other applications. The level of authentication required, ranging from weak to strong, may depend on individual application requirements.

Authorization

Determines what kinds of information and functionality can be accessed by an authenticated user. May be roles-based (structured) or rules-based (dynamic).

Provisioning

Adds users to systems with appropriate routing for approvals; reprovisions as needed when a user's responsibility or affiliation changes; deprovisions as users end their relationship with an organization.

Password management and synchronization

Provide services to streamline password management via self-service reset and synchronization screens; can also enforce password complexity requirements.

Federation and trust

Allow different organizations to share trust information in a structured manner.

A conceptual architecture for these services is presented in Figure 1. At the lowest level are the fundamental sources of information about people and the organization. In the middle tier, several engines work together to process information, providing responses to the top tier (applications) and updating information as needed in the repositories of the lower tier. The core identity management engines perform authentication and authorization functions, but they may be integrated with several other enterprise engines such as workflow, enterprise application integration, and content management systems. The top tier contains the applications that consume and produce identity management information, under most circumstances via responses from the middle tier engines. These include core identity management applications such as provisioning applications, self-service systems (e.g., to facilitate password resets), and auditing and reporting systems. More importantly, enterprise and departmental applications should use the identity management resources to authenticate and authorize users to access their systems.
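The service definitions above and the three-tier picture are easier to reason about with a concrete, runnable model. The following Python is an added illustration written for this article, not campus code and not CalNet: a lower-tier registry holds people and their affiliations, a middle tier of provisioning, authentication and authorization engines updates and reads that registry, and a top-tier application only ever asks the engines. The affiliation-to-role table, the permission table, the department rule and the sample person "jdoe" are all constructed for the example; the signed assertion handed to applications is a bare HMAC over the user id and would carry an expiry and audience in a real deployment.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# ---- Lower tier: registry of people (constructed sample data) ----------------
@dataclass
class Person:
    uid: str
    affiliation: str          # "student", "staff", or "none" once deprovisioned
    department: str
    pw_salt: bytes = b""
    pw_hash: bytes = b""
    roles: set = field(default_factory=set)

def _hash_pw(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the registry never stores the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Registry:
    def __init__(self):
        self.people = {}

# ---- Middle tier: provisioning engine ---------------------------------------
# Hypothetical policy: roles that follow from an affiliation
AFFILIATION_ROLES = {"student": {"library-patron"},
                     "staff": {"library-patron", "dept-reports"},
                     "none": set()}

class Provisioning:
    def __init__(self, registry):
        self.reg = registry

    def provision(self, uid, affiliation, department, password):
        salt = os.urandom(16)
        p = Person(uid, affiliation, department, salt, _hash_pw(password, salt))
        p.roles = set(AFFILIATION_ROLES[affiliation])
        self.reg.people[uid] = p
        return p

    def reprovision(self, uid, affiliation, department=None):
        # Recompute roles from the new affiliation instead of accumulating them
        p = self.reg.people[uid]
        p.affiliation = affiliation
        p.department = department or p.department
        p.roles = set(AFFILIATION_ROLES[affiliation])
        return p

    def deprovision(self, uid):
        p = self.reg.people[uid]
        p.affiliation, p.roles, p.pw_hash = "none", set(), b""   # credential stops verifying
        return p

# ---- Middle tier: authentication engine -------------------------------------
class Authentication:
    def __init__(self, registry, key: bytes):
        self.reg, self.key = registry, key

    def login(self, uid, password):
        """Return a signed assertion on success, None otherwise."""
        p = self.reg.people.get(uid)
        if p is None or not p.pw_hash:
            return None
        if not hmac.compare_digest(_hash_pw(password, p.pw_salt), p.pw_hash):
            return None
        mac = hmac.new(self.key, uid.encode(), "sha256").hexdigest()
        return f"{uid}.{mac}"

    def verify(self, assertion):
        """An application passes the assertion back; returns the uid if it is genuine."""
        uid, _, mac = assertion.partition(".")
        expected = hmac.new(self.key, uid.encode(), "sha256").hexdigest()
        return uid if hmac.compare_digest(mac, expected) else None

# ---- Middle tier: authorization engine --------------------------------------
ROLE_PERMISSIONS = {"library-patron": {"library:checkout"},   # roles-based (structured)
                    "dept-reports": {"reports:read"}}
RULES = {"reports:read":                                      # rules-based (dynamic)
         lambda person, resource: resource.get("department") == person.department}

class Authorization:
    def __init__(self, registry):
        self.reg = registry

    def authorize(self, uid, action, resource=None) -> bool:
        p = self.reg.people.get(uid)
        if p is None or p.affiliation == "none":
            return False
        if not any(action in ROLE_PERMISSIONS.get(r, set()) for r in p.roles):
            return False
        rule = RULES.get(action)
        return rule(p, resource or {}) if rule else True

# ---- Top tier: an application walking a person through the lifecycle --------
def demo():
    reg = Registry()
    prov, authn, authz = Provisioning(reg), Authentication(reg, b"shared-key"), Authorization(reg)
    out = {}
    prov.provision("jdoe", "staff", "Graduate Division", "correct horse")
    token = authn.login("jdoe", "correct horse")
    out["verified_uid"] = authn.verify(token)
    out["bad_password"] = authn.login("jdoe", "wrong")
    out["own_dept_report"] = authz.authorize("jdoe", "reports:read", {"department": "Graduate Division"})
    out["other_dept_report"] = authz.authorize("jdoe", "reports:read", {"department": "Library"})
    prov.reprovision("jdoe", "student")              # responsibility changed
    out["after_reprovision"] = authz.authorize("jdoe", "reports:read", {"department": "Graduate Division"})
    out["still_patron"] = authz.authorize("jdoe", "library:checkout")
    prov.deprovision("jdoe")                         # relationship ended
    out["login_after_deprovision"] = authn.login("jdoe", "correct horse")
    out["authz_after_deprovision"] = authz.authorize("jdoe", "library:checkout")
    return out

if __name__ == "__main__":
    print(demo())
```

The point of the model is the division of labour the paragraph describes: the application never inspects the registry or keeps its own permission table, so a change of affiliation or a deprovisioning takes effect everywhere the moment the middle tier records it, which is exactly what per-application authorization cannot guarantee.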

[Figure: Identity management conceptual architecture]
Figure 1: Conceptual architecture for Identity Management.

Although vendors and standards organizations have accomplished much in the last six to twelve months, the ideal goal of procuring a single enterprise suite is still problematic for most organizations. Most industry experts recommend that organizations (1) define a strategic goal and set of principles and (2) select a project or set of projects that solve real problems, bring value to the organization, and help build toward the strategic goal and vision. These projects might focus on one aspect of identity management (e.g., authorization and roles), one population (e.g., alumni or affiliates), or one office (e.g., the Library). By demonstrating success in one area, the ground is paved for future successes.

As the organization's identity management framework evolves over time, a set of principles should guide the effort:

Summary and next steps

The purpose of this article has been to provide some definitions and principles for identity management solutions for UC Berkeley. The problems that identity management tries to solve are significant, and relief in any one area could bring significant value to the organization. At the same time, the challenges are considerable and encompass organizational and policy-related issues as well as technical ones. The e-Architecture Working Group and the Information Technology Architecture Committee will continue to work with IST, e-Berkeley, and other campus units. Already, IST is drafting a 12-month road map for expanding CalNet into an identity management system, and IST and e-Berkeley are convening a one-day campus meeting of appropriate technical and functional staff to discuss short-term plans and a long-term strategy for identity management solutions for our organization. Developments such as these promise to improve campus information systems, large and small, in fundamental ways.

Additional information is available on the e-Architecture Working Group's Enterprise Roles and Application Authorization website, http://itac.berkeley.edu:4259/e-Arch/roles/. Send comments to


iNews: UC Berkeley information technology news channels
Copyright 2004, The Regents of the University of California