CAMP: Building a Distributed Access Management Infrastructure

November 7–9, 2006
Denver Marriott City Center, Denver, Colorado

Identity management (IdM) is a valuable thing. By gathering together information about people on your campus, it becomes easier to reliably provide them with basic online services. IdM is the heart of managing services around people rather than around systems.

A major challenge, however, is to bring consistency and sanity to managing access rights in a multisystem environment. It is no longer sustainable to allow individual systems to define privileges in isolation. Both users and managers struggle to coordinate access rights in multiple places for all the right people and to ensure that those rights are adjusted as the individual’s relationship to the institution changes.

Solving this requires a distributed access management infrastructure—central services in a distributed management model, tied into your identity management and integrated through common middleware. But getting there doesn’t happen all at once. In this CAMP we will present an evolutionary model that shows how a distributed access infrastructure can be built in stages.

A key strategy towards this goal is supported by two products developed by the Internet2 community:

  • GROUPER is a groups management toolkit. You already know the importance of leveraging institutional roles like faculty or student affiliations for controlling access and defining eligibility. Grouper enables the distributed creation and management of any number of additional membership roles (school, departmental, project-based, team, personal) to extend the language of role-based access.
  • SIGNET is a privilege management system. It takes management further by defining a centrally held but user-managed repository of permission information. Privilege management centers access control and authorization decisions around who people are and what they can do, and can eliminate or make consistent the many isolated and unevenly managed system-specific methods of control.

This CAMP will offer use cases and experience from institutions building distributed access management solutions and currently adopting Signet and Grouper for such use. On the technical side, emphasis will be on integrating these solutions in campus environments and adapting systems to take advantage of them.

Both IT management and technical staff will find sessions of interest and guidance for leveraging Grouper and Signet at their institution. As a participant, you will:

  • Consider the evolution of IdM into solutions for roles- and privilege-based access control
  • Learn about deploying Grouper and Signet on your campus, for either small or large scale use
  • Discuss the design of good groups and privilege metadata and how to use them effectively
  • Explore the management issues when running centralized groups and privilege systems

This workshop will offer education and guidance to higher education IT managers, project managers, middleware architects, and systems analysts involved at a technical, management, or stakeholder level in supporting campus-wide services.

Participants are encouraged to have a sound knowledge of IdM to learn the most from the sessions. Those interested in knowing more about IdM can review the Enterprise Directory and Authentication Implementation roadmaps and attend the preworkshop seminar "Introduction to Identity Management: The Big Picture." A technical preworkshop is designed for those already familiar with IdM and interested in the basic building blocks of a campus-wide infrastructure that can support IdM and integration middleware.

CAMP is sponsored by the National Science Foundation Middleware Initiative-Enterprise and Desktop Integration Technologies (NMI-EDIT) Consortium: Internet2 and EDUCAUSE. Additional support was provided by the National Science Foundation OCI-0330626.

For information about NMI-EDIT and participation in the NSF Middleware Initiative, see www.nmi-edit.org.


 