Exported From Confluence, Thu, 28 Mar 2024
This course series will explore solutions for four common identity and access management Problem and Solution sets:
Whether you are on a campus, with a research organization, or a company, managing access to multiple resources can quickly overwhelm you and other staff members. Higher Education in particular has the complex situation of having many people with many roles that require a large variety of access rights to its resources.
Using groups as the primary means of granting access requires a group management system that is intuitive and easy to use.
The Grouper software component of the Trusted Access Platform facilitates enterprise-level access management and authorization by grouping unique institutional identities (UIDs) into groups that can be associated with classes, class materials, and other resources. It also provides many powerful features for managing the access rights of the identities easily over time with little effort.
Stephen Hawking is a new student in your system. His interview for enrollment identified him as being highly proficient in math and the faculty would like him to assist them with updating math faculty resources.
The Math Faculty must facilitate adding all of the new math students to the basic curriculum resources, and additionally they would like to give Stephen the ability to update curriculum resources and to access some student information for tutoring purposes.
Using Grouper, the Math Faculty can be added to a group with delegated authority for adding or removing student identities from groups associated with Math Faculty resources. Then any of the Math Faculty members can add Stephen to groups that have R/W access to those resources and read access to information about certain students who have opted in for tutoring.
Now the Math “team” would be able to manage access and authorization to these resources independently from Central IT.
Replicate that across all departmental resources and applications and you can realize a large optimization in people’s time and effort.
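The delegation pattern described in this scenario, as an added example that is not Grouper code and does not use Grouper's API: Central IT creates the groups once and grants the Math Faculty group UPDATE privilege on the resource groups, after which a faculty member, not Central IT, enrols students and gives Stephen his extra access. The group names, resource names and people (central_it, prof_ada, stephen, student_bob, student_carol) are constructed for the example.

```python
"""Group-based access with delegated group administration (added example, not Grouper code)."""
from dataclasses import dataclass, field

UPDATE = "UPDATE"  # may add or remove members of a group
ADMIN = "ADMIN"    # may grant privileges on a group


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    # privilege -> subjects holding it; a subject is a uid or "group:<name>"
    privileges: dict = field(default_factory=dict)


class GroupRegistry:
    def __init__(self):
        self.groups = {}

    def create(self, name, admin):
        self.groups[name] = Group(name, privileges={ADMIN: {admin}})

    def is_member(self, group_name, uid):
        return uid in self.groups[group_name].members

    def has_privilege(self, group_name, uid, priv):
        """Direct holders of the privilege, plus members of any group that holds it."""
        for holder in self.groups[group_name].privileges.get(priv, set()):
            if holder == uid:
                return True
            if holder.startswith("group:") and self.is_member(holder[len("group:"):], uid):
                return True
        return False

    def grant(self, actor, group_name, subject, priv):
        """Only an ADMIN of the group may delegate privileges on it."""
        if not self.has_privilege(group_name, actor, ADMIN):
            raise PermissionError(f"{actor} is not ADMIN of {group_name}")
        self.groups[group_name].privileges.setdefault(priv, set()).add(subject)

    def add_member(self, actor, group_name, uid):
        """Membership changes require UPDATE; the actor is checked, never trusted."""
        if not self.has_privilege(group_name, actor, UPDATE):
            raise PermissionError(f"{actor} may not update {group_name}")
        self.groups[group_name].members.add(uid)

    def remove_member(self, actor, group_name, uid):
        if not self.has_privilege(group_name, actor, UPDATE):
            raise PermissionError(f"{actor} may not update {group_name}")
        self.groups[group_name].members.discard(uid)


# Resources are protected purely by group membership: resource -> {mode: group}
RESOURCE_POLICY = {
    "curriculum-wiki": {"read": "math:students", "write": "math:curriculum-editors"},
    "tutoring-records": {"read": "math:tutors"},
}


def can_access(reg, uid, resource, mode):
    group = RESOURCE_POLICY.get(resource, {}).get(mode)
    return group is not None and reg.is_member(group, uid)


def opt_in_for_tutoring(reg, uid):
    """Self-service opt-in: a math student may add only themself."""
    if not reg.is_member("math:students", uid):
        raise PermissionError(f"{uid} is not a math student")
    reg.groups["math:tutoring-opt-in"].members.add(uid)


def readable_students(reg, uid):
    """Tutors may read records only of students who opted in; everyone else sees nothing."""
    if not can_access(reg, uid, "tutoring-records", "read"):
        return set()
    return set(reg.groups["math:tutoring-opt-in"].members)


def build_scenario():
    reg = GroupRegistry()
    # Central IT creates the groups once, delegates membership management of the
    # resource groups to the Math Faculty group, and then steps out of the loop.
    for name in ("math:faculty", "math:students", "math:curriculum-editors",
                 "math:tutors", "math:tutoring-opt-in"):
        reg.create(name, admin="central_it")
    reg.grant("central_it", "math:faculty", "central_it", UPDATE)
    reg.add_member("central_it", "math:faculty", "prof_ada")
    for name in ("math:students", "math:curriculum-editors", "math:tutors"):
        reg.grant("central_it", name, "group:math:faculty", UPDATE)
    # A faculty member, not Central IT, enrols the students and grants Stephen extra roles.
    for uid in ("stephen", "student_bob", "student_carol"):
        reg.add_member("prof_ada", "math:students", uid)
    reg.add_member("prof_ada", "math:curriculum-editors", "stephen")
    reg.add_member("prof_ada", "math:tutors", "stephen")
    opt_in_for_tutoring(reg, "student_carol")  # Bob does not opt in
    return reg
```

The point to notice is that every membership change is authorized against the caller's privileges on the target group, and that resource access is computed from membership at check time, so removing Stephen from the editors group revokes his write access immediately without any per-application change.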
Bring up an instance of Grouper pre-populated with Math Faculty, groups representing admin for certain resources (this could be spaces), groups representing students, and a group of students who opt in for tutoring.
Research organizations and virtual organizations have similar issues - people coming from various places bringing an identity with them, and needing access to various tools and ways to collaborate.
Imagine researchers and administrators working together on a groundbreaking research effort while being based at numerous different universities and research institutes. To facilitate their teamwork, these collaborators need to share documents, set up institution-independent mailing lists, coordinate calendars, and use a protected wiki to capture their efforts. Their collaboration needs to be protected, but the focus needs to be on the collaboration, not the technology.
Bring up an instance of COmanage, Confluence, and Grouper pre-populated with Faculty Researchers from several fake institutions, groups representing admin for certain resources (this could be spaces), and groups representing researchers working on 3 or 4 different aspects of a project, with associated mailing lists to communicate. They can all have access to the protected wiki, but there will be several pages specific to the details of the different aspects.
Many organizations would like a way to manage guest (affiliation) access that doesn’t require creating accounts and provisioning guests through the normal ERP system. This session will provide a solution.
Identifying users in a unique way that can then be used to provide access to institutional resources, and later change or withdraw that access, can be a challenging process and prone to many problems. Students are the most problematic: there are vast numbers of them, and what they should or should not have access to, and at what level, may change frequently during their enrollment and even afterwards as alumni. Staff and faculty, though smaller in number, have similar issues.
The Trusted Access Platform can be integrated with existing systems of record (SORs), such as HR, so that events like hiring, student admissions, etc. trigger the creation of a unique institutional identity (UID), associate that identity with basic known attributes from the SOR, and store the identity in a registry with those attributes.
Additionally, the identity can be added automatically to groups associated with access to classes, course materials, applications and other resources (provisioning).
Similarly, additional events triggered by changes in HR or other SORs can change or revoke the identity's access rights automatically (de-provisioning).
Stephen Hawking is a new student in your system. His interview for enrollment identified him as being highly proficient in math and the faculty would like him to assist them with updating math faculty resources.
As a part of the normal business process for students assisting faculty, Stephen will be hired as a research assistant in the HR system. Stephen will appear to be a new person to the HR system, so it will send a message to midPoint to create Stephen in the registry. The registry discovers that Stephen already exists by running its search-match process, and updates the registry with the HR system identifier. An updated person message is sent out by the registry, prompting Grouper to retrieve information about Stephen's employee status and department and add Stephen to basis groups, resulting in an employee affiliation. midPoint receives a message about the employee group affiliation and adds the employee role to Stephen.
After two semesters, Stephen decided to stop working to focus on studying, and the HR system marked Stephen as terminated. A message from the HR system about the termination is sent to midPoint, which marks Stephen as inactive for the HR resource and publishes an updated person message. Grouper retrieves this message and processes changes to basis groups, resulting in the loss of the employee affiliation. A message about this change is picked up by midPoint, which removes the employee role from Stephen.
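The hire-and-terminate message flow described in the two paragraphs above, as an added example that is not code from midPoint, Grouper or the Trusted Access Platform. It splits midPoint's two jobs into a Registry (search-match and updated person messages) and a RoleManager (roles derived from affiliations), with a Grouper class maintaining basis groups in between. The match rule (same surname and date of birth), the message fields, the SOR names "sis" and "hr", and the identifiers and attribute values are constructed assumptions for the example.

```python
"""Event-driven provisioning and de-provisioning across an SOR, registry, group and role manager.

Added example; not midPoint, Grouper or Trusted Access Platform code.
"""
from dataclasses import dataclass, field


@dataclass
class Person:
    uid: str
    attrs: dict = field(default_factory=dict)    # merged attributes from SORs
    sor_ids: dict = field(default_factory=dict)  # SOR name -> identifier in that SOR
    active: dict = field(default_factory=dict)   # SOR name -> still active there?


class Registry:
    """One record per real person; incoming SOR records are matched, not duplicated."""

    def __init__(self):
        self.people = {}
        self.listeners = []  # consumers of "updated person" messages

    def _search_match(self, attrs):
        # Constructed match rule: same surname and date of birth means the same person.
        key = (attrs.get("sn"), attrs.get("dob"))
        return next((p for p in self.people.values()
                     if (p.attrs.get("sn"), p.attrs.get("dob")) == key), None)

    def sor_event(self, sor, sor_id, attrs, active=True):
        """Create-or-update from a system of record, then publish an updated person message."""
        person = self._search_match(attrs)
        if person is None:
            person = Person(uid=f"uid{len(self.people) + 1:04d}")
            self.people[person.uid] = person
        person.attrs.update(attrs)
        person.sor_ids[sor] = sor_id
        person.active[sor] = active  # termination marks the person inactive for that SOR
        message = {"type": "updated-person", "uid": person.uid,
                   "active": dict(person.active), "attrs": dict(person.attrs)}
        for listener in self.listeners:
            listener(message)
        return person.uid


class Grouper:
    """Maintains basis groups from registry messages and derives affiliations from them."""

    BASIS_TO_AFFILIATION = {"basis:employees": "employee", "basis:students": "student"}

    def __init__(self, role_manager):
        self.basis = {g: set() for g in self.BASIS_TO_AFFILIATION}
        self.role_manager = role_manager

    def on_updated_person(self, msg):
        uid = msg["uid"]
        should_be_member = {
            "basis:employees": msg["active"].get("hr", False)
                               and msg["attrs"].get("employee_status") == "active",
            "basis:students": msg["active"].get("sis", False),
        }
        changed = False
        for group, member in should_be_member.items():
            if member != (uid in self.basis[group]):
                (self.basis[group].add if member else self.basis[group].discard)(uid)
                changed = True
        if changed:  # publish the new affiliation set for the role manager
            self.role_manager.on_affiliations(uid, self.affiliations(uid))

    def affiliations(self, uid):
        return {aff for g, aff in self.BASIS_TO_AFFILIATION.items() if uid in self.basis[g]}


class RoleManager:
    """Assigns roles strictly from affiliations, so revocation needs no manual step."""

    AFFILIATION_ROLE = {"employee": "role:employee", "student": "role:student"}

    def __init__(self):
        self.roles = {}

    def on_affiliations(self, uid, affiliations):
        self.roles[uid] = {self.AFFILIATION_ROLE[a] for a in affiliations}


def run_scenario():
    """Admission, hire and termination for one person; returns (step, uid, roles) per step."""
    role_manager = RoleManager()
    grouper = Grouper(role_manager)
    registry = Registry()
    registry.listeners.append(grouper.on_updated_person)
    stephen = {"givenName": "Stephen", "sn": "Hawking", "dob": "1942-01-08"}  # sample attrs
    steps = []
    uid = registry.sor_event("sis", "S-1001", {**stephen, "student_status": "enrolled"})
    steps.append(("admitted", uid, set(role_manager.roles.get(uid, set()))))
    # HR sees a new person, but the registry matches the existing student record.
    uid = registry.sor_event("hr", "E-5500", {**stephen, "employee_status": "active"})
    steps.append(("hired", uid, set(role_manager.roles.get(uid, set()))))
    uid = registry.sor_event("hr", "E-5500", {**stephen, "employee_status": "terminated"},
                             active=False)
    steps.append(("terminated", uid, set(role_manager.roles.get(uid, set()))))
    return steps
```

Two properties matter here. The HR hire does not create a second identity because the registry's search-match runs before any create, so Stephen keeps one UID with two SOR identifiers attached. And the employee role is never assigned directly: it exists only while the basis group membership that implies it exists, so the termination event removes it through the same path that granted it.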
Students will work through an integrated demo environment and learn how InCommon Trusted Access Platform components can work together to solve common IAM challenges.
Many times, institutions that support many of their own applications would like to provide secure access to those applications so that outside faculty or students can collaborate on projects, or in other ways, through those applications. Managing many inside and outside user accounts/passwords is cumbersome and time consuming. Federating those applications as Service Providers (SPs) provides a means to securely provide access by verifying users via federated Identity Providers (IdPs), both internally and for select external institutions or organizations.
write this
write this