Versions Compared

Old Version 15

changes.mady.by.user Tom Barton (uchicago.edu)

Saved on

compared with

New Version 16

changes.mady.by.user Tom Barton (uchicago.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 4.0

Problem

Organizational policy enables use of a service by people identified by a business process reflected in the organization's Identity Management system. This set of people tracked by a given business process is, by definition, accurate and authoritative for its original purpose.  However, the original business process is often not fully accurate, giving rise to the need to interpret high-level policy and accordingly "tweak" the official roster by effectively adding or removing people. For this purpose, additional policies give limited authority to others to grant or deny access to the service.

Solution

Reflect the official source in the membership of a group. Create two other groups for the whitelist and blacklist and assign Updater or Admin privilege to those with authority to grant or deny access to the service (if there is more than one such authority for either the whitelist or the blacklist, follow the "Application Access Roles- Multiple Registrars for a Service" solution pattern). Using Grouper, form a group of people authorized to use the service for its run-time access control by

  1. Making an intermediate group: official1 = official Union whitelist.
  2. Making the authorized group = official1 Complement blacklist.

Naming these groups should follow the site's naming plan.

Examples

  • The faculty, staff, and students of the University are permitted to use the University's wireless service. However, the Network Security group is empowered to deny access to anyone whose computer is thought to be interfering with normal operations. Further, University guests are to be given access to wireless.
  • The Clerk of the Faculty wishes to maintain a group of individuals known as "Faculty" who are full voting members of the Faculty as well as approved to serve on committees, as opposed to the list of individuals known as "Faculty" to HR, which includes part-time and Adjunct members of the Faculty who do not have these rights. This group would be used for email distribution lists as well as access to a private webpage for Faculty containing meeting minutes, committee reports, and other relevant documents.

Graphic (click on it to view full size)