The following information is intended to help guide the deliverable/s of the various subcommittees but should in no way constrain the outcomes of the groups.
Group Name: Access Management Subcommittee
Date: 9/16/2011
Purpose of Group
Determine the requirements for an Access Management solution, perform a gap analysis of existing open source and commercial solutions and make a final recommendation to the OSIdM4HE group.
Gap Analysis
Glossary of Terms
Term | Definition
---|---
Requirements/Principles of the Chunk/Module
Groups Requirements
What follows are requirements related to the groups portion of an Access Management solution.

Requirement ID | Requirement Source | Requirement Description | KIM | Grouper
---|---|---|---|---
GRP_0100 | PSU | The groups system shall support the establishment and maintenance of standing groups based on data from System(s) of Record (SoR). | |
GRP_0110 | PSU | The groups system shall support the establishment and maintenance of student class groups. | |
GRP_0120 | PSU | The groups system shall provide a delegated groups management function. | |
GRP_0130 | PSU | The groups system shall provide an API and web service interfaces for accessing group information. | |
GRP_0140 | PSU | The groups system shall support the publishing of groups information to other systems (LDAP, Active Directory, and so on). | |
GRP_0150 | PSU | The groups system shall support the creation, modification and/or deletion of groups and/or membership. | |
GRP_0160 | PSU | The groups system shall support the construction of dynamic groups. | |
GRP_0170 | PSU | The groups system shall support nested groups. | |
GRP_0180 | PSU | The groups system shall support groups that have an effective and/or expiration date. | |
GRP_0190 | PSU | The groups system shall provide an end-user interface for the management of groups. | |
GRP_0200 | PSU | The groups system shall provide an auditing facility for all changes to groups/memberships. | |
GRP_0210 | PSU | The groups system shall provide a notification facility that users/systems can subscribe to for group changes. | |
GRP_0220 | PSU | The groups system shall allow for attributes to be associated with a group (metadata). | |
GRP_0230 | PSU | The groups system shall support the construction of a group from the members of other group(s) (group math). | |
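As an added illustration of how GRP_0170 (nested groups), GRP_0180 (effective/expiration dates) and GRP_0230 (group math) interact when a consumer asks "who is in this group today", the following Python sketch resolves effective membership; it is not part of the subcommittee's document or of any product evaluated here, and the group names and sample data are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Membership:
    member: str                       # a user id, or a group name for nesting
    effective: Optional[date] = None  # None: no start constraint
    expires: Optional[date] = None    # None: never expires

    def active_on(self, day: date) -> bool:
        # A membership counts only inside its [effective, expires) window.
        return not ((self.effective and day < self.effective) or
                    (self.expires and day >= self.expires))

# A group is either a list of memberships or an ("op", left, right) tuple.
def effective_members(groups: dict, name: str, day: date, seen=frozenset()) -> set:
    """Return the user ids that are members of `name` on `day`, after flattening
    nested groups and evaluating composite (group math) definitions."""
    if name in seen:                  # cycle guard: A contains B contains A
        return set()
    seen = seen | {name}
    definition = groups[name]
    if isinstance(definition, tuple):
        op, left, right = definition
        l = effective_members(groups, left, day, seen)
        r = effective_members(groups, right, day, seen)
        return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
    users = set()
    for m in definition:
        if not m.active_on(day):
            continue
        if m.member in groups:        # nested group: recurse
            users |= effective_members(groups, m.member, day, seen)
        else:
            users.add(m.member)
    return users

# Constructed sample data: a course roster, a TA whose membership expires at
# term end, and two composite groups built with group math.
GROUPS = {
    "cs101:students": [Membership("alice"), Membership("bob")],
    "cs101:tas": [Membership("carol", expires=date(2011, 12, 16))],
    "faculty": [Membership("dave")],
    "cs101:all": [Membership("cs101:students"), Membership("cs101:tas"),
                  Membership("faculty")],
    "cs101:staff": ("union", "faculty", "cs101:tas"),
    "cs101:learners": ("complement", "cs101:all", "cs101:staff"),
}
```

Publishing the flattened result (GRP_0140) rather than the raw nesting is what keeps downstream LDAP or AD consumers from having to re-implement the date and cycle handling.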
Roles Requirements
What follows are requirements related to the roles portion of an Access Management solution.

Requirement ID | Requirement Source | Requirement Description
---|---|---
ROL_0100 | PSU | The roles system shall provide a facility for the management of roles.
ROL_0110 | PSU | The roles system shall support three types of roles: basic, assigner (assigns users to roles) and steward (assigns assigners to roles).
ROL_0120 | PSU | The roles system shall provide an API and/or Web Services to access its facility.
ROL_0130 | PSU | The roles system shall support the creation, modification and deletion of roles.
ROL_0140 | PSU | The roles system shall support effective and expiration dates for a role.
ROL_0150 | PSU | The roles system shall support permissions and/or limits associated with a role.
ROL_0160 | PSU | The roles system shall support the publishing of role information to other sources, for example LDAP.
ROL_0170 | PSU | The roles system shall support the concept of a role proxy where a person is given access for a limited period of time.
ROL_0180 | PSU | The roles system shall support a hierarchy of roles, which enables the reuse of roles.
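To make the delegation model in ROL_0110 concrete alongside ROL_0140, ROL_0170 and ROL_0180, here is an added Python sketch (not from the subcommittee's document or any evaluated product) in which only a steward can appoint assigners, only an assigner can place users in a role, a dated assignment acts as a proxy, and permissions are inherited down a role hierarchy; role names, permissions and people are constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Assignment:
    user: str
    kind: str                         # "basic", "assigner" or "steward"
    effective: Optional[date] = None  # None: no start constraint
    expires: Optional[date] = None    # None: never expires; a date makes it a proxy
    def active_on(self, day: date) -> bool:
        return not ((self.effective and day < self.effective) or
                    (self.expires and day >= self.expires))

@dataclass
class Role:
    permissions: set = field(default_factory=set)
    includes: list = field(default_factory=list)  # junior roles reused by this one
    assignments: list = field(default_factory=list)

def holds(roles: dict, user: str, role: str, kind: str, day: date) -> bool:
    return any(a.user == user and a.kind == kind and a.active_on(day)
               for a in roles[role].assignments)

# Assigners place users in a role, stewards place assigners; nobody mints stewards.
REQUIRED_KIND = {"basic": "assigner", "assigner": "steward"}

def assign(roles, actor, role, user, kind, day, expires=None):
    needed = REQUIRED_KIND.get(kind)
    if needed is None or not holds(roles, actor, role, needed, day):
        raise PermissionError(f"{actor} may not grant '{kind}' on {role}")
    roles[role].assignments.append(Assignment(user, kind, day, expires))

def permissions_of(roles, user, day):
    """Permissions `user` holds on `day`, inherited down the role hierarchy."""
    def collect(role, seen):
        if role in seen:                      # cycle guard
            return set()
        perms = set(roles[role].permissions)
        for junior in roles[role].includes:
            perms |= collect(junior, seen | {role})
        return perms
    held = [r for r in roles if holds(roles, user, r, "basic", day)]
    return set().union(*(collect(r, frozenset()) for r in held))

def build_sample():
    # Constructed data: "instructor" reuses "grader"; erin is its steward.
    return {"grader": Role({"grades:read"}),
            "instructor": Role({"grades:write"}, includes=["grader"],
                               assignments=[Assignment("erin", "steward")])}
```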
Attributes Requirements
What follows are requirements related to the attributes portion of an Access Management solution.

Requirement ID | Requirement Source | Requirement Description
---|---|---
ATT_0100 | PSU | The system shall provide an attribute service. Attributes can either be single-valued or multi-valued.
ATT_0110 | PSU | The system shall support public and sensitive (limited access) attributes.
ATT_0120 | PSU | The system shall support official and user-modifiable person attributes.
ATT_0130 | PSU | The system shall provide Web Services to access attributes.
ATT_0140 | PSU | Attributes from the eduPerson, inetOrgPerson and orgPerson objectClasses shall be available for use in federating applications.
Policy Engine Requirements
What follows are requirements related to the policy engine portion of an Access Management solution.

Requirement ID | Requirement Source | Requirement Description
---|---|---
POL_0100 | PSU | Granting and removal of access shall be performed automatically according to defined business rules.
POL_0110 | PSU | The system's policy engine shall be high-performing and flexible enough to allow for a variety of rules.
POL_0120 | PSU | The system's policy engine shall be accessible from either a Web-based GUI or Web Services with appropriate access controls.
POL_0130 | PSU | The system's policy engine shall allow for searching of existing rules for possible reuse.
POL_0140 | PSU | The system shall support a centralized policy engine responsible for managing and evaluating policy rules (PDP).
POL_0150 | PSU | The system shall support a policy enforcement point (PEP).
Auditing Requirements
What follows are requirements related to the auditing portion of an Access Management solution.

Requirement ID | Requirement Source | Requirement Description
---|---|---
AUD_0100 | PSU | The system shall support the periodic review of a user's privileges as defined by policy.
Enterprise Requirements
What follows are requirements related to the enterprise aspect of an Access Management solution.

Requirement ID | Requirement Source | Requirement Description
---|---|---
Scope
- Groups
- Roles
- Attributes
- Enterprise
Project Definition
- Resources Needed, Outcome Expected, Timeline