The following information is intended to help guide the deliverable/s of the various subcommittees but should in no way constrain the outcomes of the groups.
Group Name: Access Management Subcommittee
Date
9/16/2011
Purpose of Group
Determine the requirements for an Access Management solution, perform a gap analysis of existing open source and commercial solutions and make a final recommendation to the OSIdM4HE group.
Gap Analysis
Glossary of Terms
Term |
Definition |
|---|---|
|
|
|
|
|
|
Requirements/Principles of the Chunk/Module
Groups Requirements
What follows are requirements related to the groups portion of an Access Management solution. Cf notes from 10/24/2011 to amplify on some of these.
Requirement ID |
Requirement Source |
Requirement Description |
KIM |
Grouper |
|---|---|---|---|---|
GRP_0100 |
PSU |
The groups system shall support the establishment and maintenance of standing groups based on data from System(s) of Record (SoR). |
N, but |
Y |
GRP_0110 |
PSU |
The groups system shall support the establishment and maintenance of student class groups. |
N, but |
Y |
GRP_0120 |
PSU |
The groups system shall provide a distributed and delegated groups management function.(Requires deep namespace) |
N, but |
Y |
GRP_0130 |
PSU |
The groups system shall provide a API and web service interfaces for accessing group information. |
Y |
Y |
GRP_0140 |
PSU |
The groups system shall support the publishing of groups information to other systems (LDAP, Active Directory, and so on). |
N |
Y |
GRP_0150 |
PSU |
The groups system shall support the creation, modification and/or deletion of groups and/or membership. |
Y |
Y |
GRP_0160 |
PSU |
The groups system shall support the construction of dynamic groups.LDAP in particular. |
N |
Y |
GRP_0170 |
PSU |
The groups system shall support nested groups. |
Y |
Y |
GRP_0180 |
PSU |
The groups system shall support groups that have an effective and/or expiration date. |
Y |
Y |
GRP_0190 |
PSU |
The groups system shall provide an end-user user interface for the management of groups. |
Y |
Y |
GRP_0200 |
PSU |
The groups system shall provide an auditing facility for all changes to groups/memberships. |
Y (check Group Update Service) |
Y |
GRP_0210 |
PSU |
The groups system shall provide a notification facility that user's/system's can subscribe to for group changes. |
N |
Y |
GRP_0220 |
PSU |
The groups system shall allow for attributes to be associated with a group (metadata). |
Y |
Y |
GRP_0230 |
PSU |
The groups system shall support the construction of a group from the members of other group(s) (group math). |
N |
Y |
Roles Requirements
What follows are requirements related to the roles portion of an Access Management solution. Cf notes from 10/24/2011 to amplify on some of these.
Requirement ID |
Requirement Source |
Requirement Description |
KIM |
Grouper |
|---|---|---|---|---|
ROL_0100 |
PSU |
The roles system shall provide a facility for the management of roles. |
Y |
Y |
ROL_0110 |
PSU |
The roles system shall support three types of roles: basic, assigner (assigns users to roles) and stewards (assigns assigners to roles). |
Y |
Y |
ROL_0120 |
PSU |
The roles system shall provide an API and/or Web Services to access its facility. |
Y |
Y |
ROL_0130 |
PSU |
The roles system shall support the creation, modification and deletion of roles. |
Y |
Y |
ROL_0140 |
PSU |
The roles system shall support effective and expiration dates for a role. |
Y |
Y |
ROL_0150 |
PSU |
The roles system shall support permissions and/or limits associated with a role. |
Y |
Y |
ROL_0160 |
PSU |
The roles system shall support the publishing of role information to other sources, for example LDAP. |
N |
? (ask Jimmy) |
ROL_0170 |
PSU |
The roles system shall support the concept of a role proxy where a person is given access for a limited period of time. |
Y |
Y |
ROL_0180 |
PSU |
The roles system shall support a hierarchy of roles, which enables the reuse of roles. |
Y |
Y |
Attributes Requirements
What follows are requirements related to the attributes portion of an Access Management solution
Discussion 11/3/2011: Neither KIM nor Grouper focus on being attribute service providers, but they provide access management capabilities to applications that can be based on person attributes. However, Grouper's LDAP provisioning connector can provision person attributes based on their group memberships, and the GrouperDataConnector for shibboleth allows a shib IdP to express attributes as a function of group memberships. Both KIM and Grouper support attributes on groups and Grouper support attributes on other types of objects and KIM manages Principals/Entities with attributes.
Requirement ID |
Requirement Source |
Requirement Description |
KIM |
Grouper |
|---|---|---|---|---|
ATT_0100 |
PSU |
The system shall provide an attribute services. Attributes can either be single-valued or multi-valued. |
Y (check on multi-valued attributes) |
Y |
ATT_0110 |
PSU |
The system shall support public and sensitive (limited access) attributes. |
Y |
Y |
ATT_0120 |
PSU |
The system shall support official and user-modifiable person attributes. |
N/A |
N/A |
ATT_0130 |
PSU |
The system shall provide Web Services to access attributes. |
Y |
Y |
ATT_0140 |
PSU |
Attributes from eduPerson, inetOrgPerson and orgPerson objectClasses shall be available for use in federating applications. |
N/A |
N/A |
Policy Engine Requirements
What follows are requirements related to the policy engine portion of an Access Management solution
Requirement ID |
Requirement Source |
Requirement Description |
KIM |
Grouper |
|---|---|---|---|---|
POL_0100 |
PSU |
Granting and removal of access shall be performed automatically according to defined business rules. |
Y, KIM includes a number of role type implementations for common business rules |
Y |
POL_0110 |
PSU |
The system’s policy engine shall be high performing and flexible enough to allow for a variety of rules. |
Sure! |
Sure! |
POL_0120 |
PSU |
The system’s policy engine shall be accessible from either a Web-based GUI or Web Services with appropriate access controls. |
|
|
POL_0130 |
PSU |
The system’s policy engine shall allow for searching of existing rules for possible reuse. |
|
|
POL_0140 |
PSU |
The system shall support a centralized policy engine responsible for managing and evaluating policy rules (PDP). |
|
|
POL_0150 |
PSU |
The system shall support a policy enforcement point (PEP). |
|
|
Auditing Requirements
What follows are requirements related to the auditing portion of an Access Management solution
Requirement ID |
Requirement Source |
Requirement Description |
KIM |
Grouper |
|---|---|---|---|---|
AUD_0100 |
PSU |
The system shall support the periodic review of a user’s privileges as defined by policy. |
|
|
|
|
|
|
|
Enterprise Requirements
What follows are requirements related to the enterprise aspect of an Access Management solution
Requirement ID |
Requirement Source |
Requirement Description |
KIM |
Grouper |
|---|
PACCMAN Requirements
What follows are requirements related to the enterprise aspect of an Access Management solution
Requirement ID |
Requirement Source |
Requirement Description |
KIM |
Grouper |
|---|---|---|---|---|
PAC_0100 |
B-2 |
The system shall support the ability to transfer access rights to another user. |
|
|
PAC_0110 |
B-3 |
The system shall support time-limited delegation of application privileges from authority |
|
|
PAC_0120 |
B-14 |
The system shall support point in time auditing of permissions. |
|
|
PAC_0130 |
B-15 |
The system shall support the automatic recalculation of privileges based on granular changes |
|
|
PAC_0140 |
A-8 |
The system shall support granting time-limited access previously granted automatically via group |
|
|
PAC_0150 |
L-2 |
The system shall support federated identity coupled with federated group membership for shared access |
|
|
Scope
- Groups
- Roles
- Attributes
- Enterprise
Project Definition
- Resources Needed, Outcome Expected, Timeline