Setting up Privilege Management with Signet Metadata Setting up Privilege Management with Signet Metadata

3Distributed Access Management CAMP

Privileges Building BlocksPrivileges Building Blocks

Functional view• Subsystems• Categories• Functions• Scope, Limits• Prerequisites &

Conditions

System view• Subject• Action• Resource

Privileges → Permissions

4Distributed Access Management CAMP

Signet ComponentsSignet Components

• Define domains of ownership and responsibility

• Reflect real world boundaries

• Can be large or small

Financial systemStudent AdministrationHR systemNetwork access

managementResearch administrationClinical resourcesProgrammatic resourcesCollaboration resources

Subsystems

5Distributed Access Management CAMP

Functional ViewFunctional View

Signet configuration declares …

LimitsQualifiers, constraints for a privilege

Limit typesLimit choice sets

Scope TreesOrganizational hierarchy governing distributed delegation

FunctionsThe things a person can do; what they are getting privileges for

CategoriesProvide useful arrangement of functions within a subsystem; for reporting, ease of use

6Distributed Access Management CAMP

Functional ViewFunctional View

Categories FunctionsSubsystems

Clinical Trial Protocol A Patient Records

Materials Control

Manage Grant

Lab AccessAdmin

Student Admin Course Support

Add/Drop students

Schedule Classes

Process Applicants

Award Scholarships

Manage Accounts

FinancialAid

Limits

Which term

From Fund…

Read/Write

Hours

For school…

For fund…

Which campus

Qty/day

$ constraints

organizing actions

7Distributed Access Management CAMP

Systems ViewSystems View

Permissions• Atomic units of control that map to specific

access rules in systems• Includes limits that must be evaluated when

interpreting permissions

Resources• The target of a specific privilege; things that

have access rules to control their use

8Distributed Access Management CAMP

Functional View PermissionsFunctional View Permissions

Resources/Permissions

Student Admin

Functional View

Course Support Add/Drop students

Schedule Classes

Process Applicants

Award Scholarships

Manage Accounts

Financial Aid

reserve_time

view_schedules

student_records

applicant_data

view_fund_data

update_fund_data

update_course_data

reserve_room

Calendar

Course

Facilities

Financial

Student

categories functions

9Distributed Access Management CAMP

Privileges LifecyclePrivileges Lifecycle

Conditions• Provides automatic revocation of privileges• Date controls -- from date, until date• Will be based on person’s status, affiliation, etc.

e.g., as long as person is at Stanford

Prerequisites• Pre-conditions that must be met to activate privileges

e.g., training

10Distributed Access Management CAMP

Other featuresOther features

Assignments can be• To an individual• To a Group

With/without ability to further delegate• Distributed delegation using organizational hierarchy

• Records “chain of command”

Proxy assignment• Temporary granting of one’s privilege to another