Date posted: 03-Jan-2016
Setting up Privilege Management with Signet Metadata

Distributed Access Management CAMP

Privileges Building Blocks

Functional view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions

System view
• Subject
• Action
• Resource

Privileges → Permissions
Signet Components: Subsystems

• Define domains of ownership and responsibility
• Reflect real world boundaries
• Can be large or small

Example subsystems: Financial system, Student Administration, HR system, Network access management, Research administration, Clinical resources, Programmatic resources, Collaboration resources
Functional View

Signet configuration declares …

• Limits: qualifiers and constraints for a privilege (limit types, limit choice sets)
• Scope Trees: organizational hierarchy governing distributed delegation
• Functions: the things a person can do; what they are getting privileges for
• Categories: provide a useful arrangement of functions within a subsystem, for reporting and ease of use
Functional View: organizing actions

Subsystem: Clinical Trial Protocol A
• Categories/functions shown: Patient Records, Materials Control, Manage Grant, Lab Access, Admin

Subsystem: Student Admin
• Category Course Support: functions Add/Drop students, Schedule Classes
• Category Financial Aid: functions Process Applicants, Award Scholarships, Manage Accounts

Example limits: Which term; From Fund…; Read/Write; Hours; For school…; For fund…; Which campus; Qty/day; $ constraints
Systems View

Permissions
• Atomic units of control that map to specific access rules in systems
• Include limits that must be evaluated when interpreting permissions

Resources
• The target of a specific privilege; things that have access rules to control their use
Functional View → Permissions

Functional view (Student Admin subsystem)
• Category Course Support: functions Add/Drop students, Schedule Classes
• Category Financial Aid: functions Process Applicants, Award Scholarships, Manage Accounts

Resources/Permissions
• Permissions: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room
• Resources: Calendar, Course, Facilities, Financial, Student
Privileges Lifecycle

Conditions
• Provide automatic revocation of privileges
• Date controls: from date, until date
• Will be based on person's status, affiliation, etc. (e.g., as long as person is at Stanford)

Prerequisites
• Pre-conditions that must be met to activate privileges (e.g., training)
Other features

Assignments can be
• To an individual
• To a Group
• With/without ability to further delegate

Distributed delegation using organizational hierarchy
• Records "chain of command"

Proxy assignment
• Temporary granting of one's privilege to another
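The functional-view metadata (functions, limits and their choice sets) and the lifecycle checks (date conditions, status, prerequisites) from the slides above can be exercised with a small evaluator. The following is an added illustration, not Signet's own code or metadata format; the functions, permissions, limit choice sets and assignments are constructed from the Student Admin example on the slides.

```python
from dataclasses import dataclass
from datetime import date
# Constructed sample metadata modelled on the Student Admin slides (not Signet's own
# format): each function grants a set of permissions; each limit type has a choice set.
FUNCTION_PERMISSIONS = {
    "Schedule Classes": {"reserve_room", "update_course_data"},
    "Award Scholarships": {"update_fund_data", "view_fund_data"},
}
LIMIT_CHOICES = {"term": {"Winter", "Spring"}, "fund": {"F100", "F200"}}

@dataclass
class Assignment:
    subject: str
    function: str
    limits: dict             # limit values chosen at assignment, e.g. {"term": "Winter"}
    from_date: date          # condition: not effective before this date
    until_date: date         # condition: automatically revoked after this date
    prerequisites_met: bool  # e.g. required training completed
    required_status: str = "active"  # condition: "as long as person is at Stanford"

def validate(a: Assignment) -> None:
    """Reject metadata errors: unknown function, or a limit value outside its choice set."""
    if a.function not in FUNCTION_PERMISSIONS:
        raise ValueError(f"unknown function {a.function!r}")
    for lim, val in a.limits.items():
        if val not in LIMIT_CHOICES.get(lim, set()):
            raise ValueError(f"limit {lim}={val!r} is not in its choice set")

def permitted(assignments, subject, action, context, today, status) -> bool:
    """System view: subject holds a function granting `action`, the assignment's limits
    match the request `context`, conditions hold `today`, and prerequisites are met."""
    for a in assignments:
        if a.subject != subject or action not in FUNCTION_PERMISSIONS.get(a.function, ()):
            continue
        if not a.from_date <= today <= a.until_date:      # condition: date controls
            continue
        if status != a.required_status or not a.prerequisites_met:
            continue
        # every limit on the assignment must match the request; a limit the request
        # omits compares as None and fails closed
        if all(context.get(lim) == val for lim, val in a.limits.items()):
            return True
    return False

SAMPLE = [  # constructed assignments: alice may schedule Winter classes, bob lacks training
    Assignment("alice", "Schedule Classes", {"term": "Winter"},
               date(2016, 1, 1), date(2016, 6, 30), prerequisites_met=True),
    Assignment("bob", "Award Scholarships", {"fund": "F100"},
               date(2016, 1, 1), date(2016, 6, 30), prerequisites_met=False),
]
```

A request is allowed only when every layer agrees; a missing limit value in the request, an expired until date, a changed status or an unmet prerequisite each deny it independently.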