S3 Authorization Framework “Managing Access in Student Information System at Carnegie Mellon University” Parviz Dousti IT Consulting Engineer Computing Service Carnegie Mellon University Oct. 1 st 2012

Posted on 22-Feb-2016


TRANSCRIPT

Page 1: Parviz Dousti IT Consulting Engineer Computing Service Carnegie  Mellon University

S3 Authorization Framework
"Managing Access in Student Information System at Carnegie Mellon University"

Parviz Dousti
IT Consulting Engineer, Computing Service
Carnegie Mellon University
Oct. 1st 2012

Page 2: Background

Student Services Suite (S3)
- A Brownfield development of SIS
- Completely new Authorization

Had a Discovery Project to answer:
- Have a Central Authorization System?
- Use an Open Source Solution?
- Buy a Product?
- Write our own?

Page 3: Requirements

- Modularized: Complete Independence from the Application
- Configurable: i.e. not hard-coded
- Flexible and Powerful: Capable of Handling Complex User Stories in SIS
  - Time based authorizations, e.g. add/drop period
  - Quantity/Amount based authorization, e.g. refunding
  - Relation based authorization, e.g. Department Admins' Access to Students of a Certain Program; Advisor – Advisee relation; Original Creator of a Memo

Page 4: Framework Design Goals

- Powerful (RBAC, ABAC, filtering)
- Encapsulated, isolated
- Reusable
- Simple
- Scalable, fast

Page 5: High Level Architecture

(architecture diagram; not captured in the transcript)

Page 6: Authorization Vocabulary

Permission: User/Group can do Action on a Resource [based on Qualifier(s)]

Example: AcademicAdmins can Update /cmu/s3/admin/course_grades [if course belongs to their department]

Page 7: Entities (Abstract)

(entity diagram) Qualifier, User, Group, Permission, Resource, Action

Page 8: Entities (Implemented)

(entity diagram, with counts in the S3 deployment)
- Qualifier (33)
- Qualifier Values
- User
- Group (61)
- Permission
- Resource:Action (199)

Page 9: S3 Authz Building blocks

Developer: Resource, Qualifier

Business Owner: Users, Groups, Qualifier Values, Permissions

Page 10: Resources

- Identifier of any "thing" to be protected
- Adheres to standard form:

    <cmu namespace>:<system>:<resource type>:<resource>=<action>

For example:

    urn:mace:cmu:edu:andrew:s3:admin:screen:students:grades=view
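A strict parser for the standard resource form above, written as an added example rather than S3 project code. It assumes the namespace is the fixed prefix urn:mace:cmu:edu:andrew taken from the slide's sample and that the resource segment may itself contain further colons, so the sample splits as system s3, resource type admin, resource screen:students:grades, action view; both are assumptions, since the slide does not say where the namespace ends. Rejecting malformed identifiers up front matters because a mistyped resource tag would otherwise never match any permission and silently deny, or, worse, be tagged onto the wrong permission.

```java
import java.util.Objects;

// Added example, not S3 project code: parse and validate an identifier of the form
//   <cmu namespace>:<system>:<resource type>:<resource>=<action>
// Assumptions: fixed namespace prefix "urn:mace:cmu:edu:andrew" (from the slide's sample);
// the resource part may contain ':' segments; the action is a single token.
public final class ResourceId {
    public static final String NAMESPACE = "urn:mace:cmu:edu:andrew";

    public final String system;
    public final String resourceType;
    public final String resource;
    public final String action;

    private ResourceId(String system, String resourceType, String resource, String action) {
        this.system = system;
        this.resourceType = resourceType;
        this.resource = resource;
        this.action = action;
    }

    // Fail loudly on anything that does not match the standard form.
    public static ResourceId parse(String id) {
        Objects.requireNonNull(id, "resource id");
        int eq = id.indexOf('=');
        if (eq < 0 || eq != id.lastIndexOf('=')) {
            throw new IllegalArgumentException("expected exactly one '=' before the action: " + id);
        }
        String thing = id.substring(0, eq);
        String action = id.substring(eq + 1);
        if (action.isEmpty() || action.contains(":")) {
            throw new IllegalArgumentException("action must be a single non-empty token: " + id);
        }
        String prefix = NAMESPACE + ":";
        if (!thing.startsWith(prefix)) {
            throw new IllegalArgumentException("not in the " + NAMESPACE + " namespace: " + id);
        }
        // <system>:<resource type>:<resource>; the limit keeps any further ':' inside the resource.
        String[] parts = thing.substring(prefix.length()).split(":", 3);
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected <system>:<resource type>:<resource>: " + id);
        }
        for (String part : parts) {
            if (part.isEmpty()) {
                throw new IllegalArgumentException("empty segment in: " + id);
            }
        }
        return new ResourceId(parts[0], parts[1], parts[2], action);
    }

    // Canonical identifier; parse(x.toString()) yields an equal split.
    @Override
    public String toString() {
        return NAMESPACE + ":" + system + ":" + resourceType + ":" + resource + "=" + action;
    }

    public static void main(String[] args) {
        ResourceId ok = ResourceId.parse("urn:mace:cmu:edu:andrew:s3:admin:screen:students:grades=view");
        System.out.println(ok.system + " | " + ok.resourceType + " | " + ok.resource + " | " + ok.action);

        // Constructed malformed identifiers; each one is rejected by parse().
        String[] bad = {
            "urn:mace:cmu:edu:andrew:s3:admin:screen:students:grades", // no '=' and no action
            "urn:mace:cmu:edu:andrew:s3:admin=view",                   // too few segments
            "urn:mace:other:s3:admin:screen=view"                      // wrong namespace
        };
        for (String id : bad) {
            try {
                ResourceId.parse(id);
                System.out.println("unexpectedly accepted: " + id);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The validator is deliberately strict about the single action token and the non-empty segments: in a framework where developers "tag" resources by hand, catching a malformed tag when the permission table is loaded is far cheaper than debugging a silent deny later.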

Page 11: More on Qualifiers

- Fixed Attribute and custom Qualifiers
- May use user's inherited attributes or affiliations
- May use existing authorization tables in SIS
- Can be combined in a Boolean expression
- Not all are meaningful for a permission

Page 12: Custom Qualifiers

Implemented as simple Java classes:

    public class IsEnrolled implements Qualifier {
        public boolean isSatisfied(String userId, Map<String, Object> ctx) {
            // "dao" is the SIS data-access object the qualifier is assumed to have;
            // the context value is an Object, so it is cast to the String student id.
            return dao.isEnrolled((String) ctx.get("studentId"));
        }
    }

Page 13: Fixed-Attribute Qualifiers

    public class StudentDeptAR implements AttributeRetriever {
        public AttributeSet fetchAttributes(Map<String, Object> ctx) {
            // Look up the student named in the context and expose their department
            // as attribute 1, which a permission can then compare against the user.
            Student student = dao.fetchStudent((String) ctx.get("studentId"));
            AttributeSet as = new AttributeSet();
            as.setAttribute1(student.getDepartment());
            return as;
        }
    }

Page 14: API

    // API
    public interface AuthorizationEngine {
        boolean isAuthorized(String userId, String resource, Map<String, Object> context);
    }

    // Example call
    context.put("studentId", "northrop");
    authzEngine.isAuthorized("dl2b", "screen:student:grades=view", context);
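The following is an added example, not S3 code, tying the vocabulary, qualifier and API slides together in one runnable class: a permission says "Group can do Resource=Action if all Qualifiers hold", and the engine answers isAuthorized(userId, resource, context) by default-deny. Assumptions: qualifiers on one permission are combined with AND (the slides only say they can be combined in a Boolean expression); the in-memory maps stand in for the SIS DAO; the ids "dl2b" and "northrop" come from the API slide, the user "alice", the departments and the group membership are constructed.

```java
import java.util.*;

// Added example, not S3 project code: a minimal in-memory AuthorizationEngine.
// Assumption: a permission's qualifiers are ANDed; missing group, permission or
// qualifier result means deny.
public class AuthzDemo {

    // Qualifier shape from the "Custom Qualifiers" slide.
    public interface Qualifier {
        boolean isSatisfied(String userId, Map<String, Object> ctx);
    }

    // API shape from the "API" slide.
    public interface AuthorizationEngine {
        boolean isAuthorized(String userId, String resource, Map<String, Object> context);
    }

    // Group can do resource=action, guarded by zero or more qualifiers.
    public static final class Permission {
        final String group;
        final String resource;
        final List<Qualifier> qualifiers;
        Permission(String group, String resource, Qualifier... qualifiers) {
            this.group = group;
            this.resource = resource;
            this.qualifiers = Arrays.asList(qualifiers);
        }
    }

    // Constructed sample data standing in for the SIS tables.
    static final Map<String, Set<String>> GROUPS = new HashMap<>();
    static final Map<String, String> USER_DEPT = new HashMap<>();    // userId -> department
    static final Map<String, String> STUDENT_DEPT = new HashMap<>(); // studentId -> department
    static final Set<String> ENROLLED = new HashSet<>();
    static {
        GROUPS.put("AcademicAdmins", new HashSet<>(Arrays.asList("dl2b")));
        USER_DEPT.put("dl2b", "CS");
        STUDENT_DEPT.put("northrop", "CS");  // id from the API slide; department constructed
        STUDENT_DEPT.put("alice", "ECE");    // constructed
        ENROLLED.add("northrop");
        ENROLLED.add("alice");
    }

    // Custom qualifier: the student in the context is enrolled.
    static final Qualifier IS_ENROLLED =
        (userId, ctx) -> ENROLLED.contains(ctx.get("studentId"));

    // Attribute qualifier: the student's department equals the caller's department
    // (the "if course belongs to their department" idea from the vocabulary slide).
    static final Qualifier SAME_DEPARTMENT = (userId, ctx) -> {
        String dept = STUDENT_DEPT.get(ctx.get("studentId"));
        return dept != null && dept.equals(USER_DEPT.get(userId));
    };

    public static final class SimpleEngine implements AuthorizationEngine {
        private final List<Permission> permissions;
        SimpleEngine(List<Permission> permissions) { this.permissions = permissions; }

        @Override
        public boolean isAuthorized(String userId, String resource, Map<String, Object> context) {
            if (userId == null || resource == null) return false; // deny by default
            Map<String, Object> ctx = context == null ? Collections.<String, Object>emptyMap() : context;
            for (Permission p : permissions) {
                if (!p.resource.equals(resource)) continue;
                Set<String> members = GROUPS.get(p.group);
                if (members == null || !members.contains(userId)) continue;
                boolean allHold = true;
                for (Qualifier q : p.qualifiers) {
                    if (!q.isSatisfied(userId, ctx)) { allHold = false; break; }
                }
                if (allHold) return true; // first fully satisfied permission grants
            }
            return false;
        }
    }

    public static AuthorizationEngine engine() {
        return new SimpleEngine(Arrays.asList(
            new Permission("AcademicAdmins", "screen:student:grades=view", SAME_DEPARTMENT, IS_ENROLLED)));
    }

    public static void main(String[] args) {
        AuthorizationEngine authzEngine = engine();
        Map<String, Object> context = new HashMap<>();
        context.put("studentId", "northrop");
        System.out.println(authzEngine.isAuthorized("dl2b", "screen:student:grades=view", context));
        context.put("studentId", "alice"); // alice is in ECE, not the caller's department
        System.out.println(authzEngine.isAuthorized("dl2b", "screen:student:grades=view", context));
        System.out.println(authzEngine.isAuthorized("dl2b", "screen:student:grades=update", context)); // no such permission
        context.put("studentId", "northrop");
        System.out.println(authzEngine.isAuthorized("nobody", "screen:student:grades=view", context)); // not in any group
    }
}
```

The four calls in main exercise the three ways a request is denied (qualifier fails, no permission tagged for that resource=action, caller not in the group) and the one way it is granted; note that the application never sees the qualifier logic, which is what the "encapsulated, isolated" goal on the next slide refers to.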

Page 15: Evaluating Design Goals

- Powerful (RBAC, ABAC, filtering): Yes! groups + qualifiers
- Encapsulated, isolated: Yes! authz engine + resource + custom qualifiers
- Reusable: Yes! qualifiers applied to any resource
- Simple: Yes! must only "tag" resources + write qualifiers
- Scalable, fast: Yes! optimizations for caching and aggregating calls

Page 16: Some UI Screenshots

Page 17: Authorization Console

Pages 18–22: (UI screenshots only; no text in the transcript)
Page 23: Thanks To:

Darleen LaBarbera - VP for Campus Affairs, Carnegie Mellon University

Ben Northrop - Distinguished Technical Consultant, Summa

Page 24: Questions?