Office of Information Technology, UCSB: ITPG 2001 Proposals
Authorization Software Package

Project: Authorization Software Package Acquisition

Sponsor:  ITPG Authentication/Directory Group and IS&C

Summary

As the number of different computer services used by faculty, staff and students grows, the number of computer ID/password combinations that an individual must remember and the number of computer systems that must be changed when an individual’s status changes grow accordingly. Changes to the population of people affiliated with UCSB as well as to such data items as email address, password and access privileges occur with such frequency that providing timely, accurate data to other people and to computer services becomes a difficult, time-consuming and redundant task. To address these issues institutions including UCSB have implemented electronic directories of the people associated with the enterprise. The recently implemented UCSB Directory provides a single, network-accessible place to find accurate data regarding the population affiliated with UCSB. This document proposes to extend the capabilities of the existing UCSB Directory by adding an “authorization” software package. Such a package would provide the infrastructure necessary to assure that (only) appropriately authorized individuals can easily access the many emerging computer services at UCSB.

Support for Academic Mission

In addition to serving as a “white pages” directory which may be searched and viewed by people using network browsers, the UCSB Directory also supports basic eligibility services for campus computer services, authenticating their users based on ID/password combinations. At the moment, invoking this service requires modifications to each web service to make it request authentication via the UCSB Directory. With the addition of the proposed authorization software, invoking authentication via the Directory could be made automatic for all services running on a particular web server just by setting system configuration parameters. Thus, programmers all over campus would be freed from having to implement code to check passwords and digital credentials when they implement new services.

Furthermore, computer services generally need to know more about people who are accessing them than the fact that the people know their passwords or that they have presented valid “digital credentials” such as PKI certificates. Computer services need to have access to “attributes” describing their users to know which, if any, programmed features specific users qualify to use. For example, knowing that I know my password doesn’t tell a program what role I play at UCSB and whether I should be allowed to order goods, spend money or approve transactions. These privileges might be assigned to me as a result of my holding a particular position at UCSB or they might be delegated by someone else with the appropriate authority.

The data elements associated with UC digital credentials must be stored in a suitable “attribute server” that provides reliable information about each person’s affiliations, roles, and responsibilities. Attribute servers provide a standard method for internal and external applications to request additional information about UC credential holders while assuring that private and confidential information about individuals is not released inappropriately. A robust authorization service supported by highly reliable digital credentials will simplify management of access to computer services, minimize the overhead users face in gaining access and reduce the number of different means of authentication supported throughout the University today.

Creating and maintaining an attribute server to store roles and status of individuals with access to computer services at UCSB is a complicated task. The system must store a hierarchy of individuals with privileges deriving from their role or place in the hierarchy. It must also allow individuals to be assigned dozens of roles and privileges by dozens of different authorizing authorities. It must track delegations and re-delegations and allow departments and individuals to control access to the computer resources for which they hold responsibility. In general, UC digital credentials and related attribute servers must be sufficiently trustworthy so they can be used to validate transactions with external partners such as government agencies, vendors and contractors, and other research and education institutions.

Fortunately, several available software products provide these features and most use an LDAP server such as the one implemented at UCSB to store attribute data. These products typically support Single Sign On and automatic reference to digital credentials as inherent features. Organizational hierarchy software is also a by-product of the delegated authorization scheme in at least one of the products we have reviewed. This proposal is for the acquisition of one of these products.
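The attribute-server requirements above (positional roles, privileges assigned by many authorities, delegation and re-delegation, and release of attributes only to applications entitled to see them) are easier to reason about with a concrete model. The following Python is an added illustration written for this page; it is not code from the proposal or from any of the products it refers to. All names (`AttributeServer`, `Grant`, the `purchasing:approve` privilege, the sample people and the `purchasing_web` application) are hypothetical, and the attribute data is constructed. The design point it demonstrates is that a delegated grant is only valid while its grantor still validly holds the privilege as delegable, so revoking one link invalidates every re-delegation below it without a separate cascade, and delegation cycles cannot manufacture authority.

```python
from dataclasses import dataclass

ROOT = "ROOT"  # institutional authority behind positional (role-based) grants


@dataclass(frozen=True)
class Grant:
    subject: str      # person receiving the privilege
    privilege: str    # e.g. "purchasing:approve" (hypothetical name)
    grantor: str      # ROOT, or the person who delegated it
    delegable: bool   # whether the subject may delegate it further


class AttributeServer:
    """Hypothetical attribute/authorization store; not a real product's API."""

    def __init__(self):
        self.people = {}          # uid -> attribute dict (constructed sample data)
        self.grants = set()
        self.release_policy = {}  # application name -> attributes it may read

    def add_person(self, uid, **attrs):
        self.people[uid] = dict(attrs)

    def assign(self, subject, privilege, delegable=False):
        """Positional grant made by the institution (root authority)."""
        self.grants.add(Grant(subject, privilege, ROOT, delegable))

    def delegate(self, grantor, subject, privilege, delegable=False):
        """A person may delegate only a privilege they validly hold as delegable."""
        if not self._holds(grantor, privilege, True, frozenset()):
            raise PermissionError(f"{grantor} cannot delegate {privilege}")
        self.grants.add(Grant(subject, privilege, grantor, delegable))

    def revoke(self, grantor, subject, privilege):
        """Remove one grant; anything re-delegated from it stops validating."""
        self.grants = {g for g in self.grants
                       if not (g.grantor == grantor and g.subject == subject
                               and g.privilege == privilege)}

    def _holds(self, uid, privilege, need_delegable, seen):
        if uid in seen:           # break delegation cycles (A->B->A)
            return False
        seen = seen | {uid}
        for g in self.grants:
            if g.subject != uid or g.privilege != privilege:
                continue
            if need_delegable and not g.delegable:
                continue
            if g.grantor == ROOT:
                return True
            # a delegated grant is only as good as the grantor's own delegable grant
            if self._holds(g.grantor, privilege, True, seen):
                return True
        return False

    def is_authorized(self, uid, privilege):
        """What a web service asks: may this known person use this feature?"""
        return uid in self.people and self._holds(uid, privilege, False, frozenset())

    def register_app(self, app, readable):
        self.release_policy[app] = set(readable)

    def attributes_for(self, app, uid):
        """Release only the attributes the requesting application is entitled to."""
        allowed = self.release_policy.get(app, set())
        return {k: v for k, v in self.people.get(uid, {}).items() if k in allowed}


def demo():
    """Constructed scenario: chair -> staff -> student delegation, then revocation."""
    srv = AttributeServer()
    srv.add_person("alice", role="department_chair", home_phone="555-0100")
    srv.add_person("bob", role="staff", home_phone="555-0101")
    srv.add_person("carol", role="student", home_phone="555-0102")
    srv.assign("alice", "purchasing:approve", delegable=True)
    srv.delegate("alice", "bob", "purchasing:approve", delegable=True)
    srv.delegate("bob", "carol", "purchasing:approve")
    before = srv.is_authorized("carol", "purchasing:approve")   # True via alice->bob->carol
    srv.revoke("alice", "bob", "purchasing:approve")
    after = srv.is_authorized("carol", "purchasing:approve")    # False: chain is broken
    srv.register_app("purchasing_web", ["role"])                # home_phone is never released
    released = srv.attributes_for("purchasing_web", "alice")
    return before, after, released


if __name__ == "__main__":
    print(demo())
```

Validity is computed at check time rather than by cascading deletes, which keeps revocation a single operation and makes an audit of "why is this person authorized" a walk up the grant chain to a positional grant.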

Funding Source

Unknown.

Costs

Approximately $80,000 one time plus $12,000 per year in license charges.

Matching Opportunities

If IS&C succeeds in obtaining funding for ongoing staff support of the existing UCSB Directory (as requested in a higher priority companion proposal), staff resources currently supporting the directory can be reassigned to the implementation of the authorization service. IS&C will also provide a suitable hardware platform with appropriate operational support.

Staff Support Required

None beyond that requested in the companion proposal for one FTE to support the UCSB Directory.

Existing Resources to Be Used

The existing UCSB Directory hardware, software and licenses.

Project Timeline

Two to three months to compose, release and evaluate a Request for Quote and another two to three months for initial implementation of role-based authorization and Single Sign On. The additional possibilities inherent in a software package of this complexity (e.g., support for the organizational hierarchy or for a campus portal) will take longer to realize.

Life Cycle of Result

The authorization service supported by the proposed acquisition is likely to be an integral part of the IT infrastructure at UCSB for the foreseeable future. The future of the individual product will depend on the evolution of the technology and the products available to support authentication and authorization functions.

Copyright © 2003-2024 The Regents of the University of California, All Rights Reserved
Last modified: 10/19/2007