From LDAP to IdM - presentation at the Athens Eurocamp 2008 by Roland Hedberg <roland.hedberg@adm.umu.se>
The transition - starting point: admin interface, LDAP, scripts.
The transition - toward nirvana: admin interface, LDAP, scripts. Transition: admin interface, LDAP, SIS, IdM, AD, HR.
The basic model (diagram): R, L, S, Db.
What's IdM? "Identity management is the management of the identity life cycle of entities." Establish, describe, destroy.
Where the big challenge is! Establish, describe, destroy.
Francis Bacon (1561-1626): knowledge of the essence of things, the way things really are. Idols of the mind: idol of the tribe (human nature), idol of the cave (hobby horse, prejudice), idol of the market place (social interaction, language), idols of the theater (learned).
Ontology: ontology deals with questions concerning what entities exist or can be said to exist, and how such entities can be grouped, related within a hierarchy, and subdivided according to similarities and differences.
Data models: LDAP; ontology language (OWL).
LDAP: object class = set of must/may attributes; attribute = value, type, cardinality (<=1 or >=0), size; object relationship = DIT, seeAlso, alias, ...
LDAP limitations: simple inheritance; you cannot have objects as values; no value sets; no meta-information.
OWL (Web Ontology Language): object classes = set of properties, property restrictions; properties = domain / range; multiple inheritance; version control; ontology meta-information.
Our present model: basic objects (person, collection, unit, user, course, ...); relation objects (employee, student, partOf, belongsTo, ...).
The information: who owns it? Responsibility, accountability, stability. What does it mean? Special / universal. Usage uncoupled from definition.
Leads up to: information services, service definitions.
Business rules. Examples: life cycles, source priorities, value construction algorithms, object matching/reconciliation, harmonization. Features: declarative, atomic, distinct, independent.
Repositories: identifiers (any identifier an object has ever had); state (the complete state of an object); messages (all messages ever seen by the system).
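The source-priority, value-construction and object-matching rules from the business-rules slide, together with the identifier repository ("any identifier an object has ever had"), as an added Python example that is not from the presentation; the sources (HR, SIS), the attributes and the records are constructed assumptions, not the Umeå model.

```python
from dataclasses import dataclass, field

# Constructed source-priority rule: per attribute, the earlier source wins
# when several sources supply a value.
PRIORITY = {
    "givenName": ["HR", "SIS"],
    "sn": ["HR", "SIS"],
    "mail": ["HR", "SIS"],
    "affiliation": ["SIS", "HR"],
}

@dataclass
class Identity:
    # Identifier repository: every identifier the object has ever had.
    identifiers: set = field(default_factory=set)
    # Raw state kept per source, so the rules stay declarative and independent.
    sources: dict = field(default_factory=dict)

    def view(self):
        """Value construction: resolve each attribute by source priority."""
        out = {}
        for attr, order in PRIORITY.items():
            for src in order:
                if attr in self.sources.get(src, {}):
                    out[attr] = self.sources[src][attr]
                    break
        return out

def reconcile(identities, source, record):
    """Object matching: a record joins the identity that shares any identifier
    it has ever carried; otherwise a new identity is established."""
    ids = set(record["ids"])
    ident = next((i for i in identities if i.identifiers & ids), None)
    if ident is None:
        ident = Identity()
        identities.append(ident)
    ident.identifiers |= ids  # identifiers are never forgotten
    ident.sources[source] = {k: v for k, v in record.items() if k != "ids"}
    return ident

def demo():
    """Constructed message sequence from two sources."""
    ids = []
    reconcile(ids, "HR", {"ids": {"emp:1001"}, "givenName": "Anna", "sn": "Svensson", "mail": "anna@example.org"})
    # SIS knows both a student id and the employee id, so it matches the HR identity.
    reconcile(ids, "SIS", {"ids": {"stu:77", "emp:1001"}, "givenName": "Anna", "sn": "Svensson-Lind", "affiliation": "student"})
    # A later SIS message carries only the student id; it still matches because stu:77 was seen before.
    reconcile(ids, "SIS", {"ids": {"stu:77"}, "givenName": "Anna", "sn": "Svensson-Lind", "affiliation": "alumni"})
    reconcile(ids, "HR", {"ids": {"emp:3003"}, "givenName": "Bo", "sn": "Berg"})
    return ids
```

Running demo() yields two identities; the first keeps both emp:1001 and stu:77 and resolves sn from HR but affiliation from SIS.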
Views: different applications - different needs. There are so many ways of doing things that we cannot mandate one. LDAP/AD, WS, provisioning; transformation between data models.
Information security: confidentiality (ensuring that information is accessible only to those authorised to have access); integrity (data cannot be modified without authorisation); availability (the information must be available when it is needed); correctness/coherence.
That's it! Questions?