Access Management and Provisioning Technology

2 minute read

× This article was imported from this blog's previous content management system (WordPress), and may have errors in formatting and functionality. If you find these errors are a significant barrier to understanding the article, please let me know.

Building on the shoulders of others -- isn't that how that quote goes? There has been a stack of printouts on my desk for a while now for various access management and service provisioning technologies. Rather than keep the paper, I'm putting the list here so I know how to get back to them if/when I need to. (Of course, along the way if you'd like to comment on them or suggest others to look at, please feel free to do so in the comments.) Note, too, that by listing them here I'm not proposing, or even sure if, all of these pieces come together to a coherent structure.

Grouper --- Internet2 Middleware

"Grouper is an open source toolkit for managing groups. It is designed to function as the core element of a common infrastructure for managing group information across integrated applications and repositories. Grouper combines multiple sources of group information, both automated and manual, in managing memberships and other group information in a Group Registry, a central information asset complementary to a site's Person Registry. Grouper manages two primary types of objects: groups and namespaces. Groups are created and named within a namespace. Group management authority can be limited "

Now at version 0.9, Grouper is part of a suite of tools from the NSF Middleware Initiative (NMI) that supports "development, testing, and dissemination of architectures, software, and practices in the areas of identity and access management."

Signet - Internet2 Middleware

"Core middleware services such as identity management, directory, and authentication provide a foundation for secure, manageable applications throughout an institution. Even with this foundation, as systems and applications proliferate it becomes more and more difficult to manage user access consistently and cost-effectively. [The Signet] privilege management service is a relatively new component of campus middleware that addresses this problem by providing centralized management of user privileges across a range of applications. The benefits of this service include: a standard user interface for privilege administrators; consistent, simplified policy definition, via roles and integration with core campus organizational data; improved visibility, understandability, and auditability of privilege information; and standard interfaces to other infrastructure services and to application systems to support integration."

Now at version 1.01, released 29-Mar-2006. Could this kind of provisioning service be used to generate XACML files to drive FEDORA?

OASIS eXtensible Access Control Markup Language (XACML)

"XACML is expected to address fine grained control of authorized activities, the effect of characteristics of the access requestor, the protocol over which the request is made, authorization based on classes of activities, and content introspection (i.e. authorization based on both the requestor and potentially attribute values within the target where the values of the attributes may not be known to the policy writer). XACML is also expected to suggest a policy authorization model to guide implementers of the authorization mechanism."

Sun's XACML Implementation (available at Sourceforge) is the access management engine embedded into the FEDORA repository.

Acegi Security System for Spring

"Acegi Security is a powerful, flexible security solution for enterprise software, with a particular emphasis on applications that use Spring. Using Acegi Security provides your applications with comprehensive authentication, authorization, instance-based access control, channel security and human user detection capabilities."

Release 1.0.0 came out in May 2006 after nearly two years of development.