Managing User Access: How to Manage the Herd August 8, 2018 UCCSC - - PowerPoint PPT Presentation




SLIDE 1

Information Technology Services

Managing User Access: How to Manage the Herd

August 8, 2018 – UCCSC 2018 – UC Davis
Jeffrey Crawford – UCLA – IDM Solutions Architect
Warren Leung – UCLA – IDM Program Manager

SLIDE 2

What challenges do you face when managing access for your users?

SLIDE 3

The Challenges


  • Takes too long
  • Repetitive
  • Unsure of what access users need or have
  • Removing access?

SLIDE 4

Why is Identity no longer enough?

SLIDE 5

Problems

  • Access based on account status
  • Modify access on account change
  • Access under departmental control
  • Audit access across the enterprise
  • Maintain access sanity
  • Exception cases


SLIDE 6

Internet2 Grouper

SLIDE 7

What is Grouper


  • Distributed enterprise access management system
  • Trust and Identity in Education and Research (TIER) Initiative
  • NIST 800-162 – Attribute Based Access Control (ABAC)

SLIDE 8

Key Grouper Features


  • Auditing
  • Delegation
  • Group Math
  • Grouper Rules (Triggers)
  • Web Service
  • Attestation
  • Time-based Management

SLIDE 9

Examples: Data Center VPN Access


SLIDE 10

Delegation


  • Departments know their access best
  • IAM doesn’t need to know the details
  • Access granting/removal is tracked
  • Departments can use reference groups
  • Based off the Grouper Deployment Guide

SLIDE 11

Grouper at UCLA

SLIDE 12

Distributed Administrative Computing Security System (DACSS) at UCLA

  • Legacy system
  • Delegated administration
  • Fine-grained access control
  • How do we transition to Grouper?


SLIDE 13

UCLA Grouper Use Cases

  • Multi-factor Authentication
  • MyUCLA (Student Portal)
  • BruinCard (Door Access Management)
  • AWS Management


SLIDE 14

UCLA Proposed Grouper Architecture


SLIDE 15

Grouper at UCSC

SLIDE 16

UCSC Grouper Architecture


SLIDE 17

UCSC Grouper Use Cases

  • VPN Access
  • CruzID Manager (Access Control)
  • Public Groups
  • Campus Group Access


SLIDE 18

Best Practices for Deployment

  • Note the lack of structural differences
  • Use TIER as a starting point
  • Talk to your developers and functional teams to understand their application

  • Talk to Security about sensitivity of groups


SLIDE 19

Resources

  • Grouper: https://www.internet2.edu/products-services/trust-identity/grouper/
  • IAMUCLA: https://www.it.ucla.edu/iamucla
  • TIER Grouper Deployment: https://spaces.at.internet2.edu/x/mgAZBg
  • Contacts: jcrawford@it.ucla.edu, wleung@it.ucla.edu
