VT People Registry Schema - PowerPoint PPT Presentation

Slides: 23
Provided by: chadl5
Transcript and Presenter's Notes

1
VT People Registry Schema
2
Goals
  • Central management of people's ids
  • Central and extensible authentication
  • Flexible authorization
  • Increased security of users' data

3
Pieces of the Puzzle
  • Person
    • Stores university-wide information used to define a person.
  • Group
    • Represents a collection of people.
  • Service
    • Represents an external system using the directory for information.

4
Person Components
  • UUPID
    • Universally Unique Personal Identifier
    • 16 characters long
    • Case insensitive
    • Can contain a-z 0-9 _ .
    • Must start with a letter (a-z)
    • UUPID@vt.edu is not required to be a valid email address

5
Person Components
  • Alternate Ids
    • List other systems the user has access to and their Ids on those systems.
  • Demographic Information
    • Demographic information for a person, such as home address, pager number and email address.
  • Suppressed Attributes
    • List of information the user has suppressed.

6
Person Components
  • Creation Date
    • The date the person was added to the directory.
  • Expiration Date
    • The date a person's account expires. (The directory does not delete the account; this is the job of the application that created it.)
  • Public Key
    • A user's public key(s)

7
Group Components
  • UUGID
    • Universally Unique Group Identifier
    • Two namespaces
      • IRM controlled
        • Official VT groups (clubs, classes, etc.)
        • No prefix
        • IRM assures uniqueness
      • User controlled groups
        • Any group a user wants
        • Prefixed with the user's UUPID
        • User assures uniqueness
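The UUPID rules on slide 4 and the two UUGID namespaces on slide 7 are simple enough to enforce in code, and doing so makes the uniqueness responsibilities concrete. The following is an added example, not code from the presentation or from VT's registry. It assumes that "16 characters long" means a maximum of 16 (the contact address clajoie@vt.edu on the resources slide implies shorter UUPIDs exist), that a user-controlled UUGID is written as the owning UUPID, a "." separator and a group name (the separator is not specified on the slides), and that the registry's set of existing UUPIDs is available for lookup; the sample registry and admin set are constructed.

```python
from __future__ import annotations

import re

# Added example (not from the slides): UUPID validation and classification of
# UUGIDs into the IRM-controlled and user-controlled namespaces.
# Assumption: "16 characters long" is read as a maximum length.
UUPID_MAX_LEN = 16
# Assumption: a user-controlled UUGID is "<uupid>.<groupname>"; the "." separator
# is not specified on the slides.
UUGID_SEP = "."

# Must start with a letter a-z; the rest may be a-z, 0-9, "_" or "."
_UUPID_RE = re.compile(r"[a-z][a-z0-9_.]*")


def normalize_uupid(raw: str) -> str:
    """UUPIDs are case-insensitive: canonicalize to lowercase before storing or comparing."""
    return raw.strip().lower()


def is_valid_uupid(raw: str) -> bool:
    """True when the identifier satisfies every rule on the UUPID slide."""
    uupid = normalize_uupid(raw)
    if not 0 < len(uupid) <= UUPID_MAX_LEN:
        return False
    return _UUPID_RE.fullmatch(uupid) is not None


def uugid_namespace(uugid: str, registry: set[str]) -> tuple[str, str | None]:
    """Return (namespace, owner) for a group identifier.

    A UUGID is user-controlled only when its prefix is a UUPID that actually
    exists in the registry. Checking the registry rather than the syntax alone
    keeps an IRM group such as "cs.faculty" from being mistaken for a user
    group just because "cs" looks like a valid UUPID.
    """
    uugid = uugid.strip().lower()
    prefix, sep, name = uugid.partition(UUGID_SEP)
    if sep and name and prefix in registry:
        return "user", prefix
    return "irm", None


def may_create_group(actor: str, uugid: str, registry: set[str], irm_admins: set[str]) -> bool:
    """Who assures uniqueness in each namespace: the owning user for prefixed
    groups, IRM for no-prefix groups. Anyone else is refused."""
    actor = normalize_uupid(actor)
    namespace, owner = uugid_namespace(uugid, registry)
    if namespace == "user":
        return actor == owner
    return actor in irm_admins


# Constructed sample registry and IRM admin set for the demonstration below.
SAMPLE_REGISTRY = {"clajoie", "jdoe"}
SAMPLE_IRM_ADMINS = {"jdoe"}

if __name__ == "__main__":
    for candidate in ("clajoie", "ClaJoie", "1abc", "ab-c", "a" * 17):
        print(f"{candidate!r:22} valid={is_valid_uupid(candidate)}")
    for uugid in ("clajoie.chessclub", "cs.faculty", "hokies"):
        print(f"{uugid:22} namespace={uugid_namespace(uugid, SAMPLE_REGISTRY)}")
```

The registry lookup in `uugid_namespace` is the important design choice: a purely syntactic check would let a user claim any IRM group whose first label happens to be a well-formed UUPID, so the ownership decision has to be anchored in the set of UUPIDs the directory actually holds.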

8
Group Components
  • Display Name
    • Human-readable name of the group, which is not guaranteed to be unique.
  • Contact Information
    • Information for contacting the group; may include address, email, phone number, etc.
  • Administrators
    • A list of people who administer the group

9
Group Components
  • Creation Date
    • Date the group was created
  • Expiration Date
    • Date the group expires. (The directory does not delete the group; the date is simply for application use.)
  • Members
    • A list of the people within a group.

10
Service Components
  • UUSID
    • Universally Unique Service Identifier
  • Service Certificate
    • Used to authenticate a service
  • Administrators
    • The person(s) responsible for the service
  • Creation Date
    • Date the service was added to the directory

11
Service Components
  • Expiration Date
    • Date the service expires. (The directory does not delete the service; the date is for application use only.)
  • Members
    • A list of people authorized to use the service.
  • Generic Service Data
    • Free-for-all field for the service to store data in

12
Service Components
  • Service Type
    • Can be:
      • Public: May release information to the public.
      • Personalized: May release the information of the user currently authenticated by the service.
      • Private: Information is never viewed by anything but the service.
  • View Access Control
    • List of person attributes a service may view.
  • Write Access Control
    • List of person attributes a service may write to.

13
Goals
  • Central management of people's ids
  • Central and extensible authentication
  • Flexible authorization
  • Increased security of users' data

14
Id Management
  • The Person concept can represent any person affiliated with VT. Some examples:
    • Students, Faculty/Staff, Alumni
    • Vendors, e-customers, distance learners
    • Visiting Scholars, Extension Office Personnel
  • Alternate Ids can be used for
    • Migration from the old to the new system
    • Single sign-on applications
    • Quick removal of Ids for people no longer associated with VT.

15
Extensible Authentication
  • SASL (Simple Authentication and Security Layer) provides many forms of authentication, such as
    • UUPID/Password
    • PKI Certificates (current IRM project)
    • Kerberos (Windows 2000/Active Directory)
  • SASL allows for in-house authentication modules.

16
Flexible Authorization
  • Service membership lists provide a quick yes/no authorization check for services.
  • Groups provide a robust and configurable authorization mechanism for applications.

17
Increased Data Security
  • Users can now suppress information on a per-attribute basis.
  • Attributes a user has suppressed are listed in their suppressed attribute list.
  • Non-service entities will never be able to see the value of these suppressed attributes.

18
Increased Data Security
  • Services have different views of a user's data depending on their service type.
  • Public services can view
    • Any non-suppressed attribute
  • Personalized services can view
    • Any non-suppressed attribute
    • Any suppressed attribute in its view access control list, for the authenticated user only.

19
Increased Data Security
  • Private services can view
    • Any non-suppressed attribute
    • Any attribute in its view access control list, for any user.

20
Increased Data Security
  • Extracts and Real Time Updates
    • Can view only non-suppressed information
    • Receive a value of "suppressed" for information which is currently suppressed.
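Slides 12 and 18 through 20 together define a small access-control matrix: what a public, personalized or private service may see of a person's record given the person's suppressed attribute list and the service's view access control list, and what an extract receives instead. The code below is an added example, not code from the presentation or from VT's registry; the `Person` and `Service` classes, the attribute names, the service names and the sample record are all constructed for the demonstration, and the literal `"suppressed"` placeholder is the value the slide describes extracts receiving.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Added example (not from the slides): the per-service-type attribute views
# described on the "Increased Data Security" slides.

SUPPRESSED_MARKER = "suppressed"  # value handed to extracts in place of suppressed data
SERVICE_TYPES = {"public", "personalized", "private"}


@dataclass
class Person:
    uupid: str
    attributes: Dict[str, str]
    suppressed: Set[str] = field(default_factory=set)  # the suppressed attribute list


@dataclass
class Service:
    uusid: str
    service_type: str
    view_acl: Set[str] = field(default_factory=set)  # view access control list


def visible_attributes(person: Person, service: Service,
                       authenticated_uupid: Optional[str] = None) -> Dict[str, str]:
    """Return the attributes a service is allowed to see for this person.

    Every service sees non-suppressed attributes. A personalized service also
    sees suppressed attributes in its view ACL, but only for the user it has
    authenticated. A private service sees suppressed attributes in its view
    ACL for any user. Anything not covered stays hidden; an unknown service
    type is refused rather than guessed at.
    """
    if service.service_type not in SERVICE_TYPES:
        raise ValueError(f"unknown service type {service.service_type!r}")

    visible = {k: v for k, v in person.attributes.items() if k not in person.suppressed}

    if service.service_type == "public":
        return visible

    if service.service_type == "personalized":
        is_self = (authenticated_uupid is not None
                   and authenticated_uupid.lower() == person.uupid.lower())
        if not is_self:
            return visible  # another user's suppressed data is never released

    # Personalized service viewing its own authenticated user, or a private
    # service viewing anyone: release suppressed attributes that are in the ACL.
    for attr in person.suppressed & service.view_acl:
        if attr in person.attributes:
            visible[attr] = person.attributes[attr]
    return visible


def extract_view(person: Person) -> Dict[str, str]:
    """Extracts and real-time updates: suppressed attributes are replaced by a
    placeholder so the feed never carries the underlying value."""
    return {k: (SUPPRESSED_MARKER if k in person.suppressed else v)
            for k, v in person.attributes.items()}


# Constructed sample data.
SAMPLE_PERSON = Person(
    uupid="jdoe",
    attributes={"mail": "jdoe@example.edu", "homePostalAddress": "1 Main St", "pager": "555-0100"},
    suppressed={"homePostalAddress", "pager"},
)
PUBLIC_SVC = Service("campus-map", "public")
PORTAL_SVC = Service("portal", "personalized", view_acl={"homePostalAddress"})
PAYROLL_SVC = Service("payroll", "private", view_acl={"homePostalAddress"})

if __name__ == "__main__":
    print("public:", visible_attributes(SAMPLE_PERSON, PUBLIC_SVC))
    print("portal, jdoe logged in:", visible_attributes(SAMPLE_PERSON, PORTAL_SVC, "jdoe"))
    print("portal, asmith logged in:", visible_attributes(SAMPLE_PERSON, PORTAL_SVC, "asmith"))
    print("payroll:", visible_attributes(SAMPLE_PERSON, PAYROLL_SVC))
    print("extract:", extract_view(SAMPLE_PERSON))
```

Two details worth noticing: the payroll service, although private, still cannot see the pager number because the view ACL lists only the home address, so suppression plus ACL is an intersection rather than a blanket override; and the extract function never returns the suppressed value at all, only the marker, which is what lets batch consumers be fed without becoming a side channel around suppression.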

21
Things to remember
  • Services can no longer assume that inclusion in the directory implies any authorization information.
  • Services or users can no longer assume that a valid UUPID equates to a valid email address.
  • Services must now authenticate with certificates, which cannot be transferred to another service.

22
Resources
  • People Registry Information Site
    • http://www.middleware.vt.edu
  • Contact Info
    • Chad La Joie
    • clajoie@vt.edu