Access Management

This is the second of a two-part series introducing the Identity and Access Management (IAM) project at the University of Illinois.  Read part 1, Identity.  More information can be found on the IAM project website.

Authorization

You will recall from the first post on IAM that authentication deals with determining whether someone is who they claim to be.  Authorization is concerned with determining what resources a person can use after they have passed authentication.  The most common authorization method at the University of Illinois uses Active Directory.  An identity (remember, one person, one identity) is added to one or more Active Directory groups, and those groups, not individual people, are granted permissions for using resources or accessing services.

One common problem with authorization is that many services don’t use it.  There are a lot of applications on campus, especially websites, that require a Bluestem login to access them.  In some cases, after Bluestem passes the authentication (the website trusts that the user is who they claim to be), there are no authorization checks to ensure that the person should be able to access the page.  This is a legacy of old policy: when a person ended their affiliation with the University, their accounts were deactivated, so a working login was itself proof of current affiliation.  For services that are expected to be available to all University-affiliated people, there was never a need for a separate authorization check.

  • Authentication – Are you who you claim to be?
  • Authorization – Are you allowed to use this resource?
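The gap described above, an authentication-only page beside one that also authorizes against directory group membership, as an added example that is not code from the Library IT post, from Bluestem, or from Active Directory.  The directory entries, group names, resource paths and handler functions are all constructed for illustration; a real service would query Active Directory for group membership rather than a dictionary.

```python
"""Authentication-only vs. authentication-plus-authorization for a web page.

Added example, not code from the original post.  The identity store,
group names and resources below are constructed stand-ins.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed identity store: one identity per person, each a member of
# zero or more directory groups.  "active" models the old policy of
# deactivating accounts when an affiliation ends.
DIRECTORY = {
    "jdoe":      {"active": True,  "groups": {"library-staff", "library-it"}},
    "asmith":    {"active": True,  "groups": {"library-staff"}},
    "retiree":   {"active": True,  "groups": set()},   # identity for life, no current role
    "applicant": {"active": True,  "groups": set()},   # applied, never enrolled
    "oldstaff":  {"active": False, "groups": {"library-staff"}},  # deactivated
}

# Resource -> groups granted permission to use it (groups, not people).
RESOURCE_GROUPS = {
    "/staff/wiki": {"library-staff"},
    "/it/admin":   {"library-it"},
}


@dataclass
class Request:
    path: str
    user: Optional[str]   # None means no login was presented


def authenticate(user: Optional[str], password_ok: bool) -> Optional[str]:
    """Step 1: is this person who they claim to be?  Returns the identity or None."""
    if user is None or not password_ok:
        return None
    entry = DIRECTORY.get(user)
    if entry is None or not entry["active"]:
        return None
    return user


def handle_authn_only(req: Request, password_ok: bool = True) -> int:
    """The pattern the post warns about: any authenticated identity gets the page.

    This was only safe while deactivating departed users' accounts acted as
    the authorization check.  Once identities live forever, anyone who ever
    claimed one (retirees, applicants who never enrolled) gets in.
    """
    if authenticate(req.user, password_ok) is None:
        return 401
    return 200


def handle_authn_authz(req: Request, password_ok: bool = True) -> int:
    """Authenticate, then authorize against group membership for the resource."""
    identity = authenticate(req.user, password_ok)
    if identity is None:
        return 401
    allowed = RESOURCE_GROUPS.get(req.path)
    if allowed is None:
        return 404
    if not (DIRECTORY[identity]["groups"] & allowed):
        return 403   # authenticated, but not permitted to use this resource
    return 200


def compare(path: str, user: Optional[str]) -> Tuple[int, int]:
    """Run one request through both handlers; handy when auditing a service."""
    req = Request(path, user)
    return handle_authn_only(req), handle_authn_authz(req)


if __name__ == "__main__":
    for path, user in [("/staff/wiki", "jdoe"), ("/staff/wiki", "retiree"),
                       ("/staff/wiki", "applicant"), ("/it/admin", "asmith"),
                       ("/staff/wiki", "oldstaff"), ("/staff/wiki", None)]:
        print(path, user, compare(path, user))
```

The pairs returned by `compare` make the problem concrete: the retiree and the applicant pass authentication and so reach the staff wiki under the first handler, while the second handler turns them away with 403 because no group of theirs has been granted that resource.  The deactivated account is refused by both, which is exactly the check that stops working once identities are kept for life.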

Identity for Life

One of the stated goals for IAM is that once a person has claimed an identity, it is theirs for life (and possibly longer).  Making this change would allow places like the Library to offer services to alumni and retirees without creating a new identity for them, or lumping them in with other unauthenticated users.  It has some interesting and wide-reaching implications, such as eliminating the need for zero-time appointments.

But this also creates a problem for applications that don’t use authorization, or that are very loose with it.  There is a lot of talk about allowing retirees and alumni to continue to use Library resources.  But what about all the students who applied to the University, but never actually took a class?  Poor access management could cost millions of dollars, as publishers and other rights holders demand more money for current subscriptions because there are many more people with access.

Fewer Passwords

There are quite a few things to get excited about with IAM, but perhaps the most anticipated service is single sign-on (SSO).  Since there will be a single identity store making sure you are who you claim to be, there is no reason for dozens of different applications to ask for your password.  You already gave a password when you logged into your computer; why do you need to do so again when you open email, go to your department’s internal website, access the wiki, or anything else?

This concept can be extended even further, to off-campus applications.  The final stage of IAM will create federation between the University and other institutions.  This will allow people to use their existing logins/passwords from Illinois to access resources that are run somewhere else.

What does this mean for the Library?

Library IT is preparing for this change on several fronts.  We are examining our services to ensure that they use proper authorization, and cleaning out old permissions for people who have left the Library.  We are also cataloging each of our secure services to address what the proper authentication and authorization processes should be.

In doing this, we will enlist the help of many Library service owners – the people working with patrons to provide a usable Library service – to identify the required level of authentication trust and proper authorization requirements for each service.  A committee has also been formed to identify and solve potential problems with the IAM project that could affect the Library.
