Educause Security Discussion mailing list archives
Re: [Possible SPAM] sync general user accounts to SIS accounts ?
From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 2 May 2007 07:05:31 -0700
Michael Fox wrote:
> We are looking at implementing a single point of authentication for most of our accounts. I would like to ask what others are doing in respect to accounts that access your SIS information. For example, faculty that access SIS to enter student grades. Are you using separate accounts for SIS or are the general accounts being used for this kind of access? I would like to see a separate account but I am getting the convenience side argument (which I understand). Any thoughts will be a help.

We use a single password currently for convenience but we're planning an IdM system that will give us the opportunity to provide more reasonable security in a flexible, graduated way.

The IdM system includes Oracle Access Manager ( based on Oblix Netpoint/CoreID ). That product allows for the definition of varying policy domains to which resources can be assigned. Each domain has a security level assigned to it. Varying authentication schemes can be assigned to the policy domains. The authentication schemes can be combined and cascaded with decision logic on each step.

Out of the box authentication schemes include:

  HTTP Basic
  X509 Cert with attribute support
  Form ( supports organization chosen custom fields )
  Security Bridge OS/390
  SecureID
  Active Directory
  External

They also provide an API to write custom authentication schemes.

Authorization schemes and rules are similarly flexible. They provide the capability to control access based on such things as originating computer IP address, time of day, and LDAP attributes.

The vision is for the system to require varying levels of authentication depending upon what the person is trying to access and where they are coming from ( e.g. off-campus, a computer not used for the access in the past, time of day ).

Oracle Access Manager white paper
http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/access_manager_wp_10gr3.pdf

Oracle Access Manager Administration Guide - User Authentication
http://download-east.oracle.com/docs/cd/B28196_01/idmanage.1014/b25990/v2authen.htm#CHDFHCDI

Sorry if I sound like a sales pitch. I'm excited about the capabilities of the product. It is the only part of the over-hyped IdM market that I think provides a significant boost to security. The provisioning aspect is mostly to enable automated business processes and may introduce as much risk as it removes.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
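
The graduated scheme described in the message above, sketched as an added example that is not part of the original post and is not Oracle Access Manager configuration or API: a generic Python model in which each policy domain carries a security level, risk signals (off-campus address, unfamiliar computer, time of day) raise it, and the session is asked to step up when its completed authentication is too weak. All scheme names, levels, domains and the campus network are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed sample policy: every name, level and network below is an assumption.
SCHEME_LEVEL = {"form_password": 1, "x509_cert": 2, "securid_token": 3}
DOMAIN_LEVEL = {"portal": 1, "sis_grades": 2}
MAX_LEVEL = max(SCHEME_LEVEL.values())
CAMPUS_NET = ip_network("192.0.2.0/24")  # documentation range standing in for campus
OPEN, CLOSE = time(7, 0), time(19, 0)    # hours treated as normal for access

@dataclass(frozen=True)
class Request:
    domain: str                 # policy domain the resource belongs to
    source_ip: str
    known_device: bool          # computer has been used for this access before
    at: time
    completed: frozenset = frozenset()  # schemes already satisfied this session

def required_level(req):
    """Domain's base level, raised one step per risk signal, capped at MAX_LEVEL."""
    # Unknown domains fail closed: they demand the strongest scheme.
    level = DOMAIN_LEVEL.get(req.domain, MAX_LEVEL)
    if ip_address(req.source_ip) not in CAMPUS_NET:
        level += 1
    if not req.known_device:
        level += 1
    if not (OPEN <= req.at <= CLOSE):
        level += 1
    return min(level, MAX_LEVEL)

def decide(req):
    """Return ('allow', None), or ('step_up', scheme) naming the scheme to run next."""
    need = required_level(req)
    have = max((SCHEME_LEVEL[s] for s in req.completed), default=0)
    if have >= need:
        return ("allow", None)
    # Ask for the weakest scheme that still meets the required level.
    candidates = [s for s in SCHEME_LEVEL if SCHEME_LEVEL[s] >= need]
    return ("step_up", min(candidates, key=SCHEME_LEVEL.get))

if __name__ == "__main__":
    pw = frozenset({"form_password"})
    print(decide(Request("portal", "192.0.2.10", True, time(10, 0), pw)))
    print(decide(Request("sis_grades", "192.0.2.10", True, time(10, 0), pw)))
    print(decide(Request("sis_grades", "203.0.113.5", False, time(23, 0), pw)))
```

With this model a single password still opens low-level resources from campus, while grade entry from an off-campus, unfamiliar computer late at night is sent to the strongest scheme.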