Educause Security Discussion mailing list archives

Re: [Possible SPAM] sync general user accounts to SIS accounts ?


From: Gary Flynn <flynngn () JMU EDU>
Date: Wed, 2 May 2007 07:05:31 -0700

Michael Fox wrote:
We are looking at implementing a single point of authentication for 
most of our accounts. I would like to ask what others are doing in 
respect to accounts that access your SIS information. For example, 
faculty that access SIS to enter student grades. Are you using 
separate accounts for SIS or are the general accounts being used for 
this kind of access?

I would like to see a separate account but I am getting the 
convenience side argument (which I understand).
Any thoughts will be a help.


We use a single password currently for convenience but we're planning
an IdM system that will give us the opportunity to provide more
reasonable security in a flexible, graduated way.

The IdM system includes Oracle Access Manager ( based on Oblix
Netpoint/CoreID ). That product allows for the definition of varying
policy domains to which resources can be assigned. Each domain has
a security level assigned to it. Varying authentication schemes can
be assigned to the policy domains. The authentication schemes can be
combined and cascaded with decision logic on each step. Out of the
box authentication schemes include:

HTTP Basic
X509 Cert with attribute support
Form ( supports organization chosen custom fields )
Security Bridge OS/390
SecurID
Active Directory
External

They also provide an API to write custom authentication schemes.

Authorization schemes and rules are similarly flexible. They provide
the capability to control access based on such things as originating
computer IP address, time of day, and LDAP attributes.

The vision is for the system to require varying levels of authentication
depending upon what the person is trying to access and where they are
coming from ( e.g. off-campus, a computer not used for the access in the
past, time of day ).

Oracle Access Manager white paper
http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/access_manager_wp_10gr3.pdf

Oracle Access Manager Administration Guide - User Authentication
http://download-east.oracle.com/docs/cd/B28196_01/idmanage.1014/b25990/v2authen.htm#CHDFHCDI

Sorry if I sound like a sales pitch. I'm excited about the capabilities
of the product. It is the only part of the over-hyped IdM market that I
think provides a significant boost to security. The provisioning aspect
is mostly to enable automated business processes and may introduce as
much risk as it removes.

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
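A small model of the graduated scheme described above (policy domains with security levels, a cascade of authentication schemes stepped up by where the request comes from, and authorization rules on time of day and LDAP attributes), added here as an illustration; it is not code from the thread or from Oracle Access Manager, and the path prefixes, levels, campus networks, scheme names and the eduPersonAffiliation attribute are constructed values.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed values for this example; not Oracle Access Manager syntax.
CAMPUS_NETS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]
# Policy domains: resource path prefix -> security level and the base
# cascade of authentication schemes a request must clear in order.
POLICY_DOMAINS = {
    "/sis/grades": {"level": 3, "schemes": ["form", "securid"]},
    "/sis/schedule": {"level": 2, "schemes": ["form"]},
    "/www": {"level": 1, "schemes": []},   # public content, no login
}

@dataclass
class Request:
    resource: str
    src_ip: str
    known_device: bool   # computer used for this access in the past
    at: time             # time of day of the request
    attrs: dict          # LDAP attributes of the authenticating user

def policy_domain(resource):
    """Longest-prefix match of the resource against the policy domains."""
    matches = [p for p in POLICY_DOMAINS if resource.startswith(p)]
    return max(matches, key=len) if matches else None

def required_schemes(req):
    """Scheme cascade to demand, stepped up by where the request comes from."""
    domain = policy_domain(req.resource)
    if domain is None:
        return None
    schemes = list(POLICY_DOMAINS[domain]["schemes"])
    on_campus = any(ip_address(req.src_ip) in net for net in CAMPUS_NETS)
    # Off-campus or unfamiliar computer: level >= 2 resources also demand the second factor.
    if (POLICY_DOMAINS[domain]["level"] >= 2 and "securid" not in schemes
            and not (on_campus and req.known_device)):
        schemes.append("securid")
    return schemes

def authorized(req):
    """Authorization rules on time of day and LDAP attributes per domain."""
    domain = policy_domain(req.resource)
    if domain is None:
        return False
    if POLICY_DOMAINS[domain]["level"] >= 3 and not time(7) <= req.at <= time(19):
        return False   # high-security resources only during business hours
    if domain == "/sis/grades" and "faculty" not in req.attrs.get("eduPersonAffiliation", []):
        return False   # grade entry needs a faculty affiliation
    return True
```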
