nethz 3.0: Design & Status - ETH - ITEK - ETH Zürich

nethz 3.0: Design & Status 

Matteo Corti 

ID-Basisdienste, Web Applications and Identity Management 

© ETH Zürich | 

2011-05-11

Outline 

� Identity management at ETHZ 

� Goals 

� What’s new 

� Status 

2011-05-11 Matteo Corti/ETH Zurich, Informatikdienste/matteo.corti@id.ethz.ch 2

Identity Management at ETHZ 

Persons 

SAP 

OIS 

applications 

OIS 

Security principals 

permissions 

groups 

nethz 

AdminTool 

2011-05-11 Matteo Corti/ETH Zurich, Informatikdienste/matteo.corti@id.ethz.ch 

Directories and 

applications 

LDAPS 

AD 

Radius 

Linux 

ETHis 

Web apps 

… 

Windows 

Mail 

Sharepoint 

… 

VPN 

802.1X 

… 

3

New identity management: Why? 

� nethz is more than 10 years old 

� outdated initial architecture/design: the system 

grew from a password management tool to a huge 

identity management system 

� new design 

� implemented as a bunch of Perl scripts 

� several parts are outdated 

� not in sync with ID strategy 

� UML, Java, Releases, … 


4

Goals 

� New model (definition of the business processes and 

objects) 

� New architecture (domain separation, releases, …) 

� New GUI (workflows, multilingual, help) 

� Orders and authorizations 

� Auditing/tracking 

� General model (open source product) 

� Quick overview of some of the changes 


5

Orders 

� Every change is requested through an order by user 

� If necessary, the operation needs to be authorized by 

� the resource owner (e.g., CMN) 

� an ISG (e.g., VPN, mail, …) 

� a fund owner (e.g., CMN) 

� A user can issue orders for another user 

� Orders can be tracked 

� The DB status is archived (~ Time Machine) 


6

Workflow changes for “administrators” 

� For many tasks they will only need to authorize (or 

deny) an order 

� Users will be able to generate orders for third parties. 


7

Security attributes vs. Centralized authorization 

nethz dir application 

identity 

• student 

• … 

security principal 

• student 

• … 

nethz dir application 

identity 

• student 

• … 

nethz 

security principal 

• permission p 

• … 

permission 

application 

security attributes 


permissions 

8

Model 

Every business object and the relationships among 

them are precisely defined and documented: 

� Identities: persons, machines, … 

� Security domains: security principals, permissions 

� Resources 

� Groups 

Case study: change of a password 


9

Simplified model 

Security Domain 

Identity Identity Group 

Principal Principal Group 

Permission Group Permission 


Resource 

10

Business object life cycles 

Every business object will be either 

� managed externally (e.g., by OIS) 

� no manual changes 

� lifecycle determined by the source 

� managed manually 

� no automatic changes 

� lifecycle managed by the owner (limited in time) 


11

System architecture 

GUI 

Order 

management 

DB 

Order 

management 

Order 

management 

Identity 

management 

Identity 

management 

Order management engine 

Identity 

management 

Mail 

management 

Mail 

management 

Mail 

management 

Prepaid 

management 

Prepaid 

management 

Prepaid 

management 


We split neth in 

several application 

domains with 

separate: 

• release cycles 

•DB 

but a common GUI 

• single sign on 

• unique layout 

12

Groups 

� Identities and security principals can be grouped 

� decoupled from their technical incarnation 

� everybody can manage groups 

� Permissions can be grouped 

� Unified group management (e.g., ISG Tool) 


13

Project status 

Specifications and configuration ✔ 

Business model ✔ 

Order management engine ✔ 

Core: identity management ✔ 

OIS connector ~ 

Core: other (mail, …) ✗ 

GUI: design (content and workflows) ~ 

GUI: implementation ~ 

Synchronization(s) ✗ 

Documentation ✗ 

Migration ✗ 

Estimated first release candidate: end of year 


35KLOC 

14

nethz 3.0: Design & Status - ETH - ITEK - ETH Zürich

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?