Identity Management - PowerPoint PPT Presentation

Slides: 52
Provided by: lisan3
Transcript and Presenter's Notes
1
Identity Management
2
Authentication (Prove who you are)
  • Authentication techniques
  • Prompt for username / password
  • Relay network domain credentials
  • Digital Certificates
  • Smart Cards
  • Usernames / passwords are the most common in our apps
    right now
  • Every application stores user information,
    including passwords
  • Every application is authenticating users only
    within the context of a single application
  • Security Risk
  • Passwords stored in variety of locations
  • Individual applications may not have the
    resources to keep up with DOI password policies
  • Resolution: Security Token Services (STS)
  • Centralize user information in STSs
  • Only the STS knows the passwords, and/or other
    user information
  • DOI security policies are addressed in one place
  • The STS exchanges user credentials for an industry-
    standard, digitally signed token

3
Security Token Service
  • Validate User Credentials
  • Domain accounts / Windows NTLM
  • DOI's Active Directory
  • For users on the DOI network
  • Usernames / Passwords
  • ADAM / AD LDS: a lightweight implementation of
    Active Directory
  • For users not on the DOI network
  • Other credential types
  • Digital Certificates
  • Authenticating partner applications / services
    running automated processes
  • Transform User Credentials
  • Make claims about a user
  • Wrap the claims within a digitally signed SAML
    Token

4
Security Token Process
  • Apps and Services will never see usernames and
    passwords, just SAML tokens

5
Authorization (What are you allowed to do)
  • Role based authorization
  • Users are placed in groups (roles) and
    permissions are applied to the group
  • Access to a resource is decided by comparing the
    user's roles to the roles defined for the resource
  • Advantages
  • Permission management on small number of groups
    instead of many users
  • Limitations
  • Permissions are applied to resources at a very
    broad level. Granular rules will require more
    and more groups
  • Roles only have meaning within individual
    applications
  • Resource based authorization (Access Control
    Lists)
  • Permissions are defined on the resource itself
  • Specify what operation / group / user can access
    a resource
  • Advantages
  • Authorization rules are upheld regardless of
    which service is requesting access
  • Limitations
  • Every resource would have to implement attributes
    that identify what it is
  • In the case of system files, often requires some
    form of impersonation to get through operating
    system process rules

6
  • Claims based authorization
  • Claims are properties that describe the
    capabilities of an entity
  • Type: lets services consuming claims know what
    the claim refers to
  • Right: describes the capability the entity has
    over a resource
  • Resource: the thing over which the claim is
    made
  • Essentially does role based authorization and
    more
  • Roles are based on identity. Identity is one of
    many claims that can be made about a user
  • Advantages
  • Separates authorization rules from the mechanisms
    used for authentication
  • Authorization policies, based on claims, can be
    created down to a very granular level
  • Very good at controlling access across platforms
    and applications
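As an added illustration of slides 2 to 6 (not code from the presentation or from IRMA), the following Python models the token flow: only the STS holds credentials and issues a signed token of claims (type / right / resource), and a relying application verifies the signature and expiry and authorizes on claims without ever seeing the password. The user store, claims and shared HMAC key are constructed stand-ins; a real STS would put the claims in a SAML token under an asymmetric digital signature.

```python
import base64, hashlib, hmac, json, time

# Constructed sample data: only the STS holds credentials (slide 2). The
# salted SHA-256 hash is a stand-in for AD / ADAM; STS_KEY is a shared HMAC
# key standing in for the STS's digital-signature key (assumption).
_SALT = b"constructed-salt"
_USERS = {"jdoe": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
_CLAIMS = {"jdoe": [{"type": "role", "right": "edit", "resource": "Reference"},
                    {"type": "unit", "right": "read", "resource": "ROMO"}]}
STS_KEY = b"constructed-sts-signing-key"

def sts_issue_token(username, password, ttl=300):
    """STS: validate credentials and return a signed claims token, else None."""
    expected = _USERS.get(username)
    presented = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if expected is None or not hmac.compare_digest(expected, presented):
        return None
    body = {"sub": username, "exp": int(time.time()) + ttl,
            "claims": _CLAIMS[username]}
    payload = base64.urlsafe_b64encode(json.dumps(body).encode()).decode()
    sig = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig          # token = claims + signature (slide 3)

def verify_token(token, now=None):
    """Relying app: check signature, then expiry; it never sees a password."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    good = hmac.new(STS_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, sig):       # reject tampered tokens
        return None
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["exp"] < (now if now is not None else time.time()):
        return None
    return body

def is_allowed(token, right, resource):
    """Claims-based authorization (slide 6): any claim granting right over resource."""
    body = verify_token(token)
    if body is None:
        return False
    return any(c["right"] == right and c["resource"] == resource
               for c in body["claims"])
```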

7
Challenges Solved and Still to Solve
  • Authentication from multiple sources
  • Currently can do multiple types of STS
  • Transparent logins for domain users
  • Form based username / passwords against ADAM / AD
    LDS
  • Digital Certificates
  • Will be developing a flexible and reusable API
    for authorization
  • Determine general claim types that are needed
    across our services
  • Identify service specific claim types that will
    be needed
  • Make it all work for client applications other
    than a web browser
  • Excel
  • Access
  • Etc.

8
Unit
  • IRMA Infrastructure Services

9
Problems to Solve
  • Multiple copies of unit, park, etc. databases
    being used (every app had a different one!)
  • Inconsistent park codes and names used
  • No common maintenance practices

10
Version 1.0.0
  • Centralized data source
  • Initial IRMA coding standards, service structure
  • Very atomic methods (not user-friendly, but they
    work)

11
Example
  • Reference Service Search Page
  • http://nrinfo.nps.gov
  • Pick List data web controls

12
Short-term Vision
  • Full integration with IRMA practices
  • Standardized park codes
  • More efficient fetch methods
  • More sophisticated web controls

13
Longer-term Vision
  • Customizable web controls
  • Accessible service for networks and parks
  • Search and report page in NRInfo Portal
  • Subunits
  • Management districts, ranger districts, etc.
  • Maintenance functions

14
Taxonomy
  • IRMA Infrastructure Services

15
Problems to be Solved
  • Multiple applications need to manage information
    about taxa
  • We need a common currency for discussing taxa
  • We would like to use other taxonomic datasets
    besides ITIS, such as USDA Plants

16
Version 1.0
  • Four primary parts
  • Names
  • Categories
  • Sources
  • Classifications
  • Searching by Name and by Code
  • Taxon Profile pages
  • Integration with Species

17
Search by Name
18
Search by Code
19
Search Results
20
Taxon Profile
21
Short-term Vision
  • Include authorities
  • Integrate USDA Plants list
  • Downloadable taxonomy lists
  • Saved searches and layouts
  • Transform a taxa list using Crosswalks
  • Links to external Classification Sources
  • More search options

22
Long-term Vision
  • Adding and editing Taxa
  • Roll-up to Ranks
  • Authentication
  • Change History Management
  • Commenting
  • Other types of taxonomies

23
Benefits
  • One-stop shopping for Taxonomy
  • NPS Taxon Code serves as common currency
  • New Classification Sources can be loaded, adding
    new sets of names

24
Reference Service Update
  • Data Managers Conference
  • April, 2009

25
Overview
  • Problem
  • Current Status
  • Short-Term Plans
  • Long-Term Vision
  • Benefits of Service

26
What is the Problem?
  • Fundamental need to manage citations/metadata
  • Documents
  • Datasets
  • Photos
  • Other
  • Citations/Metadata in different systems
  • Hard to associate/group references
  • Applications do not adequately serve the needs of
    the natural resources program

27
Reference Service 1.0
  • Active, non-sensitive, and non-proprietary
    citations from NatureBib and Data Store
  • Limited subset of the Reference attributes
  • Basic searching and read-only viewing
  • No user-name or password required to search
  • Download attachments
  • Creating/Editing still done through NatureBib and
    Data Store

29
Search
  • Simple search (search logic behind the scenes)
  • Must be easy to use

30
Search Results
31
Detailed View
32
Short-Term Plans
  • 1.x Iterations
  • Functionality of NatureBib and DataStore
  • Begin to clarify definitions
  • Introduce Reference Owner and Unit Steward roles
  • Begin Reference Relationships
  • Split into related references (e.g., book chapter
    is part of book)
  • Begin to Combine duplicates
  • Show related references as one in Portal
  • Create Reference from XML record
  • Integrate with other services
  • 2.0
  • Turn off NatureBib and Data Store
  • Begin following Long-Term Road Map for adding
    functionality

33
Long-Term Road Map
  • Stakeholder Interviews
  • Project Scope
  • Version Timeline

34
Stakeholder Interviews
  • Fall of 2008
  • Gather user needs
  • 100 people interviewed
  • 25 meetings

35
Road Map - Project Scope
  • Out for review - March 2009
  • Integrates user needs
  • Proposes long-term functionality
  • Very general and dry
  • Minimize risks
  • Get everyone on the same page
  • Identify logical flaws
  • Survey to Get Feedback/Comments

36
Survey Results
37
Road Map Version Timeline
  • Prioritize functionality in Project Scope
  • Can begin once Project Scope is completed
  • Very important beyond 2.0

38
Further Development and Refinement
  • Progressive elaboration
  • Regular user feedback

39
Benefits
  • Leverages functionality of other services
  • Taxonomy
  • Units
  • Authentication
  • File
  • Can be leveraged by other services
  • Species
  • Project
  • Data Clearinghouses

40
NPSpecies Update
  • Presented by Alison Loar

41
New NPSpecies is Useful Because
  • Shared infrastructure
  • Units, Taxonomy, Authentication, etc.
  • Reusable controls
  • New user friendly user interface on the NRInfo
    Portal
  • Ability to access service fetch operations to
    build your own

42
Current Status
  • NPSpecies 2.0.3 on NRInfo Portal
  • Certified Species Lists
  • For data that have been certified
  • Ability to download lists
  • Live Demo

43
Upcoming Release
  • NPSpecies 2.1.0
  • Released next month
  • Species lists with more views
  • Park-Species Profile
  • Simple stats
  • List of Units (where one species is found)
  • Live Demo

44
Roadmap Release Plan: Short Term
  • NPSpecies 2.2
  • Integrate NPSpecies with New Match List
    Application
  • NPSpecies 2.3
  • Integrate NPSpecies with New Evidence
    Applications (Vouchers, Observations, References)
  • NPSpecies 3.0
  • Add/Edit/Delete
  • Turn off NPSpecies 1.0

45
Roadmap Release Plan: Long Term
  • NPSpecies 3.1
  • Ability to have multiple species lists for one
    category one unit in NPSpecies
  • Tools to Compare and Merge data
  • NPSpecies 3.2
  • QA toolbox with QA Filters
  • Automated workflow

46
IRMA Summary: What this Means for You
  • Data Managers Conference
  • April, 2009

47
Accessing Information
  • Web Portal
  • Consistent Interface
  • Brings multiple services together
  • SOAP Messages

48
SOAP Messages
  • Simple Object Access Protocol
  • Get information without a web interface
  • Text messages
  • Industry Standard (e.g., Travelocity)
  • Supported by other Languages and Applications
  • MS Products
  • Python

49
Example SOAP Message
    <CreateReference>
      <Title>Birds of ROMO</Title>
      <Publisher>NPS</Publisher>
      <DateOfIssue>20080104</DateOfIssue>
    </CreateReference>
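As an added example (not the presentation's or IRMA's own code), this Python builds the slide's CreateReference message inside a SOAP 1.1 envelope and parses it back on the receiving side, rejecting messages that are not well-formed XML, lack a required field, or carry a malformed date. The service namespace urn:example:irma-reference and the YYYYMMDD date rule are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
SVC_NS = "urn:example:irma-reference"                    # hypothetical service namespace
FIELDS = ("Title", "Publisher", "DateOfIssue")          # fields shown on slide 49

def build_create_reference(title, publisher, date_of_issue):
    """Client side: wrap a CreateReference body in a SOAP 1.1 envelope."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}CreateReference")
    for name, value in zip(FIELDS, (title, publisher, date_of_issue)):
        # ElementTree escapes '<', '&' etc. in text, so field values cannot
        # break out of their element.
        ET.SubElement(op, f"{{{SVC_NS}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")

def parse_create_reference(xml_text):
    """Server side: extract the fields; return None for any malformed message.
    For input from untrusted callers, parse with defusedxml instead of the
    stdlib parser to rule out entity-expansion attacks."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    op = root.find(f"{{{SOAP_NS}}}Body/{{{SVC_NS}}}CreateReference")
    if op is None:
        return None
    record = {}
    for name in FIELDS:
        el = op.find(f"{{{SVC_NS}}}{name}")
        if el is None or not (el.text or "").strip():
            return None                      # missing or empty required field
        record[name] = el.text.strip()
    if not re.fullmatch(r"\d{8}", record["DateOfIssue"]):   # YYYYMMDD as on the slide
        return None
    return record
```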

50
Example Messages
  • FetchReferenceList
  • CreateReference
  • FetchReferenceHolding
  • DeleteReference

51
Application to Networks
  • Custom applications
  • Integrate multiple services for higher level
    functionality
  • Automatic update of web pages