This article relies largely or entirely on a single source .(August 2007) |
In computing, delegated administration or delegation of control describes the decentralization of role-based-access-control [1] systems. Many enterprises use a centralized model of access control. For large organizations, this model scales poorly and IT teams become burdened with menial role-change requests. These requests — often used when hire, fire, and role-change events occur in an organization — can incur high latency times or suffer from weak security practices.
Such delegation involves assigning a person or group specific administrative permissions for an Organizational Unit. In information management, this is used to create teams that can perform specific (limited) tasks for changing information within a user directory or database. The goal of delegation is to create groups with minimum permissions that grant the ability to carry out authorized tasks. Granting extraneous/superfluous permissions would create abilities beyond the authorized scope of work.
One best practice for enterprise role management entails the use of LDAP groups. Delegated administration refers to a decentralized model of role or group management. In this model, the application or process owner creates, manages and delegates the management of roles. A centralized IT team simply operates the service of directory, metadirectory, web interface for administration, and related components.
Allowing the application or business process owner to create, manage and delegate groups supports a much more scalable approach to the administration of access rights.
In a metadirectory environment, these roles or groups could also be "pushed" or synchronized with other platforms. For example, groups can be synchronized with native operating systems such as Microsoft Windows for use on an access control list that protects a folder or file. With the metadirectory distributing groups, the central directory is the central repository of groups.
Some enterprise applications (e.g., PeopleSoft) support LDAP groups inherently. These applications are capable of using LDAP to call the directory for its authorization activities.
Web-based group management tools — used for delegated administration — therefore provide the following capabilities using a directory as the group repository:
In Microsoft Active Directory the administrative permissions this is accomplished using the Delegation of Control Wizard. Types of permissions include managing and viewing user accounts, managing groups, managing group policy links, generating Resultant Set of Policy, and managing and viewing InOrgPerson accounts.
A use of Delegation of Control could be to give managers complete control of users in their own department. With this arrangement managers can create new users, groups, and computer objects, but only in their own OU.
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Directory. However, it ultimately became an umbrella title for various directory-based identity-related services.
In computer security, an access-control list (ACL) is a list of permissions associated with a system resource. An ACL specifies which users or system processes are granted access to resources, as well as what operations are allowed on given resourcess. Each entry in a typical ACL specifies a subject and an operation. For instance,
Content management (CM) is a set of processes and technologies that supports the collection, managing, and publishing of information in any form or medium. When stored and accessed via computers, this information may be more specifically referred to as digital content, or simply as content.
In computing, a directory service or name service maps the names of network resources to their respective network addresses. It is a shared information infrastructure for locating, managing, administering and organizing everyday items and network resources, which can include volumes, folders, files, printers, users, groups, devices, telephone numbers and other objects. A directory service is a critical component of a network operating system. A directory server or name server is a server which provides such a service. Each resource on the network is considered an object by the directory server. Information about a particular resource is stored as a collection of attributes associated with that resource or object.
Oracle Internet Directory (OID) is a directory service produced by Oracle Corporation, which functions compatible with LDAP version 3.
Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.
In computing, the term virtual directory has a couple of meanings. It may simply designate a folder which appears in a path but which is not actually a subfolder of the preceding folder in the path. However, this article will discuss the term in the context of directory services and identity management.
A metadirectory system provides for the flow of data between one or more directory services and databases, in order to maintain synchronization of that data, and is an important part of identity management systems. The data being synchronized typically are collections of entries that contain user profiles and possibly authentication or policy information. Most metadirectory deployments synchronize data into at least one LDAP-based directory server, to ensure that LDAP-based applications such as single sign-on and portal servers have access to recent data, even if the data is mastered in a non-LDAP data source.
NIS+ is a directory service developed by Sun Microsystems to replace its older 'NIS'. It is designed to eliminate the need for duplication across many computers of configuration data such as user accounts, host names and addresses, printer information and NFS disk mounts on individual systems, instead using a central repository on a master server, simplifying system administration. NIS+ client software has been ported to other Unix and Unix-like platforms.
In computing, the term group generally refers to a grouping of users. In principle, users may belong to none, one, or many groups The primary purpose of user groups is to simplify access control to computer systems.
Microsoft Identity Integration Server (MIIS) is an identity management (IdM) product offered by Microsoft. It is a service that aggregates identity-related information from multiple data-sources. The goal of MIIS is to provide organizations with a unified view of a user's/resources identity across the heterogeneous enterprise and provide methods to automate routine tasks.
AGDLP briefly summarizes Microsoft's recommendations for implementing role-based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. AGUDLP and AGLP summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.
PERMIS is a sophisticated policy-based authorization system that implements an enhanced version of the U.S. National Institute of Standards and Technology (NIST) standard Role-Based Access Control (RBAC) model. PERMIS supports the distributed assignment of both roles and attributes to users by multiple distributed attribute authorities, unlike the NIST model which assumes the centralised assignment of roles to users. PERMIS provides a cryptographically secure privilege management infrastructure (PMI) using public key encryption technologies and X.509 Attribute certificates to maintain users' attributes. PERMIS does not provide any authentication mechanism, but leaves it up to the application to determine what to use. PERMIS's strength comes from its ability to be integrated into virtually any application and any authentication scheme like Shibboleth (Internet2), Kerberos, username/passwords, Grid proxy certificates and Public Key Infrastructure (PKI).
SharePoint is a web-based collaborative platform that integrates natively with Microsoft 365. Launched in 2001, SharePoint is primarily sold as a document management and storage system. However the product is highly configurable, and its usage varies substantially among organizations, from sharing information through intranets to internal apps implementing business processes through workflows.
Heroku is a cloud platform as a service (PaaS) supporting several programming languages. One of the first cloud platforms, Heroku has been in development since June 2007, when it supported only the Ruby programming language, but now supports Java, Node.js, Scala, Clojure, Python, PHP, and Go. For this reason, Heroku is said to be a polyglot platform as it has features for a developer to build, run and scale applications in a similar manner across most languages. Heroku was acquired by Salesforce in 2010 for $212 million.
Delegation is the process of a computer user handing over its authentication credentials to another user. In role-based access control models, delegation of authority involves delegating roles that a user can assume or the set of permissions that the user can acquire, to other users.
A metadata repository is a database created to store metadata. Metadata is information about the structures that contain the actual data. Metadata is often said to be "data about data", but this is misleading. Data profiles are an example of actual "data about data". Metadata adds one layer of abstraction to this definition– it is data about the structures that contain data. Metadata may describe the structure of any data, of any subject, stored in any format.
RhodeCode is an open source self-hosted platform for behind-the-firewall source code management. It provides centralized control over Git, Mercurial, and Subversion repositories within an organization, with common authentication and permission management. RhodeCode allows forking, pull requests, and code reviews via a web interface.