Self-Service Privacy Using LDAP at
The University of Notre Dame
CUMREC 2003
Brendan Bellina
Office of Information Technologies
University of Notre Dame du Lac
Email: BBellina@nd.edu
Copyright © Brendan Bellina, 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
May 13, 2003 Copyright © 2003, University of Notre Dame du Lac 2
Confidentiality in U.S. Higher Education
Family Educational Rights and Privacy Act (FERPA)
Institution definition of “Directory Information”
– Full name
– Address
– Telephone number
– Day and place of birth
– College, major, or level
– Participation in officially recognized activities and sports
– Weight and height of members of athletic teams
– Dates of attendance
– Full or part-time status
– Degrees and awards received
– Most recent previous educational agency or institution attended by the student
– Other similar information such as a photograph
Family Educational Rights and Privacy Act (FERPA)
Excerpt from the Notre Dame FERPA webpage:
Directory information may be disclosed by this institution for any purpose, without the prior consent of a student, unless the student has forbidden its disclosure in writing.
Students wishing to prevent disclosure of the designated directory information must file written notification to this effect with the Registrar's Office.
In the event that such written notification is not filed, the University assumes that the student does not object to the release of the directory information.
Family Educational Rights and Privacy Act (FERPA)
In the year following the implementation of the directory privacy functionality described here, a self-service privacy mechanism was implemented in the Student Information System.
• Limited to student campus/home address and phone, and spouse name
• Available only during SIS availability (7x18)
• Immediate effect for SIS applications; delayed effect for web-based applications relying upon directory services
• Restricts data passed to directory services, leaving even authorized directory-enabled applications unable to access the information via the directory.
Initiating FERPA Protection: The Student
• Request FERPA protection at registration or…
• Submit formal request for FERPA protection to the Office of the Registrar providing name and/or NetID
• Wait for request to be processed.
Initiating FERPA Protection: The Office of the Registrar
• Update Student Information System record to indicate that the student has requested FERPA protection
• Contact the Office of Information Technologies to have electronic directories & services updated
Limitations
• Complex and slow – multiple steps and points of failure and delay
• Available only during office hours M-F 8-5
• Cumbersome – requires student visit
• Dependent on availability of system administrators for multiple systems (core middleware, email, listserv)
• Limited granularity – phone, address, spouse name, or all
Unwanted Side Effects
• Disables growing list of functions reliant upon directory entry information, including email forwarding, auto-reply, WebCT, Active Directory services, the eProcurement system, Learning Management System, Online Registration, Online Voting…
• System Administrator reliance - Requires configuration modifications and coding for each request (email, listserv, AFS)
• Separates user account from systems of record, preventing automated revocation and information updates
Goals
• Self-service web application
• Multi-level opt-out
• Automate processes
• Reduce administrator involvement
• Eliminate need for coding and configuration changes
• 7x24x365 availability
• Immediate effect – no latency
• Attribute level granularity
• Eliminate need for office visit
• No restrictions on services caused by privacy
Steps Taken to Date
• Implementation of high availability Enterprise Directory Service
• Elimination of X.500 directories and Eudora cross-reference database to further reduce administrator involvement
• Web pages to allow user to edit entry content and update privacy options in the Enterprise Directory Service real-time, 7x24x365.
Steps Taken to Date
• FERPA protected individuals “mastered” in the Enterprise Directory Service
• Provide LDAP-enabled applications with service id’s authorized to access private entries
• Windows Active Directory domain policy to redirect Active Directory searches to the EDS
EDS Authentication Screen
Directory Entry Display
Directory Entry Edit
Privacy Options
Display Preferences
Opt-out Options
• Entry level and Attribute Level
– Private – The entry/attribute is visible only to the owner and to authorized applications. This is a selectable option for active student and departmental accounts.
– ND-Only – The entry/attribute is visible to authenticated searches and to authorized applications. This is a selectable option for all active accounts.
– FERPA Restrict – entry-level setting identical to “Private” except can only be set and reversed by formal request.
Usage Statistics
• FERPA protection / hidden account: 4
• Self-service entry-level privacy: 46
• Self-service entry-level ND-only: 33
• Self-service attribute-level privacy: 250
Directory Attributes: dn
Directory dn (distinguished name) is comprised of:
– ndGuid – a uniquely defined string of characters randomly assigned in format ndaa#aa# (ndPVid) prefixed with “nd.edu”
– X.500 Directory base (avoids conflict with our Active Directory domain)
Directory Attributes: dn
Intentionally avoided basing on name, NetID, department, or affiliation in order to:
– (1) reduce chance of dn changes when changes occur
– (2) allow anonymity without requiring entire entry to be restricted.
Needed an unchanging, non-reissuable, meaningless id independent of vendor and transaction system influence.
Directory Attributes: ndEntryStatus
• Multi-valued attribute used to control access to the entry from applications.
• Allowable values:
– active
– restrictEDS – indicates entry restricted to only owner and authorized applications
– restrictndonly – indicates entry restricted to authenticated searches only
– restrictFERPA – indicates privacy cannot be altered by self-service; always coupled with restrictEDS
Directory Attributes: ndVisibilityControl
• Multi-valued attribute used to record access level for specific attributes
• Allowable values: Attribute name, +
– private – indicates attribute restricted to only owner and authorized applications
– ndonly – indicates attribute restricted to authenticated searches only
Directory Attributes: ndDisplayPreferences
• Multi-valued attribute used to record user preferences for the directory entry display screen
• Allowable values:
– maskpriorsurname – indicates that common name values based on prior surname should not be displayed
– maskuid – indicates that uid (NetID) should not be displayed
Directory Attributes: aci
• Entry level aci’s used to control access to entry attributes as specified in ndVisibilityControl
• OU level aci’s used to prevent unauthorized access to restricted attributes such as ndUniversityid, ndPermid, ndRolesAssigned
Directory Attribute Access Types
• Always restricted
– e.g. ndUniversityid, ndPermid, ndRolesAssigned, internal attributes
• Never restricted
– e.g. dn, uid
• Restrictions based on user preference
Directory Attribute Access Groups
• Groups are used to allow applications to have access to entries and attributes.
• Use of groups reduces directory maintenance/administrative time
• Groups are not visible anonymously
• Group dn’s are also based on ndPVid’s
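How the entry-level and attribute-level settings from the preceding slides combine into a single read decision, as an added Python sketch that is not Notre Dame's code or its aci configuration. The four requester levels, the "<attribute> <level>" value format for ndVisibilityControl, hiding always-restricted attributes from the owner, treating non-active entries as hidden, and the sample entry are all assumptions made for the illustration.

```python
# Added illustration of the slides' opt-out rules; not Notre Dame's code.
# Assumed: requester levels, "<attribute> <level>" value format, sample data.
ANON, AUTHENTICATED, OWNER, AUTHORIZED_APP = range(4)
ALWAYS_RESTRICTED = {"ndUniversityid", "ndPermid", "ndRolesAssigned",
                     # treated here as the slides' "internal attributes":
                     "ndEntryStatus", "ndVisibilityControl"}
NEVER_RESTRICTED = {"dn", "uid"}

def entry_visible(entry, who):
    """Entry-level decision driven by ndEntryStatus."""
    status = set(entry.get("ndEntryStatus", []))
    if "restrictEDS" in status:        # owner and authorized applications only
        return who in (OWNER, AUTHORIZED_APP)
    if "restrictndonly" in status:     # authenticated searches only
        return who != ANON
    return "active" in status          # assumption: non-active entries are hidden

def visible_attributes(entry, who):
    """Attributes of `entry` that a requester at level `who` may read."""
    if not entry_visible(entry, who):
        return {}
    levels = dict(v.split(" ", 1) for v in entry.get("ndVisibilityControl", []))
    out = {}
    for attr, values in entry.items():
        if attr in ALWAYS_RESTRICTED:
            allowed = who == AUTHORIZED_APP
        elif attr in NEVER_RESTRICTED or attr not in levels:
            allowed = True
        elif levels[attr] == "ndonly":
            allowed = who != ANON
        else:                          # "private" (unknown levels fail closed)
            allowed = who in (OWNER, AUTHORIZED_APP)
        if allowed:
            out[attr] = values
    return out

def set_entry_privacy(entry, level):
    """Self-service change of entry-level privacy (level may be None)."""
    if level not in (None, "restrictEDS", "restrictndonly"):
        raise ValueError("not a self-service level")
    status = set(entry["ndEntryStatus"])
    if "restrictFERPA" in status:      # only reversible by formal request
        raise PermissionError("FERPA restriction requires a formal request")
    status -= {"restrictEDS", "restrictndonly"}
    entry["ndEntryStatus"] = sorted(status | ({level} if level else set()))

SAMPLE = {  # constructed entry, not real directory data
    "dn": ["constructed-dn"], "uid": ["jdoe"], "cn": ["Jane Doe"],
    "telephoneNumber": ["555-0100"], "postalAddress": ["123 Example St"],
    "ndUniversityid": ["000000000"], "ndEntryStatus": ["active"],
    "ndVisibilityControl": ["telephoneNumber private", "postalAddress ndonly"],
}
```

Because the entry stays in the directory and only the read decision changes, an authorized application still receives every attribute, which is the property the pre-EDS process lacked.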
Steps Remaining
• Elimination of public access to ph/CSO
• Provide web-application to Registrar to control FERPA setting
• Increase edit capability for FERPA entries
• Automate data correction for FERPA entries
• Implement a tie between the EDS opt-out and FERPA settings and Registrar notification
Links
ND Enterprise Directory Service, <http://www.nd.edu/~eds>
ND EDS Documentation, <http://www.nd.edu/~eds/docs>
ND EDS Schema Documentation, <http://www.nd.edu/~eds/docs/current_schema/EDS_ModelDoc.htm>
ND EDS Search, <http://www.nd.edu/~eds/search>
eduPerson object class, <http://www.educause.edu/eduperson/>
Internet2 Middleware, <http://middleware.internet2.edu/>
Contact Information
Brendan Bellina
Office of Information Technologies
University of Notre Dame du Lac
Email: BBellina@nd.edu
Website: <http://www.nd.edu/~bbellina>
Directory Entry:
<http://www3.nd.edu/~eds/cgi-bin/nd_ldap_search.pl?ldapfilter=uid=bbellina>
vCard: <http://www3.nd.edu/~eds/cgi-bin/ldapvcard.pl?uid=bbellina>