Slide 1: Modeling The Cross-organizational User Access Control Decision Space To Facilitate Secure Information Sharing. DHS Science & Technology Directorate, Command, Control and Interoperability Branch.
Slides 2-4: Problem? (diagram slides)

Slide 5: What is needed (diagram slide)

Slide 6: Compliant with IA & Sharing Policy (diagram slide)

Slide 7: Analysis (diagram slide)

Slides 8-9: Policy? (diagram slides)

Slide 10: Policy Compliance? (diagram slide)

Slide 11: Access Control
Access control: ensuring that requested actions on a resource are granted only in compliance with applicable policy. Three tiers of authorization, from most to least expressive:
• Attribute-Based: fine-grained authorization; dynamic access; externalized policy; adaptability
• Role-Based: coarse-grained authorization; declarative access by category
• Identity-Based: basic authorization; declarative access by subject
Source: Gerry Gebel, M. N. (2009). User Authorization. Burton Group: Identity and Privacy Strategy.

Slide 12: Access Control Essentials (diagram: Access Control Policy)

Slide 13: Why Concept Modeling? Captures information requirements: problem specific and technology-neutral.

Slide 14: Why Concept Modeling? Semantic alignment: identifies business terms; establishes semantic consensus.

Slide 15: Why Concept Modeling? Framework: conceptual foundation.

Slide 16: Why Concept Modeling? Agility: baselines technology insertion.

Slides 17-19: What is a Federal User? Current view versus desired view (diagram slides).
Slides 20-26: ICAM User Concept Model
The same entity-relationship diagram appears on each of these seven slides; the deck steps through it one region at a time. Entities and their attributes, as labelled on the diagram:
• Person: person unique identifier, biometrics, names, birthdate, birthplace
• Citizenship: country identifier
• Identity Credential: credential unique identifier, credential secret, credential name, credential issue date, credential expire date, credential status, credential status date, credential LOA
• Organization: organization unique identifier, relationship to US government, organization names
• Skill Certificate: certificate unique identifier, certificate type, certificate name, certificate issue date, certificate expire date, certificate status, certificate status date, certificate LOA, certification level
• Skill: skill identifier, skill level
• Affiliation (person association with organization): person unique affiliation identifier
• Affiliation Condition: affil cond type, affil cond start date, affil cond end date, affil cond status, affil cond status date
• Position: occupation, position type
• Management level
• Operational Domain: operational domain identifier
• Assignment: role
• Assignment Condition: assign cond type, assign cond start date, assign cond end date, assign cond status, assign cond status date
• Activity: activity identifier, function
• Position Entitlement: pos entitle identifier, pos entitle permission, pos entitle start date, pos entitle end date, pos entitle status, pos entitle status date
• Assignment Entitlement: assign entitle identifier, assign entitle permission, assign entitle start date, assign entitle end date, assign entitle status, assign entitle status date
• Technical Domain: technical domain identifier
Relationship labels on the diagram: issue / be issued by, grant, be a subgroup of, certify / be certified by, identify / be identified by, administer / be administered by, manage / be managed by, be a member of, composed of, need / be needed by, be granted by. From the placement of the labels: an Organization issues Identity Credentials, grants Citizenship, certifies Skill Certificates, can be a subgroup of another Organization, and administers Technical Domains; a Person is identified by an Identity Credential and certified by a Skill Certificate; a Position is managed by a Management level; an Assignment is composed of Activities; Position and Assignment Entitlements need a Technical Domain. The remaining endpoints are not recoverable from the extraction. Note that every credential, certificate, condition and entitlement carries a start/issue date, an end/expire date, a status and a status date, which is what lets a decision be evaluated as of a point in time rather than from a static role.
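The decision this model is built to support, as an added worked example in Python (not code from the deck or from DHS S&T): a policy decision point that evaluates a request against the Identity Credential, Affiliation Condition and Assignment Entitlement attributes listed above, next to the role-only decision of slide 11's role-based tier. The policy rules, the 1-4 LOA scale, the role table, the set of blocking condition types and the sample user are assumptions made for illustration.

```python
"""Attribute-based access decision over the ICAM User Concept Model.

Added example, not code from the DHS S&T deck. Entity and attribute names
follow the concept model (Identity Credential, Affiliation Condition,
Assignment, Assignment Entitlement, Technical Domain). The policy rules, the
1-4 LOA scale, the role table, the blocking condition types and the sample
user are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class IdentityCredential:
    credential_unique_identifier: str
    credential_status: str          # "active", "suspended" or "terminated"
    credential_expire_date: date
    credential_loa: int             # assumed 1..4 scale


@dataclass(frozen=True)
class AffiliationCondition:         # e.g. probation, disciplined, weekend shift
    affil_cond_type: str
    affil_cond_start_date: date
    affil_cond_end_date: date
    affil_cond_status: str


@dataclass(frozen=True)
class AssignmentEntitlement:        # one permission on one Technical Domain
    technical_domain_identifier: str
    assign_entitle_permission: str
    assign_entitle_start_date: date
    assign_entitle_end_date: date
    assign_entitle_status: str


@dataclass
class User:
    person_unique_identifier: str
    credential: IdentityCredential
    role: str                                   # Assignment.role
    conditions: list = field(default_factory=list)
    entitlements: list = field(default_factory=list)


@dataclass(frozen=True)
class Request:
    technical_domain_identifier: str
    permission: str
    required_loa: int
    on: date                                    # date the decision is made for


# Role-based policy: a role implies a fixed permission set (assumed table).
ROLE_PERMISSIONS = {"analyst": {"read"}, "case_officer": {"read", "write"}}
# Condition types that suspend access while they are in effect (assumed).
BLOCKING_CONDITION_TYPES = {"probation", "disciplined"}


def _in_effect(status, start, end, on):
    """A dated, status-bearing record counts only while active on the date."""
    return status == "active" and start <= on <= end


def rbac_decide(user, req):
    """Coarse-grained tier: declarative access by category (the role) alone."""
    return req.permission in ROLE_PERMISSIONS.get(user.role, set())


def abac_decide(user, req):
    """Fine-grained tier: every attribute is evaluated as of req.on.

    Returns (permit, reasons). reasons is empty on permit and names every
    failed check on deny, so the decision can be audited afterwards.
    """
    reasons = []
    c = user.credential
    if c.credential_status != "active" or c.credential_expire_date < req.on:
        reasons.append(f"credential {c.credential_unique_identifier} not active on {req.on}")
    if c.credential_loa < req.required_loa:
        reasons.append(f"credential LOA {c.credential_loa} below required {req.required_loa}")
    for k in user.conditions:
        if k.affil_cond_type in BLOCKING_CONDITION_TYPES and _in_effect(
                k.affil_cond_status, k.affil_cond_start_date, k.affil_cond_end_date, req.on):
            reasons.append(f"affiliation condition '{k.affil_cond_type}' in effect")
    if not any(e.technical_domain_identifier == req.technical_domain_identifier
               and e.assign_entitle_permission == req.permission
               and _in_effect(e.assign_entitle_status, e.assign_entitle_start_date,
                              e.assign_entitle_end_date, req.on)
               for e in user.entitlements):
        reasons.append(f"no active entitlement for {req.permission} "
                       f"on {req.technical_domain_identifier}")
    return (not reasons), reasons


# Constructed sample user; none of the identifiers are real.
SAMPLE_USER = User(
    person_unique_identifier="P-0001",
    credential=IdentityCredential("CRED-0001", "active", date(2012, 12, 31), 3),
    role="case_officer",
    conditions=[AffiliationCondition("disciplined", date(2010, 6, 1), date(2010, 6, 30), "active")],
    entitlements=[AssignmentEntitlement("HSIN-COI-7", "write",
                                        date(2010, 1, 1), date(2010, 12, 31), "active")],
)


def sample_decisions():
    """Role-based vs attribute-based outcome for the same user on three dates."""
    out = {}
    for label, on in (("in term", date(2010, 3, 15)),
                      ("under condition", date(2010, 6, 15)),
                      ("after entitlement", date(2011, 1, 5))):
        req = Request("HSIN-COI-7", "write", 3, on)
        out[label] = (rbac_decide(SAMPLE_USER, req), abac_decide(SAMPLE_USER, req)[0])
    return out


if __name__ == "__main__":
    for label, (rbac, abac) in sample_decisions().items():
        print(f"{label:18} role-based={rbac!s:5} attribute-based={abac}")
```

The three dates are where the tiers part ways: the role never changes, so the role-based answer stays permit, while an affiliation condition in effect or an expired entitlement turns the attribute-based answer to deny, and the reasons list records which attribute did it. Two design points a practitioner should keep: status and date attributes are checked as of the request date, never cached from enrollment, and anything that cannot be evaluated (missing attribute, unknown status value) falls through to deny rather than a default permit.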
Slide 27: Primary Authority Attributes for Users (diagram slide)
* DHS, Defining User Attributes for ABAC, Waterman & Hammer, 5/15/07.

Slide 28: User Attribute Contract Mappings
• Reveal: contract concept utilization and specialization; policy focus; unused concepts; purpose (AuthN, AuthZ, Security, Preference) coverage; organization and partner alignment; discrepancies
• Support: federation agreements; semantic consensus; policy analysis and development; identifying authoritative-source requirements

Slide 29: Waterman & Hammer Mapping (DRAFT)
The Waterman & Hammer user attributes overlaid on the concept model. Key: Mapped Primary, Mapped Secondary, Specialized, Added. Attribute names as placed on the diagram (the extraction preserves names and rough placement, not exact connections):
• Beside Organization: Employer, Employer Type, Employer Name, Sub-group
• Beside Skill Certificate: Special License
• Beside Person: (Personal Characteristics); beside Skill: Skill, Skill level
• Beside Affiliation / Affiliation Condition: Employee / Other Group Membership, Unique identifier, Employment Type, Special Work Term
• Beside Position: Employee Job Name / Job Designation, Direct Reports, Employment Activity; beside Management level: Management Level
• Beside Assignment / Assignment Condition: Work Assignment, Authorized Purpose, Physical Location, Location Type
• Added: Clearance, Active Clearance
• Beside the Entitlements: Employment Related Authority, Special Authority; Assignment Entitlement carries assign entitle type in place of assign entitle permission
The remaining concept-model attributes (credential, certificate, condition and entitlement dates and statuses, Operational Domain, Activity, Technical Domain) are unchanged.

Slide 30: Waterman & Hammer Values (DRAFT)
Example values annotated on the same mapping diagram:
• group (Employer): State Government, Local Government, Private industry, Foreign Government
• Special License: drive hazardous materials truck, prescribe narcotics
• Employee / Other Group Membership: Veteran, Volunteer, Advisory Board Member
• Employment Type: Employee, Contractor, Detail
• Position (Employee Job Name / Job Designation): OPM Occupational Series
• Work Assignment / Authorized Purpose: Al Qaeda, Mexican Border, Enron Investigation, etc.
• Special Work Term / Employment Activity (exact attribute not recoverable from the extraction): Rater/Reviewer, Sworn Law Enforcement Officer
• Assignment Condition: Probation, Disciplined, Weekend Shift
• Management Level: Supervisor, Program Lead, Senior Executive, Team Leader, Military Rank
• Location Type: Permanent, Temporary, Virtual
• Special Authority (Employment Related Authority): perform arrests, conduct criminal investigations, system admin
Key: Mapped Primary, Mapped Secondary, Specialized, Added.

Slide 31: Federal ICAM BAE Mapping (PIV Card; DRAFT)
Federal ICAM Backend Attribute Exchange (BAE) attributes overlaid on the concept model. Key: Mapped, Specialized, Preference.
• Organization: issuingAgencyCode (FASC-N AC), clearingAgency, organizationIdentifier (F-OI), organizationCategory (F-OC), organization name; relationship label "certifying authority"
• Citizenship: personCitizenshipFIPS10-4Code, usCitizen
• Skill Certificate: certificationType, certificationName, certificationDate (certificate expire date, status, status date, LOA and certification level remain concept attributes without a BAE source)
• Skill: skill identifier, skill level (unmapped)
• Person: photo, fingerprintImage, personGivenName, personMiddleName, personSurname, personNameSuffixText, personSexCode, birthdate, birthplace; Contact Preference: telephoneNumber; Emergency Contact Preference: emergencyContactPersonGivenName, emergencyContactPersonSurname, emergencyContactPersonTelephoneNumber, emergencyContactPersonEmail, emergencyContactPersonPreferenceIndicator
• Identity Credential (the PIV card): chuid, cardIssueDate, cardExpirationDate, cardStatus, cardStatusDate, chuidStatus, chuidStatusDate, issuedID (FASC-N CN), IssuingSystemCode (FASC-N SC), issuedSeries (FASC-N CS), issuedCredentialCode (FASC-N ICI), cardAuthenticationCertificate, keyManagementCertificate, digitalSignatureCertificate
• Affiliation: personOrganizationAssociationCategory (FASC-N POA), employeeNumber (FASC-N PI); Affiliation Condition: affil cond type, affil cond start date, affil cond end date, affil cond status, affil cond status date (unmapped)
• Position: employeeRankText, occupation; Management level (unmapped)
• Operational Domain: nippSectorCode
• Assignment: designatedRole; Assignment Condition (unmapped)
• Activity: esfCode
• Position Entitlement, Assignment Entitlement, Technical Domain: concept attributes only (unmapped)
• Clearance (added): personSecurityClearance, clearanceDate

Slide 32: Federal ICAM BAE Values (PIV Card; DRAFT)
Value lists for the coded BAE attributes:
• cardStatus: ACT - Active; PRO - Provisional; PER - Permanent; SUS - Suspended; TER - Terminated
• organizationCategory (FASC-N OC) and the meaning of organizationIdentifier (F-OI) for each: OC=1 Federal Government Agency (SP 800-87 agency code); OC=2 State Government Agency (State Code); OC=3 Commercial Enterprise (Company Code); OC=4 Foreign Government (Country Code). The Citizenship group is a subgroup keyed by the SP 800-87 code when FASC-N OC = 1.
• personOrganizationAssociationCategory (FASC-N POA): 1 - Employee; 2 - Civil Position; 3 - Executive Staff; 4 - Uniformed Service; 5 - Contractor; 6 - Organizational Affiliate; 7 - Organizational Beneficiary
• nippSectorCode (Operational Domain): 1 Agriculture & Food; 2 Banking & Finance; 3 Chemical; 4 Commercial Facilities; 5 Dams; 6 Defense Industrial Base; 7 Emergency Services; 8 Energy; 9 Government Facilities; 10 Information Technology; 11 National Monuments & Icons; 12 Commercial Nuclear Reactors, Materials & Waste; 13 Postal & Shipping; 14 Public Health & Healthcare; 15 Telecommunications; 16 Transportation Systems; 17 Drinking Water & Water Treatment Systems; 18 Critical Manufacturing
• esfCode (Activity): 1 Transportation; 2 Communications; 3 Public Works & Engineering; 4 Firefighting; 5 Emergency Management; 6 Mass Care, Emergency Housing & Human Services; 7 Logistics Management and Resource Support; 8 Public Health & Medical Services; 9 Search & Rescue; 10 Oil & Hazardous Materials Response; 11 Agriculture & Natural Resources; 12 Energy; 13 Public Safety & Security; 14 Long-Term Community Recovery; 15 External Affairs
Key: Mapped, Specialized, Preference.

Slide 33: DHS HSIN Mapping (DRAFT)
HSIN Credential attributes overlaid on the concept model. Key: Mapped, Specialized, Preference.
• Organization: departmentName, sponsorOrg, agencyOrOrganizationName; Citizenship: country identifier (unmapped)
• Skill Certificate and Skill: concept attributes only (unmapped)
• Contact Information (Preference):
telephoneNumber, phoneExtension, street1, Street2, Street3, email, localityName, StateOrProvinceName, postalCode, co, userUrl, preferedTimeZone
• Person: personalTitle, givenName, middleName, sn, cn, nameSuffix, birthDate, birthplace, gender, Biometrics
• Identity Credential (HSIN Credential): uid/login name, userPassword, uniquePin, loginSecurityQues, answerSecurityQues, twoFactorModule, investigativeSource (the password, PIN and security question/answer sit where the model has credential secret)
• Affiliation: person association with organization, person unique affiliation identifier; Affiliation Condition: affil cond type, start date, end date, status, status date (unmapped)
• Position: job title; Management level: Supervisor / Sponsor
• Assignment: jobRole, coiUserGroupRef, applicantOrgRoleFitCoi, accessReason, coiMmemberOf; Assignment Condition: assign cond start date, end date, status, status date
• Operational Domain: hsinCoiGroup, gid
• Assignment Entitlement: HSIN Access, userActiveStatus, assign entitle start date, assign entitle end date, assign entitle status date
• Technical Domain: apps, referenced app
Key: Mapped, Specialized, Preference.

Slide 34: DOD DMDC EAS Mapping (CAC/PIV; DRAFT)
DoD Defense Manpower Data Center Enterprise Attribute Service attributes overlaid on the concept model. Key: Mapped, Specialized.
• Organization: Duty Organization Sub-Code, Administrative Organization Code, OMP Standard Code, Duty Organization Code, issuingAgencyCode (FASC-N AC)
• Citizenship: Country Of Citizenship, US Citizenship Status Indicator Code
• Person: SSN (PN_ID), Person Last Name, Person First Name, Person Birth Date, Biometrics (birthplace unmapped)
• Identity Credential: card authentication certificate, card barcode id, credentialTypeCode, fingerprintimage, FASC-N (credential issue date, expire date, status, status date and LOA have no DMDC source on this slide)
• Skill Certificate and Skill: concept attributes only (unmapped)
• Affiliation: Persona Type Code / Personnel Category Code, DOD EDI PI / Enterprise User Name, Enterprise Display Name; Affiliation Condition: Guard\Reserve Status Code
• Position: Rank, Pay Plan, Pay Grade, Primary Occupational Code; Management level (unmapped)
• Assignment: Duty Occupational Code; Assignment Condition (unmapped)
• Position Entitlement: Clearance Eligibility
• Assignment Entitlement: Assigned Clearance For Access
• Operational Domain, Activity, Technical Domain: concept attributes only (unmapped)

Slide 35: DHS F/ERO Mapping (DRAFT)
DHS First Responder / Emergency Response Official attributes overlaid on the concept model. Key: Mapped, Specialized.
• Organization: issuer_id (organization unique identifier, relationship to US government and organization names remain unmapped)
• Identity Credential (Id_Credential): serial number, name (DN, FASCN card id), Fingerprint, create_time, expiration, status
• Person: Full name, birthdate, birthplace
• Affiliation: name (FASC-N person id)
• Position: occupation, position type; Assignment: role
• Operational Domain: nippSectorCode
• Activity: esfCode
• Skill Certificate, Skill, the Conditions, the Entitlements and Technical Domain: concept attributes only (unmapped)

Slide 36: GFIPM V2 Concept Model (DRAFT)
Global Federated Identity and Privilege Management (GFIPM) v2 attributes overlaid on the concept model. Key: Mapped, Specialized, Preference. Asterisks and the footnote markers 1-3 on the slide are not resolved in the extraction.
• Organization (Employer / Assignment / Identity Provider*): ORI, Id General Category Code, Name, Sub Unit Name, Organization Category Code; Point of Contact: Street Address, PO Box, City Name, Postal Code, County, State, Country, URI, Full Name, Email, Telephone Number. Organizations named on the diagram: State Government (driver license), U.S. Government (passport), NCIC, Military Branch, Social Security Administration, Employer (local), GFIPM:IDP:JNET:USER (federation)
• Citizenship: Citizen Entry (Passport Id, Country Code); Non-citizen Entry (Visa Number, Visa Category); Driver's License (Driver's license Number) as a representation
• Identity Credential (Electronic Identity): credential unique identifier; PKI Certificate: Effective Date, Expiration Date, Status Code, Proofing Date, Authentication LOA, Proofing LOA, Category; Federation Resources: Federation Id, federation logon; Local Resources: Local Id, Network logon
• Skill Certificate: NCIC Certification; Skill: Language (primary)
• Person: Photo, Signature, Fingerprint Set; Name Prefix, Given Name, Middle Name, Sur Name, Name Suffix, Full Name, Common Name, Display Name; Birth date; Sex, Race, Height, Weight, Eye Color, Hair Color; Contact Information: TelephoneNumber, FAX Number, County Code, Post Office Box, Country Code, Street Address, Postal Code, City Name, Time Zone, State Code, Email address; Emergency Contact Information: Full Name, TelephoneNumber, Email
• Affiliation (Employee / Assignment*): Federation Id (1), Local Id (2), Social Security Number (3), Visa Number, Passport Id, Employee Id; Hire / Start; Military Status Code; Employment Category Code; Occupation Code; Affiliation Category Code; Occupation Category Code; Affiliation Condition: Start Date, End Date, Status
• Position: Position Name, Rank; Management Level (Supervisor*)
• Operational Domain: NIPP Sector Code; Activity: Emergency Support Function
• Security Clearance: Granting Agency, Clearance Level, Effective Date, Expiration Date
• Sanction: Legal Jurisdiction, Employment Jurisdiction
• Assignment, Assignment Condition, Position Entitlement, Assignment Entitlement, Technical Domain: concept attributes only

Slide 37: Federal ICAM BAE & DOD DMDC Mapping Overlay (DRAFT)
Both sources overlaid on one copy of the model, so that attributes the two have in common can be separated from those only one supplies. Key: Common, DoD DMDC, Federal ICAM BAE.
• Organization: Duty Organization Sub-Code, Administrative Organization Code, organizationIdentifier (F-OI), organizationCategory (F-OC), organization name, Duty Organization Code, issuingAgencyCode (FASC-N AC), clearingAgency; relationship label "certifying authority"
• Citizenship: personCitizenshipFIPS10-4Code, usCitizen
• Skill Certificate: certificationType, certificationName, certificationDate; Skill: skill identifier, skill level
• Identity Credential (CAC/PIV Card): chuid, cardIssueDate/cardExpirationDate, cardStatus/cardStatusDate, chuidStatus/chuidStatusDate, issuedID (FASC-N CN), IssuingSystemCode (FASC-N SC), issuedSeries (FASC-N CS), issuedCredentialCode (FASC-N ICI), cardAuthenticationCertificate, keyManagementCertificate, digitalSignatureCertificate, card barcode id, credentialTypeCode
• Person: photo, fingerprintImage, personGivenName, personMiddleName, personSurname, personNameSuffixText, personSexCode, SSN (PN_ID), Person Birth Date, birthplace
• Affiliation: personOrganizationAssociationCategory (FASC-N POA), employeeNumber (FASC-N PI), Enterprise Display Name, Persona Type Code / Personnel Category Code
Category Code be Guard\Reserve Status Code affil cond start date affil cond end date affil cond status affil cond status date Affiliation Entitlement be Position Primary Occupational Code occupation employeeRankText Pay Plan, Pay Grade be managed by Assignment Condition manage Management level be be be a member of Operational Domain nippSectorCode Assignment designatedRole assign cond type assign cond start date assign cond end date assign cond status assign cond status date composed of Activity esfCode Technical Domain affil entitle identifier Clearance Eligibility entitle start date affil entitle end date affil entitle status affil entitle status date Assignment Entitlement assign entitle identifier assign entitle permission assign entitle start date assign entitle end date assign entitle status assign entitle status date Clearance personSecurityClearance clearanceDate DRAFT need be technical domain identifier be be administered by need Key Common DoD DMDC Federal ICAM BAE 37 Contact Information • Karyn Higa-Smith (DHS S&T) – Program Manager, Identity Management – [email protected] • Thomas Smith (JHU/APL) – Senior Engineer, DHS S&T IdM Testbed – [email protected] • Maria Vachino (JHU/APL) – Senior Engineer, DHS S&T IdM Testbed – [email protected] 38 Backup Slides Additional Information IEEE HST 2010 Conference Proceedings: Modeling the Federal User Identity, Credential, and Access Management (ICAM) Decision Space to Facilitate Secure Information Sharing 40 Why A Conceptual Data Model? • Captures Information Requirements • • • • • • Problem specific Technology-neutral Information representation, not process or policy Identifies business terms Establishes contextual consensus Expresses data semantics • Artifacts • • • • • Entities Attributes Relationships Identifiers Problem Terms Mind Your Business: Serving Business with Data Models that Focus Exclusively on Data, J. 
Maguire, 11-26-2008, Burton Group 41 Concept Data Model Uses • Knowledge management • Framework for technology insertion – logical/physical modeling • Establishes conceptual foundation • Baselines technological insertion • Aligns organizational information perception • Identifies important & distinguishing information • Establishes artifacts – entities, attributes, relationships, identifiers, problem terms • Improve productivity and agility • Semantic consensus • Identifies schema translation requirements • Starting point for information sharing agreements • Authoritative sources • Identifies policy information requirements • Policy creation & refinement • Identifies information valued by the enterprise • Identifies policy overlaps and gaps 42
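The concept model slides above repeat one attribute shape across Affiliation Condition, Assignment Condition, Position Entitlement and Assignment Entitlement (an identifier, a permission or type, a start date, an end date, a status and a status date), and put an LOA on the Identity Credential. The Python below is an added example, not code from this deck or from any DHS S&T, JHU/APL or agency implementation: it shows how an attribute-based access decision of the kind the deck defines (a requested action granted only when every applicable condition holds) can be evaluated over exactly those attributes, and why the decision should carry its reasons for audit. The status vocabulary, the permission strings, the `check` helper and all sample records are constructed assumptions.

```python
"""Illustrative evaluation over the ICAM user concept model's time-boxed
entitlement and condition attributes (added example, not the deck's code).
Entity and attribute names follow the concept model; the status values,
permission strings and sample records below are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

ACTIVE = "active"  # assumed status vocabulary; the concept model does not fix one


@dataclass
class TimeBoxed:
    """Shared shape of the model's *cond and *entitle entities:
    identifier, start date, end date, status, status date."""
    identifier: str
    start_date: date
    end_date: Optional[date]  # None models an open-ended end date
    status: str
    status_date: date

    def in_force(self, on: date) -> bool:
        """True only with active status and `on` inside [start_date, end_date]."""
        if self.status != ACTIVE or on < self.start_date:
            return False
        return self.end_date is None or on <= self.end_date


@dataclass
class IdentityCredential(TimeBoxed):
    authentication_loa: int = 1  # the model's credential / Authentication LOA


@dataclass
class AffiliationCondition(TimeBoxed):
    cond_type: str = "employee"  # affil cond type


@dataclass
class Entitlement(TimeBoxed):
    """Position Entitlement or Assignment Entitlement; both carry a permission."""
    permission: str = ""


@dataclass
class Person:
    person_unique_identifier: str
    credentials: List[IdentityCredential] = field(default_factory=list)
    affiliation_conditions: List[AffiliationCondition] = field(default_factory=list)
    entitlements: List[Entitlement] = field(default_factory=list)


@dataclass
class Decision:
    granted: bool
    reasons: List[str]  # empty when granted; otherwise every failed condition


def decide(person: Person, permission: str, required_loa: int, on: date) -> Decision:
    """Grant only when a credential, an affiliation and an entitlement are all
    in force on the requested date; collect every failure for the audit log."""
    reasons: List[str] = []
    if not any(c.in_force(on) and c.authentication_loa >= required_loa
               for c in person.credentials):
        reasons.append(f"no in-force credential at LOA >= {required_loa}")
    if not any(a.in_force(on) for a in person.affiliation_conditions):
        reasons.append("no in-force affiliation condition")
    if not any(e.in_force(on) and e.permission == permission
               for e in person.entitlements):
        reasons.append(f"no in-force entitlement granting '{permission}'")
    return Decision(granted=not reasons, reasons=reasons)


def check(person: Person, permission: str, required_loa: int, on_iso: str) -> Decision:
    """Convenience wrapper (assumed helper) taking the request date as ISO text."""
    return decide(person, permission, required_loa, date.fromisoformat(on_iso))


def sample_person() -> Person:
    """Constructed sample records; none of these values come from the deck."""
    d = date
    return Person(
        person_unique_identifier="PERSON-0001",
        credentials=[IdentityCredential("CRED-PIV-1", d(2009, 1, 1), d(2012, 1, 1),
                                        ACTIVE, d(2009, 1, 1), authentication_loa=4)],
        affiliation_conditions=[AffiliationCondition("AFFIL-1", d(2008, 6, 1), None,
                                                     ACTIVE, d(2008, 6, 1))],
        entitlements=[
            # assignment entitlement limited to a six-month detail
            Entitlement("ASSIGN-ENT-1", d(2010, 3, 1), d(2010, 9, 30), ACTIVE,
                        d(2010, 3, 1), permission="read:incident-reports"),
            # position entitlement whose status was changed to suspended
            Entitlement("POS-ENT-1", d(2009, 1, 1), None, "suspended",
                        d(2010, 5, 1), permission="write:incident-reports"),
        ],
    )


if __name__ == "__main__":
    p = sample_person()
    for when in ("2010-06-01", "2010-12-01", "2012-06-01"):
        print(when, check(p, "read:incident-reports", 3, when))
```

The point of `in_force` is that status alone is not enough: an entitlement that is still marked active but whose end date has passed, or a credential whose expiration date has passed, must fail closed, and the status date tells an investigator when the record last changed. Returning every failed condition rather than stopping at the first one gives the audit trail the deck's policy compliance question needs.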