Office of Information Technology

Access Management

Category: Accounts & Access

Overview

Access management is the process used to grant authorized users the right to use a service, while preventing access to non-authorized users.

For the University of Alaska, the access management service is broken down to Authentication and Authorization.

Authentication, or login, is the establishment of a connection between an identifier (like a username or ID #) and a record of verified information that pertains to that person. In many cases, authentication is established by presenting a password in connection with the identifier, but more rigorous forms of authentication are possible using multiple factors. UA supports central authentication using several protocols. See the AuthN_Methods page for additional information.

Authorization, or access control, is distinct from authentication or login. When a person logs in or authenticates, the result is the identification of the online user with a specific digital identity. Most services require additional information to determine what services or permissions are appropriate for that person: for example, whether that person may edit data as well as read it, or whether that person can change system settings or access restricted information. That determination is always made by the application, but it may be assisted by receiving authoritative information about the person from a central service. UA's central authentication service has extensions that can provide applications with information such as the authenticated user's campus, student and employee status, department, and other role information that can be used by the application to determine the level of service to provide. See also Trusted Third Party secure access to resources for additional information.

Service Users

Access Management
The access management service is available to information service providers.

Affiliates
Any UA department may sponsor affiliates or work directly with the OIT Support Center to sponsor affiliates.

Authentication
All UA-affiliated persons are assigned unique identifiers and can establish their own password for use with many UA services.

Authorization
Applications that rely on UA central authentication service using any of the following protocols (LDAP, CAS, AuthServ, Shibboleth) can, if pre-arranged, receive additional role or attribute data about authenticated users.

Requirements

Access Management
1. Service owners are responsible for configuring their services' authorization decisions. The central service provides attributes on which that decision can rely, such as student or faculty status or custom roles.
2. Custom roles can be created, provisioned and relayed to services as users log in (example: EMPLADMINXYZ may edit Directory records in units in college XYZ). This requires collaborative development and deployment to meet business requirements.

Affiliates
Affiliates or guests have digital identities in UA's central authentication system, but they do not automatically gain access to all information services; each service determines what level of service to provide to affiliates or guests.

Application Integration
OIT provides central authentication and can release attributes (e.g., UA roles) to applications using LDAP, CAS, or SAML.

Authentication
Applications or services must be able to utilize one of the several supported protocols for central authentication, including Kerberos, Microsoft Domain authentication, LDAP, CAS, or Shibboleth.

Authorization
Generally, only data stored and maintained on UA central systems is available, such as employee or student data. It is possible to create and store additional data relevant to a particular application (groups or classes of users) if the application owner is able and willing to maintain those data.

Rates

This service is free of charge to users.

Get Started

Initiate a service request through the OIT Support Center.

Availability

Requests and planning for access management are addressed during university business hours. After a request is received, affiliate or guest status is generally granted on the same business day that the completed sponsorship form is received. Once assigned and integrated, this service is available 24 hours a day, 7 days a week. Exceptions include scheduled maintenance and unplanned outages.

Getting Help

Customers request general assistance and report problems with this service through the OIT Support Center.