Identify User

Process Module: Deliver Entity

Process Title: Identify User

Definition: Identify User describes the process by which a user requesting a resource or service is identified and their credentials are checked and verified. First, the user’s identity is authenticated. Next, the user is authorized to access an application or resource based on attributes tied to their identity.

The Identity Manager that maintains the user’s credentials is also validated as a trusted system. The user could be a person using a computer, the computer itself, or a computer program, and could use protocols such as LDAP, Shibboleth, Secure Shell keys, and certificates.

Workflow / Process Diagrams:

Use Cases:

  1. An alumnus visits his college’s library and uses a public access computer to search a licensed resource (IP filtering).
  2. At the beginning of a session, a student logs in with user name and password to access the complete range of resources offered by his library (LDAP).
  3. A professor from a member library of a consortium that uses Shibboleth requests access to a licensed commercial video from a video repository. A student requests access to a lecture in the video repository. (Shibboleth)
  4. An emeritus professor logs in with user name and password to use his university’s interlibrary loan request service. (LDAP)
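The following Python model is an added example, not part of this process definition, showing the two steps the definition describes (authenticate the principal, then authorize it by attributes) for each of the use cases above. The directory entries, campus network, federation partner and access policy are constructed sample data; an HMAC over the asserted attributes stands in for the signature a Shibboleth identity provider would put on a SAML assertion, which is what lets the service confirm the Identity Manager is a trusted system before it reads any attributes.

```python
from typing import Optional
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Constructed sample data (hypothetical): a password directory standing in for
# LDAP, the campus network used for IP filtering, the federation partners whose
# assertions are trusted (Shibboleth), and the access policy keyed by affiliation.
_SALT = b"constructed-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


DIRECTORY = {
    "student42": {"hash": _pw_hash("correct horse"), "affiliation": "student"},
    "emeritus7": {"hash": _pw_hash("battery staple"), "affiliation": "emeritus"},
}
CAMPUS_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
TRUSTED_IDPS = {"idp.member.example": b"constructed-federation-secret"}
POLICY = {
    "licensed_db": {"onsite-guest", "student", "faculty", "emeritus"},
    "licensed_video": {"student", "faculty"},
    "ill_request": {"student", "faculty", "emeritus"},
}


@dataclass
class Principal:
    identifier: str
    affiliation: str
    authenticated_by: str


def authenticate_ip(addr: str) -> Optional[Principal]:
    """Use case 1: an on-site public terminal is identified by its address only."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in CAMPUS_NETWORKS):
        return Principal("guest@" + addr, "onsite-guest", "ip-filter")
    return None


def authenticate_password(user: str, password: str) -> Optional[Principal]:
    """Use cases 2 and 4: user name and password checked against the directory."""
    entry = DIRECTORY.get(user)
    candidate = _pw_hash(password)
    # Compare against a dummy hash for unknown users so that response time does
    # not reveal which user names exist.
    stored = entry["hash"] if entry else bytes(len(candidate))
    if entry is not None and hmac.compare_digest(candidate, stored):
        return Principal(user, entry["affiliation"], "ldap")
    return None


def sign_assertion(issuer: str, subject: str, affiliation: str) -> str:
    """Tag an attribute assertion the way a trusted identity manager would
    (an HMAC over the fields stands in for a SAML signature here)."""
    msg = "|".join((issuer, subject, affiliation)).encode()
    return hmac.new(TRUSTED_IDPS[issuer], msg, "sha256").hexdigest()


def authenticate_assertion(issuer: str, subject: str, affiliation: str,
                           tag: str) -> Optional[Principal]:
    """Use case 3: accept attributes only from a validated, trusted identity manager."""
    secret = TRUSTED_IDPS.get(issuer)
    if secret is None:
        return None  # issuer is not a trusted system; reject before using attributes
    msg = "|".join((issuer, subject, affiliation)).encode()
    expected = hmac.new(secret, msg, "sha256").hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # assertion altered or not issued by the named identity manager
    return Principal(f"{subject}@{issuer}", affiliation, "shibboleth")


def authorize(principal: Optional[Principal], resource: str) -> bool:
    """Second step: an authenticated principal is granted the resource only if an
    attribute tied to its identity satisfies the policy for that resource."""
    if principal is None:
        return False
    return principal.affiliation in POLICY.get(resource, set())


if __name__ == "__main__":
    tag = sign_assertion("idp.member.example", "prof", "faculty")
    checks = [
        ("alumnus on public terminal -> licensed_db",
         authorize(authenticate_ip("198.51.100.7"), "licensed_db")),
        ("student via LDAP -> licensed_video",
         authorize(authenticate_password("student42", "correct horse"), "licensed_video")),
        ("professor via Shibboleth -> licensed_video",
         authorize(authenticate_assertion("idp.member.example", "prof", "faculty", tag),
                   "licensed_video")),
        ("emeritus via LDAP -> ill_request",
         authorize(authenticate_password("emeritus7", "battery staple"), "ill_request")),
    ]
    for label, granted in checks:
        print(f"{label}: {'granted' if granted else 'denied'}")
```

Note that `authorize` never consults the credential itself, only the affiliation attribute carried by the `Principal`; the identification step is the only place credentials and the trustworthiness of the issuing identity manager are examined, which keeps the two steps in the definition separate.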

Reference(s):

  1. (NLA Services Framework 1.1: Authenticate) Verify whether an identity claim made by an individual or entity (the principal) is true. The principal may be a person using a computer, the computer itself, or a computer program.
  2. (NLA Services Framework 1.2: Authorise) Establish if an authenticated principal is permitted to perform a specific operation based on policy.
  3. (e-Framework Service Genre: Authenticate) Describes authentication, the process of uniquely identifying an individual or entity (the principal) based on objects provided for verification (credentials). Credentials should be difficult to falsify or forge, either by keeping them secret or by making them difficult to replicate. Authentication seeks to ensure that the principal is who they claim to be. The degree of certainty varies according to implementation and business context. Authentication typically verifies the principal’s association with an electronic identifier. Authentication may also determine that the principal has certain attributes or is a member of specified or predetermined groups. In security systems, authentication is distinct from authorization, which is the process of establishing what a principal is permitted to do, their access rights to system objects based on their identity.
  4. (e-Framework Service Genre: Authorise) Process of establishing what a principal is permitted to do. Authorisation typically occurs after authentication so that the principal can be identified. Authorisation may also use a principal’s attributes, information about what the principal is intending to do (the target), and environment information to make authorisation decisions.
  5. (CollectionSpace Functional Requirements: Rights Management) The management and documentation of the rights associated with the objects and information for which the organization is responsible, in order to benefit the organization and to respect the rights of others.