Croquet Security Higher Ed Requirements
Ron Stewart, Ph.D.
University of Wisconsin, Madison

Requirements for Higher Ed:
- Access/AuthZ Requirements
- Identity/AuthN Requirements
- System Requirements and Desirables
- Issues

Access Requirements (1):
- Rights (partial list):
  - Read/View
  - Author
  - Co-Author
  - Version
  - Create in a space
  - Publish to WB
- Ability to Grant Access Rights and delegate
- Owner grants usage rights (update, change location, etc…) to a user, group, or role
- Hierarchical Path (Authorization Path)
- Hierarchical Rules

Access Requirements (2): Hierarchical Rule Example
1. Objects default viewable by Lit 101 students
2. Only Instructor can view quiz answers
Rule 2 > Rule 1

Access Requirements (3):
- Control entry access to Spaces (hierarchically)
- Control access to Users via Avatars

Access Requirements (4):
- Based on IP (Lexis/Nexis)
- Based on Identity (Library good citizens, Registration)
- Based on Group (Fac/Staff)
- Based on Role (Manual)

Access Admin Requirements:
- Users self-admin own objects (or delegates, or distributed admin, or enterprise-level admin)
- User grants auth at any level (user, space, etc…)
- Must be able to identify user groups/roles (students in class, users at a campus)
- Must be able to identify groups of objects (all Chem 101 objects)
- Must be able to identify objects by the space they are in.

Identity/Authentication Requirements:
- Users
- Objects

Identity/Authentication Requirements (Users):
- Use existing AuthN system (e.g. Kerberos, Shibboleth, LDAP, GSS-API, X.509)
- Identify an individual
- Authenticate via a local (possibly untrusted) service or an institution-wide globally trusted service
- Logout/de-authenticate with removal of tokens/cached objects (kiosks)
- Private conversations (encryption)
- Non-repudiation (test submission)
- Identity credential pass through (e.g. X, implies SSO and Peer Trust)

Identity/Authentication Requirements (Objects):
- Authenticity of an object

System Requirements:
- Reliability
- Integrity
- Availability
- Use existing Enterprise admin mechanisms
- Hierarchical

Desirables:
- Scalability (obj/rights pairs)
- Scalability (simultaneous Authorization requests)
- Scalability (simultaneous users)
- Scalability (simultaneous logins)

Identity/Authentication Issues:
- What happens to a user’s objects when the user leaves the University?
- Model of Trust across institutions?
- Can a user be logged in to two or more IPs simultaneously?
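
Added example (not part of the original slides): one way to evaluate the Hierarchical Rule Example along an authorization path, so that the quiz-answers rule overrides the Lit 101 default. The space paths, group and role names, the default-deny fallback and the "deepest rule on the path wins" precedence are all assumptions made for this illustration.

```python
# Added illustration: hierarchical authorization rules where the rule attached
# deepest on an object's authorization path overrides more general ones.
# Space paths, principal names and the precedence model are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    path: tuple            # node in the space hierarchy the rule is attached to
    right: str             # e.g. "view"
    principals: frozenset  # users, groups or roles granted the right


def split(path):
    """'lit101/quiz1/answers' -> ('lit101', 'quiz1', 'answers')"""
    return tuple(part for part in path.split("/") if part)


def is_allowed(rules, memberships, right, obj_path):
    """Decide `right` on `obj_path` for a user holding `memberships`."""
    obj = split(obj_path)
    # Keep rules for this right whose path is a whole-component prefix of the
    # object's path, so "lit101" never matches a space named "lit1010".
    matching = [r for r in rules
                if r.right == right and obj[:len(r.path)] == r.path]
    if not matching:
        return False  # no rule anywhere on the path: default deny
    deepest = max(len(r.path) for r in matching)
    # Only the most specific rule(s) decide; broader grants are overridden.
    return any(memberships & r.principals
               for r in matching if len(r.path) == deepest)


# Constructed sample rules mirroring the slide's two-rule example.
RULES = [
    # Rule 1: objects default viewable by Lit 101 students
    Rule(split("lit101"), "view", frozenset({"group:lit101-students"})),
    # Rule 2: only the instructor can view quiz answers
    Rule(split("lit101/quiz1/answers"), "view", frozenset({"role:instructor"})),
]

STUDENT = frozenset({"user:alice", "group:lit101-students"})
INSTRUCTOR = frozenset({"user:bob", "role:instructor"})

if __name__ == "__main__":
    for who, held in (("student", STUDENT), ("instructor", INSTRUCTOR)):
        for obj in ("lit101/syllabus", "lit101/quiz1/answers"):
            print(who, obj, is_allowed(RULES, held, "view", obj))
```
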