Penn Computing

Sunday, July 6, 2008

 

Authentication and Authorization initiatives

Authentication is the process of confirming a user's identity. Authorization determines what services and access a user is authorized for.

Authentication

Penn's campus-wide authentication system is PennKey (www.upenn.edu/computing/pennkey). PennKey supports two authentication protocols: Kerberos and RADIUS.

PennKey uses PennNames to ensure a single campus-wide namespace (i.e., to avoid different people being assigned the same user ID). Developers and systems administrators creating accounts and IDs for new users are strongly encouraged to use the PennNames service and to avoid creating numerous different IDs for people.

Campus web developers who want to use PennKey to authenticate users to their web-based applications may use Penn's Web Security Module. The Web Security Module allows application developers to require successful PennKey authentication and provides the user's PennID for use in determining whether or not the user is authorized for the application.

PennKey and the Web Security Module are authentication systems only. PennKeys are issued to a wide range of individuals, including faculty, staff, students, guests and visiting scholars, to list just a few. Possession of a PennKey alone therefore tells the application owner nothing about what the end user is authorized to do. Application developers must make sure that, after authenticating users, they determine whether or not each user is authorized to use their application.

Authorization

Authorization is usually done in one of two different ways. Often, a user's affiliation can be used to determine whether or not they are authorized to use an application or service. Biographical/demographic (bio/demo) data such as a user's affiliation (e.g. faculty/student/staff) or School/Department can be used to make authorization decisions. In other cases, there is no single piece of bio/demo data that can be used to make an authorization decision; instead, authorization is based on "need to know". For example, authorization for access to the minutes of a Dean search committee would be based on the list of all committee members. Such lists are known as Access Control Lists, or ACLs.

It is the responsibility of application developers to ensure proper authorization is performed before granting access to sensitive applications.
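The following added example (not Penn's code and not the Web Security Module's API) shows the two authorization styles described above, affiliation-based rules and ACLs, applied after authentication with a default-deny result. The PennIDs, directory entries, resource names and the `is_authorized` function are constructed for illustration; the PennID is assumed to have been supplied by the authentication layer.

```python
"""Authorization after authentication: affiliation rules and ACLs, default deny."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: PennID -> bio/demo attributes (hypothetical data).
DIRECTORY = {
    "10000001": {"affiliations": {"faculty"}, "school": "SAS"},
    "10000002": {"affiliations": {"student"}, "school": "SEAS"},
    "10000003": {"affiliations": {"guest"}, "school": None},
}

@dataclass(frozen=True)
class Policy:
    # Affiliation-based rule: holding any of these affiliations qualifies.
    allowed_affiliations: frozenset = frozenset()
    # Optional narrowing by School/Department; None means any school.
    allowed_schools: Optional[frozenset] = None
    # "Need to know" rule: explicit list of PennIDs (the ACL).
    acl: frozenset = frozenset()

# Hypothetical resources, one per authorization style described in the text.
POLICIES = {
    "course-site": Policy(allowed_affiliations=frozenset({"faculty", "student"})),
    "sas-faculty-portal": Policy(frozenset({"faculty"}), frozenset({"SAS"})),
    "dean-search-minutes": Policy(acl=frozenset({"10000001"})),
}

def is_authorized(penn_id, resource):
    """Decide access for an already-authenticated PennID; deny unless a rule matches."""
    policy = POLICIES.get(resource)
    if not penn_id or policy is None:
        return False  # no authenticated identity, or no policy defined: deny
    if penn_id in policy.acl:
        return True  # explicitly listed, e.g. a committee member
    person = DIRECTORY.get(penn_id)
    if person is None:
        return False  # authenticated, but no bio/demo record to decide on
    if not (person["affiliations"] & policy.allowed_affiliations):
        return False  # valid identity, wrong affiliation
    return policy.allowed_schools is None or person["school"] in policy.allowed_schools

if __name__ == "__main__":
    for pid in DIRECTORY:
        for res in POLICIES:
            print(pid, res, "ALLOW" if is_authorized(pid, res) else "DENY")
```

The guest identity `10000003` authenticates like any other but is denied everywhere, which is the gap the page warns about when an application stops at authentication.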

Last updated: Tuesday, January 2, 2007


Information Systems and Computing
University of Pennsylvania