Currently most data and applications provided within the CANRI framework are publicly accessible, with no restriction and few registration requirements. Where registration or user login is required this has been independently implemented in each application.

The current situation presents a number of weaknesses:

1. Sharing sensitive data within the CANRI framework requires considerable effort on the part of the Data Custodian and the application builders. Data are either not served or it are expensive to serve.
2. The levels of security development vary between applications.
3. Duplication of development effort.
4. Users with access to many restricted data and applications have to remember many UserIDs and passwords. This degrades the user experience, increases administration load, and adds a security risk as users will use weak passwords, or write them down.

The Access Management project will implement infrastructure that provides a central repository for usernames passwords and permissions that can be accessed by applications and datasets within the CANRI framework to ensure that the user making the request is properly authorised to do so. This system can be used by data custodians to build in authentication and authorisation into their applications or data. This has the following benefits:

1. Enables agencies to more easily share sensitive information.
2. Enables users to have a single UserID and password for access to all the data and applications within the CANRI framework for which they are registered and approved.
3. Allows a variety of authorisation policies to suit data custodian requirements
4. Facilitates stronger authentication in the future such as digital signatures, tokens or PKI.
5. Reduces costs of implementing authentication in applications.
6. Reduces the risks of weak application authentication design.

Simple administration, delegated administration, user self-registration and profile management.

This project includes the establishment of the authentication service within the DLWC computing environment, and the design of a number of models for use by data and application custodians.

One pilot project will be implemented to evaluate the system, the technology, and assess its effectiveness. Assessment of the administration loads placed on DLWC and resource custodian staff is included in the pilot evaluation.

This project does not include the upgrade of data custodian web servers or application as required to implement authentication (other than the pilot project).

The project also includes finalisation of the draft strategy developed in the 2001-2002 Authentication consultancy.

This project is dependent on the final outcomes of the 2001-2002 Authentication consultancy.

CA eTrust Access Control policy store will be located on one of DLWC’s Solaris web servers. It will access an eTrust Directory store.

OR

The Netegrity SiteMinder Policy Server will be located on one of DLWC’s Solaris web servers. It will access an existing directory store (iPlanet – free with Solaris 8; Netware e-Directory – existing).

Web agents will be installed (included in licence fees) on appropriate data custodian web sites.

Delegated management will allow access to the policy server by data custodians for administration.

A 500 user licence is sufficient for first year of operation.

DLWC infrastructure has the capacity for this implementation and are willing to contribute in-kind.

Agency chosen for Pilot will be willing to participate and contribute in-kind.

Vendors will be able to deliver to the requirements outlined in the 2001-2002 Authentication Consultancy.