CUAccess - Glossary

Last Updated: 05/18/2011

Identity: The set of personal characteristics by which an individual is recognizable.

Role/Group: Based on who they are, identities can belong to roles and groups. A professor on campus may have the role of “faculty member” and may belong to the Faculty Affairs Committee.

Authentication: This is how users prove they are who they say they are. OIT’s chosen method for authentication is Kerberos.

Authorization: This entails taking identification information and granting or not granting access to a service, resource, etc. based on that identity. A user’s role determines what they are authorized to have access to.

Enterprise Directory: In 2001,OIT implemented a directory on the CU-Boulder campus where identity information of students, faculty, staff, and many university affiliates is stored and can be looked-up quickly and efficiently using a standard protocol known as LDAP – Lightweight Directory Access Protocol. Many key services and applications on campus now use the LDAP directory to retrieve information about people. This directory is known as the Enterprise Directory.

Kerberos authentication framework: How the CU-Boulder campus uniquely identifies and allows someone to prove they are who they say they are. Kerberos uses two key pieces of information to do so: IdentiKey and password.

Information stored in the directory includes typical directory-type data, such as name and phone number, but also specific information about each person’s affiliation with the university, such as job class and title, department, or, for students, year and major. Managing this data and creating new data from it, such as user groups and roles, is what is called identity management (IdM). Assigning access permissions to individuals, roles, or groups is what is called identity and access management.

CUAccess: An Identity and Access Management tool built on HP’s Select Access product. It makes managing web resources simple, secure, and specific.