
Appendix 3. Business Use for Applications and

Introduction

In order to help understand the contribution a Directory can make to the government sector it may be helpful to examine three areas.

  • What are directories and what do they do?

  • What is a "Community of Interest"?

  • Creating a "Departmental Security Officer" (DSO) community of interest

What are Directories and what do they do?

An easily recognisable form of a directory is Telecom's telephone White Pages. Given a person or organisation's name, their respective telephone numbers can easily be looked up. This is the essence of what a directory is and does: given one item of information about something, the directory provides more information about it. This is often not an exact process - there may be several candidates to choose from. However, by using other known information about the person or organisation, such as the address details also stored in the directory, the search quickly converges on the desired entry.

The following table gives some differences between telephone directories and electronic network directories.

| Telephone Directory | Network Directory Service |
|---|---|
| A physically published document | A dynamic service offered across a network |
| Accessed directly | Usually accessed indirectly via an application |
| Distributed with multiple physical copies | Distributed over the network integrating one or more instances of a directory |
| Read only. Update is a separate process | Optimised for read access, but can be updated |
| Updated by physical redistribution of the whole directory once a year | Incrementally updated in near real time |
| No control over access to contents | Relatively fine grained control over what can be seen and what can be modified |

The need for electronic Directory services has only emerged in the last 10 years or so. Before that, computers were largely isolated from each other and stored all data and applications locally. Now, most computers are connected to a network of some sort and users access many of their applications and much of their data over a network.

This interconnection of computers and applications across networks brings benefits but also creates new problems. For example, users need to be able to locate services, people, and data wherever they are on the network. Once these have been located, it is then necessary to be able to prove that people are who they say they are before being allowed to use a service or being granted access to data. Thus, people can access applications from work or home or when on the move. Also, increasingly people can work collaboratively at a distance.

Directory services are designed to fill the need to make required cross-reference information available in a controlled fashion throughout the network.

Authentication is the process of confirming to a level of confidence that an entity (person, computer, application) is who or what it says it is. This requires that the entity to be authenticated supplies some set of information which is then compared to information held by an independent and trusted source. If it matches, then the entity is who it says it is (and vice versa). The Directory service's role in the process is to be that independent and trusted source.

Having determined that an entity (person, computer, application) is who it says it is, authorisation is the process of determining exactly what services and/or data it is entitled to access. To this end, the Directory holds the rights or rules covering what all entities can or cannot do.

In summary, the role of a Directory service in both authentication and authorisation is to be the secure, searchable, and distributed repository for holding the authoritative information required to support these processes.

What is a "Community of Interest"?

As already alluded to, "Community of Interest" was chosen as a term that can cover a wide range of possible uses, including notions of groups, teams and 'clubs'. Two examples of communities of interest in the government context are:

  • An across-agency team working on a policy development project in, say, the education sector, which in turn might be hosted using the S.E.E. Shared Workspace solution.

  • All Departmental Security Officers who might form a specific community for the purpose of sharing computer-related security information, supporting each other and co-ordinating their efforts.

The following diagram illustrates the relationship between communities of interest, organisations and persons. It shows how individuals (either in their own right or by virtue of holding a specific role) can participate in a community of interest. Each community is assumed to operate under a set of rules ("membership rules") set by its convenor or moderator, and all this information about the community of interest is held in the directory.

The relationship between communities of interest, organisation and persons.

The most common form of participation would be by means of an organisation enrolling its staff in a particular community of interest, such as an across-agency policy development team. Another would be where the convenor is charged with establishing the criteria for a new community and then recruits or co-opts people into the community. An example of the latter is a possible community of Departmental Security Officers.

The S.E.E. Directory will play an important role in facilitating the formation and operation of communities of interest:

  • Organisations can notify the Directory of all of their personnel (employees and contractors) together with their job titles, roles, skills, interests etc.

  • The convenor of a community of interest (e.g. when creating a cross-agency team) can then use the Directory to locate:

      • All the agencies which should be involved in the project

      • Appropriate staff in each agency to invite or co-opt onto the project team

  • Convenors themselves can also be identified as such in the Directory, so that they can also be located, e.g. by a person wishing to have input into a particular area of interest.

  • When a person moves into or out of a role such as Departmental Security Officer, then the appropriate Community of Interest records can be updated automatically and the convenor notified accordingly.

Once the S.E.E. Directory is in place, the Community of Interest mechanism will become a very powerful means of facilitating across-agency collaboration and interaction.

Creating a "Departmental Security Officer" (DSO) community of interest

The best way to see how this might work is to explore a particular example, in this case the one noted above of creating a community of interest for all Departmental Security Officers (DSOs).

Once the base entry has been created in the directory for this new community, the convenor would need to establish the criteria by which people could be included. To do this the convenor would simply carry out a series of searches on the Directory to decide on the most useful criteria for his or her purposes. Examples of these searches would be:

  • All Roles where the word "security" appears in the title

  • All Roles where the word "security" appears in the text of the job's description

It is quite likely that these two searches would produce different results both in terms of the candidates identified and in terms of the make-up of the resulting group. Once the convenor is happy with the 'best' search, this can then be used to establish the community's "membership rules". Thus anyone who satisfies the set criteria can be automatically made a member of the community, without any further intervention on the part of the convenor.

However, the convenience of automatic membership of a community is just the beginning. Not only does it lower the cost of administration for communities, but it can also be used for other purposes as well, including:

  • immediate use as an email group

  • controlling access to a private web site with information targeted for DSOs in their role

  • establishing a private collaborative workspace for DSOs to share resources, ideas and issues, via the S.E.E. Workspace initiative

  • allocating digital certificates, via the S.E.E. PKI initiative, for the circulation of private correspondence between DSOs
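
The two searches and the resulting membership rule, as an added illustration (not code from the report). The directory entries, the field names and the `dso_rule` function are constructed for the example; it shows how the title and description searches return different groups, and who a rule admits once membership also gates access to the private site.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Role:
    holder: str        # person currently holding the role
    agency: str
    title: str
    description: str

# Constructed sample directory entries (not real people or agencies).
DIRECTORY = [
    Role("A. Ngata", "Agency A", "Departmental Security Officer",
         "Owns the agency's protective and IT security policy."),
    Role("B. Smith", "Agency B", "IT Manager",
         "Runs infrastructure; acts as departmental security officer."),
    Role("C. Jones", "Agency C", "Security Guard",
         "Staffs the front desk and issues visitor passes."),
    Role("D. Patel", "Agency D", "Policy Analyst",
         "Advises on social security benefit settings."),
]

def search(entries, field, word):
    """Case-insensitive substring search on one attribute; returns holders."""
    word = word.lower()
    return {e.holder for e in entries if word in getattr(e, field).lower()}

def dso_rule(entry):
    """Tighter membership rule: the full role name in title or description."""
    text = f"{entry.title} {entry.description}".lower()
    return "departmental security officer" in text

def members(entries, rule):
    """Membership is derived from the directory on every call, never stored."""
    return {e.holder for e in entries if rule(e)}

def may_access_dso_site(holder, entries, rule=dso_rule):
    """Access check for the private DSO site: rule membership is the only gate."""
    return holder in members(entries, rule)

by_title = search(DIRECTORY, "title", "security")
by_description = search(DIRECTORY, "description", "security")

if __name__ == "__main__":
    print("title search:      ", sorted(by_title))
    print("description search:", sorted(by_description))
    print("rule members:      ", sorted(members(DIRECTORY, dso_rule)))
```

Because the rule admits members without the convenor's intervention, whoever can modify the title and description attributes it reads can effectively change who has access, so write access to those attributes needs the same care as the resources behind the community.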

