User Management #

The following guide is intended for maintainers responsible for an application hosted on the AppDat platform. This guide details the processes and requirements surrounding AppDat user management.

Authentication Selection #

By default, all AppDat applications that require authentication are assumed to use the official NASA authentication method prescribed by NASA ICAM. However, AppDat does offer the ability to work with external authentication services under the conditions described in the External User Authentication section below.

External User Authentication #

Currently, AppDat supports the following external identity provider services for trusted external partner access (the assessed identity assurance level of each is given in parentheses):

  • Google (IAL1)
  • ORCID (IAL1)
  • Login.gov (IAL2)

Approval to use any of the above external user authentication providers is managed via the following process. An AppDat maintainer is required to complete the following steps:

  1. Perform an Identity Assurance Assessment
  2. Review assessed assurance level
  3. Perform Risk Assessment

Perform Identity Assurance Assessment #

The first step in using an external identity provider is to perform an impact assessment as defined in NIST SP 800-63-3 Section 5.3. AppDat has an easy-to-use Identity Assurance Assessment (IAA) form that walks the system maintainer(s) through the process of determining which identity providers can be used. The form walks through the following process:

NIST IAA

Review Assessed Assurance Level #

Once an Identity Assurance Assessment (IAA) form has been completed by the requesting AppDat maintainer, an AppDat SRE will schedule a review of the IAA. The next steps in the process depend on which of the following scenarios applies.

Scenario 1: Assessed assurance level matches desired #

If the assessed assurance level matches, or is lower than, the assurance level of the desired identity providers, then no risk assessment or review is required, and the AppDat SRE can proceed with establishing the desired identity providers in the customer’s Keycloak realm.

Scenario 2: Assessed assurance level greater than desired #

If the assessed assurance level is higher than the assurance level of the desired identity providers, then a risk assessment report and review must be completed. This assessment will document the risk mitigation factors in support of a “Risk Based Decision (RBD)” allowing the application to implement an identity provider service that does not meet the assessed assurance level required. This process is handled on a case-by-case basis, and approval requires system and data owner reviews for both AppDat and the applicable application.

NASA user management #

NASA end user management is still primarily done via NASA’s IdMax system. The only caveat is that AppDat user provisioning and deprovisioning is handled manually by the appropriate AppDat maintainers via the AppDat Keycloak administration web application.

External identity user management #

For systems integrated with an external user identity provider, user management places a larger set of requirements on the AppDat maintainers responsible for the given application hosted on AppDat.

User Management Roles #

AppDat customers who have systems integrated with an external user identity provider need to assign representatives to the following roles:

  1. Information Security Officer (ISO) or ISO designee(s): responsible for approving new user account creation, and for approving new role or group assignments on existing users.
  2. User Administrators: responsible for administrating user roles and group assignments within the AppDat Keycloak service.

User Access Requests #

AppDat customers are responsible for establishing their own external user access request processes, which would include:

  1. Request and approval of new user system accounts
  2. Modifications to an existing user system account
  3. Removal of user system accounts

Annual Review #

AppDat customers are responsible for reviewing all external user system accounts on an annual basis.