Infrastructure for Identification, Authentication and Authorization (I2A2): Why Use?
Why Use I2A2?
Here is a discussion of possible uses of I2A2, provided by George Wyncott.
Access to Purdue University resources, services, and benefits often takes place as a transaction in which someone identifies himself or herself to the resource provider and the provider supplies the requested resource, service, or benefit.
For example, the Microsoft Campus Agreement makes it possible for most Purdue faculty, staff, and students to purchase Microsoft software for only the cost of media and distribution. During the first year or so of the agreement, if someone presented a Purdue ID card to a BoilerCopyMaker sales clerk and signed a form, software was sold to the cardholder. The purchaser received a Purdue benefit. This benefit was not and is not intended for alumni, ex-students, former employees, or even all current employees. However, if the Purdue ID card doesn't have an expiration date on it, how do we know the card is still valid? Even if the card is valid, how can we tell if the cardholder is eligible for this specific University benefit?
Another example is use of restricted resources such as Purdue e-mail or web access to controlled material. To access these resources, a person typically provides an identifier (a registered alias) and a password for authentication. However, not everyone with a valid Purdue identifier and password combination is entitled to use the same resources. Access to WebCT pages may be limited to instructors and students enrolled in a given course. Persons working for the University as outside consultants may have use of a Purdue e-mail account but they may not be authorized to use licensed on-line journals from the Purdue Libraries. Without using a separate password for each resource, how can access to eligible resources be controlled?
These problems of identification, authentication, and authorization are addressed by Purdue's I2A2 project. No, it's not a Star Wars robot. I2A2 stands for "Infrastructure for Identification, Authentication, and Authorization." It provides the framework for computer-based applications to authenticate the identity of someone trying to use Purdue resources over a data network and it can help answer questions about a person's association with the University and his or her authorization to use various resources. I2A2 helps assure that University resources, services, and benefits are delivered only to persons entitled to them.
Each person associated with the University has been assigned a publicly available ten-digit Purdue University Identification number (PUID), analogous to a badge number. Each night, I2A2 associates PUIDs with current information from a variety of official University records. Based on the requirements of Purdue service providers, this information is condensed into a set of "characteristics." Each characteristic has a value of "Yes" or "No". For instance, characteristics might include Employee, Student, Limited-Term Lecturer, Registered in CHEM 157, or Eligible for Recreational Sports Center usage. Computer-based application programs (developed by the service provider) can query these characteristics to see if someone fits the service provider's criteria for access to a University resource. Logical expressions can be used to combine characteristics, such as "Is the person with this PUID a Purdue employee (but not a limited-term lecturer) who is registered for CHEM 157?" New characteristics can be added as needed for each service provider. Service providers who utilize I2A2 are using the same data for their decisions, reducing the need for duplicate data files to be distributed around campus.
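As an added illustration (not part of the original article or of Purdue's I2A2 software), the following Python sketch evaluates a characteristic query of the kind described above against a constructed nightly snapshot. The PUIDs, characteristic names, and expression format are assumptions; the point is that every characteristic is a Yes/No value, a policy is a logical combination of them, and anyone absent from the snapshot is denied.

```python
# Added example: a minimal evaluator for I2A2-style characteristic queries.
# Hypothetical data and expression syntax; not Purdue's actual I2A2 interface.

# Constructed nightly snapshot: PUID -> characteristic name -> True (Yes) / False (No)
CHARACTERISTICS = {
    "0012345678": {"Employee": True, "Limited-Term Lecturer": False, "Registered in CHEM 157": True},
    "0098765432": {"Employee": True, "Limited-Term Lecturer": True, "Registered in CHEM 157": True},
    "0055555555": {"Student": True, "Employee": False, "Limited-Term Lecturer": False,
                   "Registered in CHEM 157": True},
}

def has(puid, name):
    """Look up one characteristic. A characteristic that was never computed for
    this person reads as No (deny by default); because a negated term would then
    read as Yes, the nightly job should compute every characteristic for everyone."""
    return CHARACTERISTICS.get(puid, {}).get(name, False)

def evaluate(puid, expr):
    """Evaluate a policy expression against a PUID's characteristics.
    expr is a nested tuple: ("char", name) | ("and", a, b) | ("or", a, b) | ("not", a)."""
    op = expr[0]
    if op == "char":
        return has(puid, expr[1])
    if op == "and":
        return evaluate(puid, expr[1]) and evaluate(puid, expr[2])
    if op == "or":
        return evaluate(puid, expr[1]) or evaluate(puid, expr[2])
    if op == "not":
        return not evaluate(puid, expr[1])
    raise ValueError(f"unknown operator: {op!r}")

# The article's own example: an employee (but not a limited-term lecturer)
# who is registered for CHEM 157.
CHEM157_STAFF_POLICY = ("and",
    ("and", ("char", "Employee"), ("not", ("char", "Limited-Term Lecturer"))),
    ("char", "Registered in CHEM 157"))

def authorize(puid, policy=CHEM157_STAFF_POLICY):
    """Deny outright for a PUID absent from the snapshot (for example someone
    no longer associated with the University); otherwise evaluate the policy."""
    if puid not in CHARACTERISTICS:
        return False
    return evaluate(puid, policy)

if __name__ == "__main__":
    for puid in ("0012345678", "0098765432", "0055555555", "0000000000"):
        print(puid, "->", "grant" if authorize(puid) else "deny")
```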
Purdue benefits are associated with each individual, and not necessarily with an identification card. If someone presents a Purdue identification card to a service provider, the provider needs to know if the cardholder is entitled to the service or resource being requested. In the I2A2 model, the only purpose of a Purdue photo ID card is to associate a person's name and face with his or her PUID. The PUID is then looked up in a network-connected computer database to determine which benefits are actually applicable. If a person is no longer associated with Purdue, Purdue benefits and services will no longer be available to that person. Until Purdue ID cards are modified to include PUIDs, a PUID can be looked up in the I2A2 database if an employee's HRID, a student's SID, or a PUID alias is provided.