Identity Management in Quercus

What is identity management?

The importance of identity – why Quercus needs identity management

“Hey John. Don’t I know your face, are ye Paddy Reilly or Brendan Grace,
Are ye Mary Black or Freddie White?” says he.

Christy Moore – Welcome to the Cabaret

In order to function correctly, Quercus needs to know the identity of someone who wishes to use a particular service. By identity we simply mean who you are – are you John Anonymous, Mary Black, Freddie White or Christy Moore?

Your identity is of critical importance because it provides the link to your user profile. Your user profile stores a range of information about you including your level of user privilege and your association with particular courses or organisations.

User privilege

Your level of user privilege determines what actions you can and cannot perform and what services you can and cannot access. For example, if you have applied for a particular course you will be able to view the progress of your application but you will not be able to download course materials. If you are registered on the course you will be able to download materials and communicate with your tutor. If you are the tutor for the course you can upload course materials and enter marks for your students. If you are a course administrator you can add and delete tutors and students from the course.

In Quercus, user privilege is controlled through your membership of LDAP groups. Membership of a specific LDAP group conveys various privileges to group members. So, if you are a member of the OAPL_APPLICATION LDAP group you can access service requests received through Case Manager services; if you are a member of the OAPL_SERVICE_ADMIN group you can set up and manage new student-facing Case Management services.

User association

Your association with particular courses (or organisations), in combination with the Quercus security model, determines which information you are allowed to access. So, if the person security model is implemented, then you will only be able to view applications for the courses for which you are a tutor.

Summary: why your identity is important

Your identity is important because it allows Quercus to make the necessary judgements about what you can and cannot do and what information you can and cannot see. Quercus can do this because your identity is linked to a user profile which establishes your membership of LDAP groups and your association with courses and organisations.

For more information see http://docs.campusit.net/publications/quercus-8.0.2.-control-centre-user%E2%80%99s-guide/security-options-and-control-centre-access

How identity is established

Quercus can use its own methods to establish a user’s identity or it can outsource this process to a third-party identity management system. In practice this means:

In the scenario where you log in directly to Quercus, Quercus establishes your identity by checking your user name and password against an internal table of usernames and password hash-values.

Note: for security reasons Quercus does not store actual passwords in the table. Only salt-protected one‑way hash values are stored. This makes it impossible to retrieve the password a user is using whilst still enabling the password to be validated.

In other scenarios (which are described below) Quercus hands over the task of identity verification to an external identity management system.
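To illustrate the direct-login check described above, the following added example (not Quercus code) stores and validates salted one-way hashes in Python. PBKDF2-HMAC-SHA256, the iteration count, the table layout and the usernames are assumptions; the page does not state which algorithm Quercus uses.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not a Quercus setting
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way derivation: the password cannot be read back from the output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enrol(table: dict, username: str, password: str) -> None:
    """Store a fresh random salt and the derived hash; the password is discarded."""
    salt = os.urandom(SALT_BYTES)
    table[username] = {
        "salt": salt,
        "iterations": ITERATIONS,
        "hash": _derive(password, salt, ITERATIONS),
    }


# Dummy record so that an unknown username costs the same work as a known one.
_DUMMY = {"salt": b"\x00" * SALT_BYTES, "iterations": ITERATIONS, "hash": b"\x00" * 32}


def verify(table: dict, username: str, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    record = table.get(username, _DUMMY)
    candidate = _derive(password, record["salt"], record["iterations"])
    matches = hmac.compare_digest(candidate, record["hash"])
    return matches and username in table


if __name__ == "__main__":
    users = {}  # constructed stand-in for the internal username/hash table
    enrol(users, "mblack", "cabaret-1984")
    enrol(users, "fwhite", "cabaret-1984")  # same password, different salt
    print("valid login:   ", verify(users, "mblack", "cabaret-1984"))
    print("wrong password:", verify(users, "mblack", "cabaret-1985"))
    print("unknown user:  ", verify(users, "cmoore", "cabaret-1984"))
    print("hashes differ: ", users["mblack"]["hash"] != users["fwhite"]["hash"])
```

Because each record has its own random salt, two users who choose the same password still get different stored values, so a leaked table cannot be attacked with one precomputed lookup.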

What is an IDM?

An Identity Management System (IDM) is an application which centralises the authentication of users in situations where users need to access multiple applications within a corporate environment. Instead of each system having its own database of users, the individual systems make use of a central user database.