Grouper: A Toolkit for Managing Groups

Presentation transcript:

Grouper: A Toolkit for Managing Groups
Tom Barton, Blair Christensen, University of Chicago

Outline
- The problem with groups
- Case study: U Chicago's "USITE" computer labs
- Tour of Grouper
- USITE case study revisited
- Grouper project status
- Bonus round: personal groups
Fall 2004 I2MM

Groups facilitate …
- Customization: application UI tailored to the user's affiliations with the organization
- Authorization
  - "Lightweight": relationship info feeding access decisions
  - "Heavyweight": assignment of structured privileges to groups
- Messaging, scheduling, & collaboration: departments, courses, programs, committees, teams, …
- Posix naming services

Group management issues
- Coordinating many sources of information
- Provisioning groups in many locations
- Supporting several styles of access to group membership information
- Aging of groups and of memberships
- Use of subgroups vs. effective membership
- Referring to set-theoretic combinations of groups (compound groups)
- Privacy & visibility requirements

The USITE access problem
- Must control access to computers in labs independent of ability to authenticate
- U Chicago's Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
- You'll see "nsit" and "usite" in names of things to follow

USITE access policy
- Students
  - 23 categories of current students
  - Some entitle USITE access, some disenfranchise, others fail to entitle
  - Time-of-year dependency for some categories
- Current faculty & staff are entitled
- Other more loosely affiliated people are not entitled
- Exceptional administrative admits and denies across all categories above

Use of group management
- Various elemental USITE-related categories of people are modeled as groups
- Subgroups are used to roll up effective admit or deny status
- Some groups are automatically managed, others manually
- Some roll-up groups are manually managed to deal with time dependency or change in access policy

Groups model for USITE access (diagram; ACL is "shaded green but not red")
- usite_eligible (manual), rolled up from: uc:faculty (auto), uc:staff (auto), categories of entitled students, time-dependent student categories
- usite_barred (manual), rolled up from: categories of barred students
- admin_admit (manual)
- admin_deny (manual)
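The roll-up described on this slide, as an added example that is not code from the slides or the Grouper project: a toy registry of subgroups, effective-membership flattening, and the "green but not red" decision. Group names follow the nsit:usite convention from the talk; the subject ids, the student-category contents and the precedence rule (admin_admit is an extra entitling source, admin_deny always wins) are assumptions.

```python
# Added example (not from the slides): a toy model of the USITE roll-up.
# Subject ids and the student-category contents are constructed sample data.

# Direct members of each group. A member that is itself a registry key
# is a subgroup; anything else is a subject.
REGISTRY = {
    "uc:faculty": {"fprof"},
    "uc:staff": {"sadmin"},
    "nsit:usite:students:enrolled": {"jdoe", "asmith"},   # entitled category
    "nsit:usite:students:on_leave": {"asmith"},           # barred category
    "nsit:usite:students:summer_only": {"bwong"},         # time-dependent category
    "nsit:usite:usite_eligible": {"uc:faculty", "uc:staff",
                                  "nsit:usite:students:enrolled"},
    "nsit:usite:usite_barred": {"nsit:usite:students:on_leave"},
    "nsit:usite:admin_admit": {"vguest"},
    "nsit:usite:admin_deny": {"fprof"},
}


def effective_members(group, registry=REGISTRY, seen=None):
    """Flatten a group through its subgroups, guarding against cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    members = set()
    for member in registry.get(group, set()):
        if member in registry:
            members |= effective_members(member, registry, seen)
        else:
            members.add(member)
    return members


def usite_access(subject, summer=False):
    """'Shaded green but not red': admitted if in an entitling group and in
    no barring group. Assumed reading: admin_admit is a fourth entitling
    source and admin_deny overrides everything."""
    registry = {k: set(v) for k, v in REGISTRY.items()}
    if summer:  # the time-dependent category is rolled up only in season
        registry["nsit:usite:usite_eligible"].add(
            "nsit:usite:students:summer_only")
    green = (effective_members("nsit:usite:usite_eligible", registry)
             | effective_members("nsit:usite:admin_admit", registry))
    red = (effective_members("nsit:usite:usite_barred", registry)
           | effective_members("nsit:usite:admin_deny", registry))
    return subject in green - red
```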

Management-related groups
- Management privileges for manually managed groups also need to be managed!
- So, more groups list who has what authority in managing the groups that mediate USITE access:
  - Director of Learning Environments
  - Lab Managers
  - Student staff

Data flow & Grouper's role in USITE access (diagram)
- Components shown: SIS, HR, Loaders, Grouper API, Person registry, LDAP, Grouper UI, Group registry, lab, Dir. Learning Environments, Lab Managers, Student staff
- Sample LDAP entry: uid: jdoe; ucAffiliation: …; isMemberOf: …

Grouper groups
- Stored in an RDBMS, the Group Registry
- Attributes of groups: name, description, members
- Possible to extend the set of attributes to support groups with more specific purposes

Directory of groups
- Groups are created within a hierarchy of directories, like files within a computer's directory system
- Directories are also named
- Sometimes need to use the full name of a group, like the full pathname of a file. Example: /nsit/usite/admin_admit
- The directory delimiter can be configured for different effect. Example: nsit:usite:admin_admit

Grouper privileges
- Access privileges: who has what access (read, write) to a group's attributes
- Naming privileges: who can create a group or subdirectory in what part of the directory of groups

Access privileges
- VIEW: group's name in lists & can refer to it, e.g., make it a subgroup of another group
- READ: basic information about a group
- UPDATE: membership, and administer VIEW, READ, & UPDATE privileges
- ADMIN: can modify everything, including group name, description, & privileges, and can delete the group
- OPTIN: can add self to the members list
- OPTOUT: can remove self from the members list

Naming privileges
- CREATE: a group in a given directory
- STEM: privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
- Motivating idea: a directory is a naming "stem" over which authority is exercised and delegated by those with stem privilege

Built-in privilege implementation
- All access & naming privileges can be assigned to individual members or to groups
- Subgroups, compound groups, and aging can be used to manage privileges
- Abstracted interfaces are presented for privilege management
- Sites can hook in their own privilege management and bypass Grouper's built-in system

USITE revisited: Grouper's role
- Make an "nsit:usite" directory in the group registry
- Groups created within it:
  - dir_learning_env, lab_managers, student_staff
  - usite_eligible, usite_barred
  - admin_admit, admin_deny
- Give stem privilege for "nsit:usite" to the Director of Learning Environments
- She can run her groups empire within

USITE group access privileges (unqualified names in nsit:usite namespace; A = ADMIN, U = UPDATE, V = VIEW, R = READ)
- usite_eligible: A: dir_learning_env; V, R: all
- usite_barred: A: dir_learning_env; V, R: all
- admin_admit: U: usite_manage; V, R: usite_view
- admin_deny: U: usite_manage; V, R: usite_view
- uc:faculty: V, R: all
- uc:staff: V, R: all
- each category of barred students: V: all
- each category of entitled students: V: all
- each time-dependent student category: V: all
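The access-privilege slide and this assignment table, as an added example that is not Grouper's own code: a small evaluator that resolves a grant to a group through that group's membership, honours the "all" wildcard, and applies privilege implication. The implication order (ADMIN implies UPDATE, READ, VIEW; UPDATE implies READ, VIEW; READ implies VIEW), the subject ids and the contents of usite_manage and usite_view are assumptions.

```python
# Added example (not from the slides or Grouper): evaluate the USITE access
# privileges as assigned on the slide. Subject ids and the flattened
# memberships of the grantee groups are constructed sample data.

# Assumed implication order (not spelled out on the slides).
IMPLIES = {
    "ADMIN": {"ADMIN", "UPDATE", "READ", "VIEW"},
    "UPDATE": {"UPDATE", "READ", "VIEW"},
    "READ": {"READ", "VIEW"},
    "VIEW": {"VIEW"},
    "OPTIN": {"OPTIN"},
    "OPTOUT": {"OPTOUT"},
}

# Effective membership of the grantee groups (constructed, already flattened).
MEMBERS = {
    "dir_learning_env": {"dle"},
    "usite_manage": {"dle", "labmgr1", "staff1"},
    "usite_view": {"dle", "labmgr1", "staff1", "auditor"},
}

# group -> granted privilege -> grantees, transcribed from the slide's table.
# "all" is the everyone wildcard used on the slide.
GRANTS = {
    "usite_eligible": {"ADMIN": {"dir_learning_env"}, "VIEW": {"all"}, "READ": {"all"}},
    "usite_barred": {"ADMIN": {"dir_learning_env"}, "VIEW": {"all"}, "READ": {"all"}},
    "admin_admit": {"UPDATE": {"usite_manage"}, "VIEW": {"usite_view"}, "READ": {"usite_view"}},
    "admin_deny": {"UPDATE": {"usite_manage"}, "VIEW": {"usite_view"}, "READ": {"usite_view"}},
}


def holds(subject, grantee):
    """A grantee matches if it is the wildcard, the subject itself, or a
    group the subject is an effective member of."""
    return grantee == "all" or grantee == subject or subject in MEMBERS.get(grantee, set())


def has_priv(subject, group, priv):
    """True if some grant on the group implies priv and covers the subject."""
    for granted, grantees in GRANTS.get(group, {}).items():
        if priv in IMPLIES[granted] and any(holds(subject, g) for g in grantees):
            return True
    return False
```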

USITE group management privileges (unqualified names in nsit:usite namespace) Fall 2004 I2MM

Grouper v1 features
- API & UI for basic group management: create, read, update, delete, import, export
- Distributed management
- Subgroups & compound groups
- Aging of groups and memberships
- Abstracted interfaces for: group and directory privileges, subject lookup, last activity

Phases of Grouper v1 development
- Phase 1: Basic management and export functions
- Phase 2: Compound groups & Signet integration
- Phase 3: Aging of groups and memberships
- Phase 1 API available before end of year (2004, that is!)

Grouper deliverables
- U Chicago: Java API
- U Bristol: Java UI
- You: contributed loaders & connectors
- Subject Lookup implementation, jointly with the Signet project
- Group Registry creation scripts & sample batch import/export scripts
- Documentation

Grouper UI status
- Conceptual mock-up completed
- Modular design for look and feel
- Grouper & Signet UIs will "leave the factory floor" bearing an I2 family resemblance

Personal groups
- Any user can create groups named personal:username:groupname
- Good or evil?
  - Yeah! Low overhead to let everyone do groups
  - Booo! Valuable institutional data squirreled away in unknowable spaces that go away
- Configuration: on/off; root directory for the personal namespace ("personal" above)

Further info & participation
- MACE-Dir list
- MACE-Dir-groups conference calls
- http://middleware.internet2.edu/dir/groups