Managing Authorization with Signet and Grouper. Tom Barton, University of Chicago; Lynn McRae, Stanford University.

Presentation transcript:

1 Managing Authorization with Signet and Grouper
Tom Barton, University of Chicago
Lynn McRae, Stanford University

2 Groups and Privilege Management
Groups: who someone is (identity)
- Populations sharing a common characteristic
- Institutional role, departmental, personal
Privileges: what someone can do (permissions)
- Involve person, action, resource, context
Exploring Grouper and Signet...
- Groups for eligibility & authorization
- Privileges, policy & permissions

3 Stone Age
[diagram: individuals Clark, Leo, George, Lois, Peter, Nick and Ed listed directly in the ACL of each application (Admin, Input, Reporting)]

4 Middle Ages
[diagram: Functional Groups; each application (Admin, Input, Reporting) keeps its own member list drawn from George, Nick, Clark, Lois, Peter, Leo and Ed]

5 Renaissance
[diagram: "Role" Groups shared by the Admin, Input and Reporting applications: Owner (George, Nick), Staff (Clark, Lois), Clients (Peter, Leo, Ed)]

6 20th Century
[diagram: applications Admin, Input and Reporting use role groups Owner, Staff and Client; enterprise roles and affiliations (Staff, Faculty) come from Identity Management!]

7 Groups Management
[diagram: applications Admin, Input and Reporting; role groups Staff and Client; enterprise groups Admins, Staff, Faculty and Clients]
Adds user-maintained groups.

8 Something Still Missing
[diagram: each application (Maint, Input, Reporting) defines its own actions (View, Update, Delete; Check out, Submit) and its own Admin/Staff/Client access rules]
Each system interprets policy separately and sets access rules separately.

9 Privilege Management
[diagram: an Access Manager holding Policy and Permissions (Manage, Read, ReadWrite) feeds a PEP in front of the Maint, Input and Reporting applications; actions View, Update, Delete, Check out, Submit; roles Author and Reader; groups Admins, Staff, Faculty, Clients and Individuals]

10 Identity & Access Management Reality
- Each person's online activities are shaped by many Sources of Authority (SoAs): institutional policy-making bodies, resource managers, program/activity/project heads, and the person themself
- Management of the information an SoA conveys should be distributed: hook up all of those SoAs to the middleware
- Common middleware infrastructure should be operated centrally, so that departments, programs and activities are not obliged to build their own core middleware

11 Connecting SoAs, Integrating with Existing Infrastructure

12 Relative Roles of Signet & Grouper
RBAC model:
- Users are placed into groups (aka "roles")
- Privileges are assigned to groups
- Groups can be arranged into hierarchies to effectively bestow privileges
Grouper manages, well, groups; Signet manages privileges. This separates responsibilities for groups and privileges.

13 The Duck Test...
Grouper:
- Binary info: you're either in some list or not
- Identity- or affiliation-based access control or distribution
- Identification layer of an encompassing access management scheme
- Locally tweak or combine other groups
Signet:
- Structured, qualified info: limits, conditions, scope, ...
- Oriented to individuals rather than roles
- Human judgment and chain of authority essential for access decisions
- Enables functional, not just technical, people to manage privileges
- Supports policy control closer to the source of authority
- Audit requirements

14 Illustrative Use Cases: Blackboard Collaboration Support
- What: set up tools to support collaboration for "organizations" or groups (in addition to classes)
- Grouper function: registration; the organization liaison is given a group in which to maintain the organization's membership
- Signet function: manage which tools are enabled for which organizations
- Coordinates services across systems

15 Illustrative Use Cases: Computer Cluster Access
- What: express complex access policy in LDAP attributes that condition workstation login
- Grouper function: a group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy; whitelist and blacklist policy-exception capability is given to cluster administrators; cluster admins tweak the classifying hierarchy as needed
- Signet function: none at present; it would be used if, for example, departments were to authorize access to their own computer labs

16 Illustrative Use Cases: Expense Management System
- What: import user profile data into an EMS
- Grouper function: maintain the EMS-specific organizational hierarchy
- Signet function: assign who gets the approval privilege for which parts of the EMS org hierarchy

17 Nutshell Description of Grouper
- A mix of manual and automated processes manage a common Group Registry, stored in an RDBMS
- Automated processes provision info from the Group Registry into LDAP, AD, or directly into app-specific databases, wherever the value of the info warrants spending the resources to place it there
- Two types of managed objects: groups and namespaces (or "naming stems"); groups are created and named within a namespace
- Group management authority is delegatable, by group or by namespace

18 Grouper Architecture

19 Group Attributes

20 Grouper Groups
- Any "subject" can be a group member or privilegee: persons, groups, site-defined subject types
- Uses the Subject API developed by the Grouper and Signet teams
- Subgroups (now), compound groups (v1.0), and aging (v1.1) of groups and memberships
- Privileges: ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
- The group attribute set can be site-extended

21 Namespaces or Stems

22 Grouper Namespaces
- Groups are created within namespaces, which limits the authority to create and name groups
- Namespaces support distinct activities with their own authority
- Namespaces can be arranged hierarchically
- Privileges: STEM (create subordinate namespaces, assign privileges for this namespace); CREATE (create groups in this namespace)

23 Example: Computer Cluster Access
it:labs:eligible (manual)
- it:labs:whitelist (manual)
- uc:faculty (auto)
- uc:staff (auto)
- categories of entitled students (auto)
- time-dependent student categories (auto)
it:labs:barred (manual)
- it:labs:blacklist (manual)
- categories of barred students (auto)
Allow access if "eligible" but not "barred".
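The slide's group hierarchy and its "eligible but not barred" rule, worked through as an added example that is not Grouper's own code: composite groups are resolved as set unions of their children, time-dependent student categories are honoured, and the final decision is the set difference. All group memberships and the date window are constructed for illustration.

```python
from datetime import date

# Constructed base-group memberships for the groups named on the slide.
# "auto" groups would be loaded from HR/SIS; "manual" ones are kept by lab staff.
BASE_GROUPS = {
    "uc:faculty": {"clark", "lois"},             # auto
    "uc:staff": {"george"},                      # auto
    "uc:students:entitled": {"peter", "leo"},    # auto: entitled student categories
    "it:labs:whitelist": {"ed"},                 # manual policy exception
    "it:labs:blacklist": {"leo"},                # manual policy exception
    "uc:students:barred": {"nick"},              # auto: barred student categories
}

# Constructed time-dependent student category: subject -> (valid from, valid until).
TIME_DEPENDENT = {
    "uc:students:summer": {"nick": (date(2005, 6, 15), date(2005, 9, 15))},
}

# Composite definitions: each hierarchy group is the union of its children.
COMPOSITES = {
    "it:labs:eligible": ["it:labs:whitelist", "uc:faculty", "uc:staff",
                         "uc:students:entitled", "uc:students:summer"],
    "it:labs:barred": ["it:labs:blacklist", "uc:students:barred"],
}


def members(group, today):
    """Effective membership of a group on a given day, resolving composites recursively."""
    if group in COMPOSITES:
        return set().union(*(members(child, today) for child in COMPOSITES[group]))
    if group in TIME_DEPENDENT:
        window = TIME_DEPENDENT[group]
        return {s for s, (start, end) in window.items() if start <= today <= end}
    return set(BASE_GROUPS.get(group, set()))


def may_login(subject, today):
    """Slide 23 policy: allow access if 'eligible' but not 'barred'."""
    return subject in members("it:labs:eligible", today) - members("it:labs:barred", today)


def is_member_of(subject, today):
    """Group names to provision as isMemberOf values on the subject's directory entry."""
    all_groups = list(BASE_GROUPS) + list(TIME_DEPENDENT) + list(COMPOSITES)
    return sorted(g for g in all_groups if subject in members(g, today))
```

Note that a subject who is blacklisted stays out even when an automated category makes them eligible, which is the reason the barred side of the hierarchy exists.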

24 LDAP Data Flow & Grouper Roles in Computer Cluster Access
[diagram: sources SIS and HR; Loaders; Person Registry; Groups Registry; Grouper UI and Grouper API; directory entry with uid: jdoe, ucAffiliation: ..., isMemberOf: ...; Grouper roles: Lab Director ADMIN, Lab Managers UPDATE, On-site staff READ]

25 Five Ways to Delegate Group Management
1. Create a group and assign someone to manage its membership (UPDATE)
2. Create a group and assign someone to manage who manages the group's membership and who can see what about the group (ADMIN)
3. Create a namespace and assign someone to create groups within it (CREATE)
4. Create a namespace and assign someone to manage who can create groups within it (STEM)
5. Allow Self to OPTIN or OPTOUT of membership
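The five delegation patterns above, modelled as an added example (not Grouper's own code) with the privilege names the slides use and the slide 24 roles (Lab Director ADMIN, Lab Managers UPDATE, on-site staff READ). Which privilege implies which, and the "ALL" pseudo-subject used for self-service OPTIN, are assumptions of this model.

```python
# Assumed implication rules: ADMIN stands in for UPDATE/READ/VIEW, READ for VIEW.
IMPLIED = {"UPDATE": ("ADMIN",), "READ": ("ADMIN",), "VIEW": ("ADMIN", "READ")}


class GroupRegistry:
    def __init__(self):
        self.stems = {}    # stem name -> {subject: {"STEM", "CREATE"}}
        self.groups = {}   # group name -> {"privs": {subject: set}, "members": set}

    @staticmethod
    def _has(table, subject, priv):
        held = table.get(subject, set()) | table.get("ALL", set())  # "ALL": every subject
        return priv in held or any(p in held for p in IMPLIED.get(priv, ()))

    def _require(self, table, actor, priv, target):
        if not self._has(table, actor, priv):
            raise PermissionError(f"{actor} lacks {priv} on {target}")

    def root_stem(self, name, owner):
        self.stems[name] = {owner: {"STEM", "CREATE"}}

    def create_stem(self, actor, parent, name):      # way 4: STEM on the parent
        self._require(self.stems[parent], actor, "STEM", parent)
        self.stems[f"{parent}:{name}"] = {actor: {"STEM", "CREATE"}}

    def create_group(self, actor, stem, name):       # way 3: CREATE on the stem
        self._require(self.stems[stem], actor, "CREATE", stem)
        self.groups[f"{stem}:{name}"] = {"privs": {actor: {"ADMIN"}}, "members": set()}

    def grant(self, actor, target, subject, priv):
        """Delegation: ADMIN on a group (way 2) or STEM on a namespace (way 4)."""
        if target in self.groups:
            table, needed = self.groups[target]["privs"], "ADMIN"
        else:
            table, needed = self.stems[target], "STEM"
        self._require(table, actor, needed, target)
        table.setdefault(subject, set()).add(priv)

    def add_member(self, actor, group, subject):     # way 1: UPDATE on the group
        self._require(self.groups[group]["privs"], actor, "UPDATE", group)
        self.groups[group]["members"].add(subject)

    def opt_in(self, subject, group):                # way 5: OPTIN held by the subject
        self._require(self.groups[group]["privs"], subject, "OPTIN", group)
        self.groups[group]["members"].add(subject)

    def can_read(self, subject, group):
        return self._has(self.groups[group]["privs"], subject, "READ")


def demo():
    """Constructed walk-through of the slide 24 roles on it:labs:whitelist."""
    r = GroupRegistry()
    r.root_stem("it", "it-admin")
    r.create_stem("it-admin", "it", "labs")                              # it:labs
    r.grant("it-admin", "it:labs", "labdirector", "CREATE")              # way 3
    r.create_group("labdirector", "it:labs", "whitelist")                # director gets ADMIN
    r.grant("labdirector", "it:labs:whitelist", "labmanager", "UPDATE")  # way 1
    r.grant("labdirector", "it:labs:whitelist", "onsite", "READ")        # way 2 in action
    r.add_member("labmanager", "it:labs:whitelist", "ed")
    return r
```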

26 Signet Privilege Management
- Brings privilege information together in one place: a "Privilege Registry"
- Provides user access through a common UI and programmatic access through a common API
- Defined independently of specific vendors, systems, releases or technologies
- Provides central reporting, auditing and review, but distributed management and control

27 When Groups Are Not Enough
- Exceed the limits of group control: difficult to track who has what and when; can't easily move people, need to delete/add; oriented to individuals
- Implementation of related access rules is scattered across systems: different procedures, different contacts, managing changes across areas and over time
- Coordinating policy and privileges across systems is difficult

28 Signet Overview
- Analysts define privileges in Signet in "business terms" and specify the associated permissions.
- Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority.
- Signet internally maps assigned privileges into the system-specific terms needed by applications.
- Privileges are exported, transformed and provisioned into applications and infrastructure services.
- Signet provides automated lifecycle controls.

29 Privileges Building Blocks
Business view: subsystems, categories, functions, scope, limits, prerequisites & conditions
System view: permissions (subject, action, resource)
Analysts define privileges in Signet in "business terms" and specify the associated permissions.

30 Signet Components
Subsystems define domains of ownership and responsibility. They reflect real-world boundaries and can be large or small, e.g. financial system, student administration, HR system, network access management, research administration, clinical resources, subscription services.
[diagram: Signet (Privilege Registry) and Grouper (Group Registry) alongside the subsystems]

31 Business View
Subsystems contain...
- Limits: qualifiers and constraints for a privilege
- Scope: organizational hierarchy governing distributed delegation
- Functions: the things a person can do; what they are getting privileges for
- Categories: a useful arrangement of functions within a subsystem, for reporting and ease of use

32 Business View: Organizing Actions
[diagram: example subsystems Clinical, Lab Access and Student Admin; categories and functions such as Trial Protocol A, Patient Records, Materials Control, Manage Grant, Admin, Course Support, Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts, Financial Aid; limits such as Which term, From Fund..., Read/Write, Hours, For school..., For fund..., Which campus, Qty/day, $ constraints]

33 Signet User Interface
Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.

34 Systems View
- Permissions: atomic units of control that map to specific access rules in systems; they include limits that must be evaluated when interpreting permissions
- Resources: the target of a specific privilege; things that have access rules to control their use
Signet internally maps assigned privileges into the system-specific terms needed by applications.

35 Business View to Permissions
[diagram: the Student Admin business view (categories Course Support and Financial Aid; functions Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts) mapped to resources (Calendar, Course, Facilities, Financial, Student) and permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room)]

36 Systems Integration
- Toolkit interface
- Privileges document: an XML representation of the privileges for an individual or group, compatible with SAML and XACML representations of subjects and access rules
- Integration: site-specific provisioning connectors, LDAP access
Privileges are exported, transformed and provisioned into integrated systems and infrastructure services.

37 Privileges Document
[XML example; the markup was lost in extraction and only the values survive: person, Poole, Jean M, formula-a, 2005-formula-b, none]

38 Provisioning Permissions into Applications (connectors) or API
[diagram: permissions reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room on resources Calendar, Course, Facilities, Financial, Student, provisioned into the Calendar, CourseWare, Financials, Reporting, Space Mgmt and Student applications]

39 Provisioning Permissions into Infrastructure (LDAP)
[diagram: the same permissions and resources as slide 38, provisioned into the Directory as eduPersonEntitlement values and consumed from there by the Calendar, CourseWare, Financials, Reporting, Space Mgmt and Student applications]

40 Privileges Lifecycle
Conditions provide automatic revocation of privileges:
- Date controls: from date, until date
- Based on the person's status, affiliation, etc., e.g. as long as the person is at Stanford
Prerequisites are pre-conditions that must be met to activate privileges, e.g. training.
Signet provides automated lifecycle controls.

41 Other Features
- Assignments can be to an individual or to a group, with or without the ability to further delegate
- Distributed delegation using the organizational hierarchy; records the "chain of command"
- Proxy assignment: temporary granting of one's privilege to another

42 Privilege Elements by Example
- By authority of the Dean: grantor
- principal investigators: grantee (group/role)
- who have completed training: prerequisite
- can approve purchases: function
- in the School of Medicine: scope
- for research projects: resource
- up to $100,000: limit
- until January 1, 2006, as long as a faculty member at ...: conditions (Privilege Lifecycle)
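The slide's sample privilege and the lifecycle conditions of slide 40, evaluated end to end as an added example (not Signet's own code): a request is permitted only if the requester is a grantee, the prerequisite and conditions currently hold, and the function, resource, scope and limit all match. The org hierarchy, group membership, training records and affiliations are constructed, as are the field names.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    grantor: str
    grantee: str            # an individual or a group name
    function: str
    scope: str              # org unit; subordinate units are covered
    resource: str
    limit: int              # dollars
    prerequisite: str       # training that must be completed
    until: date             # date condition
    affiliation: str        # "as long as a faculty member at ..."


# Constructed site data the evaluation draws on.
ORG_PARENTS = {"Medicine:Cardiology": "Medicine", "Medicine": "University"}
GROUPS = {"principal_investigators": {"jean"}}
TRAINING = {"jean": {"purchasing-training"}}
AFFILIATIONS = {"jean": {"faculty"}}

# The assignment spelled out on the slide, in constructed field names.
DEAN_GRANT = Assignment(
    grantor="dean", grantee="principal_investigators", function="approve_purchases",
    scope="Medicine", resource="research_project", limit=100_000,
    prerequisite="purchasing-training", until=date(2006, 1, 1), affiliation="faculty")


def in_scope(unit, scope):
    """True if unit is scope or lies below it in the org hierarchy."""
    while unit:
        if unit == scope:
            return True
        unit = ORG_PARENTS.get(unit)
    return False


def lifecycle_state(subject, a, today, affiliations=AFFILIATIONS):
    """Prerequisite and conditions: the assignment is active only while all hold."""
    if a.prerequisite not in TRAINING.get(subject, set()):
        return "inactive: prerequisite not met"
    if today >= a.until:
        return "revoked: until date passed"
    if a.affiliation not in affiliations.get(subject, set()):
        return "revoked: affiliation condition failed"
    return "active"


def decide(subject, action, unit, resource, amount, today, a=DEAN_GRANT, affiliations=AFFILIATIONS):
    """Permission decision for one request; returns (permit, reason)."""
    if subject != a.grantee and subject not in GROUPS.get(a.grantee, set()):
        return False, "not a grantee"
    state = lifecycle_state(subject, a, today, affiliations)
    if state != "active":
        return False, state
    if action != a.function or resource != a.resource:
        return False, "function/resource mismatch"
    if not in_scope(unit, a.scope):
        return False, "out of scope"
    if amount > a.limit:
        return False, "limit exceeded"
    return True, "permit"
```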

43 Subject API: Site IAM Integration Requirements
- Subject: a person, group, application, or other type of object whose identity is managed by your IAM system
- Abstract the underlying technology and data model from a relying application
- Enable alternate identifier namespaces to be selected to match application needs: username vs. opaque registryID vs. ...
- Scenarios: map an authenticated user to an internal security principal; reference/search objects within an application

44 Subject API: Integration with Site’s IAM

45 Subject API: More Info
- Subject and Source interface specs are at v0.1; they may yet change
- Searching: some per-subjectType methods?
- A JDBC source adapter is included now; a JNDI source adapter will be provided in a subsequent release
- Grouper includes a GroupSourceAdapter that is a provider of 'group' subjectTypes from the Groups Registry
- The Subject API will not support the Join function

46 Signet & Grouper Roadmaps
Now available:
- Grouper v0.6: basic group management, full GUI
- Demo release of the Signet v0.5 toolkit and UI
Signet roadmap:
- v0.6, early October 2005: designated drivers, history
- v1.0, late November 2005: lifecycle conditions, XML
- v1.x: Toolkit / API release
Grouper roadmap:
- v0.9, mid-November: internal refactoring, some enhancement
- v1.0, mid-January 2006: compound groups
- v1.1, mid-March 2006: group & membership aging

47 Resources & Participation
- Grouper team: University of Chicago & University of Bristol
- Signet team: Stanford University
- Internet2 Middleware Initiative: documents, tarballs, cvs; details for subscribing to mailing lists; conference call agendas & dialing instructions