Using PennGroups Chris Hyzer ISC/ASTT Sept 19, /17/2015ISC1

Using PennGroups Overview of Grouper Grouper versions and roadmap Grouper at Penn Secure Space example Atlassian example eForms example PHP use case Grouper UI: groups, permissions, etc Grouper client example Grouper privileges Survey 6/17/2015ISC2

Using PennGroups Overview of Grouper Tom Barton’s recent presentation 6/17/2015ISC3

Using PennGroups Penn Roadmap Hopefully uses for central permissions –E.g. warehouse permissions –E.g. PennCommunity Direct permissions Always available read-only web services Shibboleth entitlement group membership integration PennCommunity Direct getPerson WS secure attributes FAST permissions integration?

Using PennGroups Atlas Penn’s Identity Management Strategy 6/17/20155 PennKey PennCard Ancillary Affiliates (Temp, VFAC, CHOP, etc..) Ancillary Affiliates (Temp, VFAC, CHOP, etc..) Penn Names Penn Community Penn Directory UPHS SRS PennGroups 3rd Party Apps 3rd Party Apps In-House Apps In-House Apps AuthZ Decisions via LDAP or WS HR

Using PennGroups Penn: example folder structure

Using PennGroups Getting started with PennGroups  When School/Center is purchasing or developing a new system –LSP (local support provider)/ application developer contacts Central IT –LSP/developer and Central IT collaborate to: Establish authorization use cases for the specific application Determine access method (LDAP or Web Services) Determine best approach for group creation and maintenance –School/Center fills out access forms –Central IT consults with LSP/developer on group hierarchy structure

Using PennGroups PennGroups use cases PTO – Paid Time Off –Penn Groups provides the flexibility so that the user selects their approver for time off. Warehouse Apps –Penn groups provides a feed for org based security based on active status School of Engineering and Applied Science –Affiliate level groups - faculty members, staff members, students, undergrads, grads, PhD students –Class level groups - everyone enrolled in every SEAS course, and several ad-hoc groups. –Ad hoc groups generated and maintained via specific applications and business rules.

Using PennGroups PennGroups architecture

Using PennGroups PennGroups UI Grouper has a built in user interface Penn generally uses the default UI, though: –We customized the authentication to use Penn’s single signon –We added custom code to require users to be in a grouper group to be able to log in (not everyone allowed) Penn did a facelift for the Grouper 1.3 release in Spring 2008, improving the usability and help documentation We have a separate app to run the grouper loader in a webapp and register kerberos principals (add in subject database, and keep track of who owns it)

Using PennGroups PennGroups ancillary UI

Using PennGroups PennGroups ancillary UI (continued)

Using PennGroups Penn’s experience with Grouper Live for 3+ years 77 thousand groups 2.7 million memberships 54 kerberos service principals allowed to use LDAP/WS –Some apps share, some are orphans

Using PennGroups Components used at Penn UI Lite-UI WS Client SQL interface We have our own secure LDAP feed External users GSH Notifications

Using PennGroups Components used at Penn (continued) Hooks (lightly) Rules (lightly) Permissions (lightly) Permissions UI Subject picker UI Kuali Rice – Grouper integration module Atlassian (Confluence / Jira) integration module Loader Encrypted passwords

Using PennGroups Penn’s Secure Space Penn launched Secure Space in Fall 2010 Initially it was for PennKey holders only Last month we released a version which uses Grouper external users

Using PennGroups Penn’s Secure Space (continued) Secure Space is built on Grouper with three groups per space: admins, users, readonly When logging in, the grouper client / WS is used to cache the list of groups for user On create/delete space, GC/WS is used to create/delete groups Group memberships are managed via the membership lite UI screen

Using PennGroups Penn’s Secure Space (continued) Penn’s Grouper has rules to only allow external users in certain SS folders Penn’s Grouper external users must be invited to be able to register SecureSpace uses InCommon EPPN is required for external users External users self-register their name, , institution

Using PennGroups Penn’s Secure Space (continued) Penn installed Shibboleth Discovery Service (DS/WAYF), customized: –Pennify –Support channel –Make it easy for Penn users –Recommend ProtectNetwork for users who don’t have an InCommon account which releases EPPN

Using PennGroups Penn’s Secure Space (continued) Grouper shows external users with different icon, and description: [unverifiedInfo] First Last - institution [externalUserId] External users do not show in results for groups which do not allow external users Demo

Using PennGroups FAST PennGroup’s integration FAST can link a FAST group to a PennGroup in the fastConfig FAST_ADMIN asserts that users are in the ISC org to be an admin (can be overridden in fastConfig) –Contractors can be added in Group in PennGroups PennKey to PennId translation uses PennCommmunity first, and if failure, then LDAP FAST PennGroups membership called are also redundant

Using PennGroups Atlassian – Grouper connector Penn using in production since Dec 2010, requires Grouper 1.6+ Implements the OpenSymphony osuser interfaces: –Credentials provider (optional?) –Access provider –Profile provider (optional?)

Using PennGroups Atlassian – Grouper connector (continued) Map a root folder for Confluence or Jira Groups (unnamespaced) are in that folder Can create/delete groups from atlassian, though sometimes there are issues… we just create/use from Grouper XMPP messaging from Grouper to Atlassian for real time updates Fail-safe cache so if Grouper is down, Atlassian is up –Note, cache at Penn configured to last 24 hours, failsafe cache lasts 48 hours

Using PennGroups Atlassian – Grouper connector (continued) If you have LDAP groups with memberOf and member, you can use Atlassian LDAP groups If not, you can use this Two-way editing is nice (if it works) If no anonymous access, there is a REMOTE_USER authenticator too

Using PennGroups Atlassian – Grouper demo See Group in Atlassian See Group in Grouper (lite UI) Edit membership in Grouper See Group unchanged in Atlassian See logs, after 2 minutes a message will appear from Grouper XMPP notifications Group is now changed in Atlassian Change group back, see message and change

Using PennGroups Atlassian – Grouper future Penn ISC is happy with it Could have better cache clearing –Currently it clears all groups, and with large deployments and lots of groups, and lots of membership updates, it can be a performance issue Fix two way membership changes –This used to work, then stopped working, and we just use Grouper (show demo)

Using PennGroups Atlassian – Grouper Penn config Show Penn config for atlassian connector

Using PennGroups Penn eForms: Paper form screenshot In 2009 Penn wanted to convert paper access management forms to eForms 28 – 6/17/2015, © 2009 Internet2

Using PennGroups Penn eForms: Paper form screenshot (continued) 29 – 6/17/2015, © 2009 Internet2

Using PennGroups 30 – 6/17/2015, © 2009 Internet2 Penn eForms: How to connect Rice to Grouper? Add two jars to Rice (grouperRice.jar and grouperClient.jar) Add and configure grouper.client.properties Configure Rice spring override to group and/or identity service Setup a Grouper folder for the “Rice root”

Using PennGroups 31 – 6/17/2015, © 2009 Internet2 Rice request grouperRice.jar Kuali DB Rice server Grouper Registry Grouper WS server Grouper.client.properties grouperClient.jar Penn eForms: Kuali Rice overridable services

Using PennGroups 32 – 6/17/2015, © 2009 Internet2 Grouper WS server Grouper.client.properties grouperClient.jar REST LDAP Penn eForms: Grouper client One jar (no conflicts with existing libraries) Supports all of Grouper WS API Command line example java –jar grouperClient.jar --operation=hasMemberWs --groupName=aStem:aGroup --subjectIds= Java library example new GcHasMember().assignGroupName("aStem:aGroup“).addSubjectId(" ").execute();

Using PennGroups Initiator fills out form Grouper Registry Kuali DB Get members to route to and s Grouper WS Routes to approver group Routes to approver groupN Final Add a member to a Grouper group/role and/or assign permissions On login to Rice, get subject details Archive the document data, and workflow history One in group approves Grouper UI Person / org pickers 2 Penn eForms: workflow with Grouper

Using PennGroups Initiator fills out form If on behalf of someone else, they need to approve it, unless it is a ‘remove access’ 1 4 Supervisor (person picker) 2 On behalf of remove? 3 No Yes Grouper group selected from available schools Note: supervisor cannot be the same as ‘On behalf of’ School adminHRPayroll HR and payroll could approve in parallel in future 8 Operations Grant access that isn’t automatically provisioned Change KEW initiator to ‘on behalf of’ user 7 Data admin Assert that form is valid 9 Data admin Assert that privileges were granted correctly Final Send to ‘on behalf of’ user eForms demo workflow

Using PennGroups Grouper Rice demo Demo movie Note, there is a larger pres about this toolarger pres

Using PennGroups PHP use case

Using PennGroups © Internet PHP simple use case Clay suggested a simple PHP use case... A Penn department wants to protect parts of their site based on group in PennGroups se+of+Grouper+and+webpage+access se+of+Grouper+and+webpage+access Note, you need to change settings to be specific for Penn, let me know if you need these settings

Using PennGroups Some grouper features

Using PennGroups © Internet Attribute framework Grouper previously had Group types and attributes In 1.5, this feature was redone and improved

Using PennGroups © Internet Can assign attributes to many object types Groups Folders Members Memberships (immediate or effective) Other attributes Attribute assignments (1 level deep)

Using PennGroups © Internet Attribute security Similar privileges to group security ATTR_READ (can see assignments) ATTR_UPDATE (can make assignments) ATTR_ADMIN (can edit attribute fields) ATTR_VIEW (can see that the attribute exists) ATTR_OPTIN (can assign to own member or membership) ATTR_OPTOUT

Using PennGroups © Internet Attribute security (continued) Anyone with CREATE in a folder can create attributes It takes more than attribute security to assign attributes, you need rights on the object as well –E.g. To assign a group attribute, you need ADMIN on the group and ATTR_UPDATE on the attribute One attribute definition can have multiple names (to reduce the security assignments)

Using PennGroups Attribute framework UI Attribute framework UI is an ajax UI (similar to lite membership screen) Creates, edits, assigns attributes For Grouper 2.0 Currently in SVN, you can create attributes, names, hierarchies, privileges, roles, role hierarchies, actions, action hierarchies etc

Using PennGroups Attribute framework UI (continued) Attributes and actions Attribute privileges Attribute names (including hierarchy) Attribute names Groups and roles (including hierarchy and privileges) Groups and roles Attribute assignments Permission assignments (including limits) Permission assignments

Using PennGroups Permission management In Grouper (in the API, GSH, WS, docs, etc) a privilege refers to being able to do something in Grouper (e.g. READ a group or CREATE objects in a folder) So, since privilege = permission, resources in the new privilege management features, a non-grouper privilege will be referred to as “permission” There are permissions as RBAC (Role Based Access Control), and individual permissions 45 – 6/17/2015, © 2009 Internet2

Using PennGroups © Internet Grouper permission management Roles: links up groups/subjects and permission resources Permission resources: a type of attribute (on Role or effective Membership) Permission sets: can bunch up permission resources into one resource (e.g. for hierarchies) Role inheritance: can allow roles to inherit permissions from other roles (e.g. Senior loan administrator inherits from loan administrator) Action: qualifier of permission assignment, e.g. read or write

Using PennGroups © Internet Grouper role or permission directed graphs Not a hierarchy (supports multiple parents) Supports circular references Image is test case

Using PennGroups Grouper permissions ALLOW/DENY This is an up-and-coming topic (v2.0) Explains permissions in Grouper and how you can set them up, and the issues involved Document

Using PennGroups Demo server Internet2 has a Grouper Demo ServerGrouper Demo Server Address is: Host various versions of Grouper Show features (e.g. permissions, external users, syncing between groupers) Allow users or potential users to kick the tires (not for production obviously)

Using PennGroups Penn’s test server Penn has a test environment for Grouper, which is the best place to test things out The production environment of Grouper has two top- level folders: –/penn/ –/test/ If you want to try simple things out in prod in the penn or test folder, go ahead –Note: if you are doing load testing or have a lot of sample data then do not use prod due to audit and point-in-time Note: Im not sure of the status of the test ldap

Using PennGroups Demo server setup folders for users Already done for all users except one (so I can demo) Show setup for mvm Create folder: users/penn2/mvm Create group: users/penn2/mvm/mvmAdmins Invite external user, conscript the eppn since it is known: Assign the CREATE GROUP and CREATE FOLDER privileges to mvmAdmins, and READ/UPDATE on mvmAdmins

Using PennGroups Demo server - register Google: grouper demo server external users Click on the register linkregister link Fill in name, institution, , etc After everyone is done, I will regenerate external subjects’ description via GSH, though Im not sure it is necessary gsh 1% GrouperSession.startRootSession() gsh 2% ExternalSubject.internal_daemonCalcFields();

Using PennGroups Group Group – a collection of subjects Create a group in your folder with the admin UI –Do not make it world readable –Add some subjects Do the same thing with the Lite UI

Using PennGroups Grouper group privileges Privileges (or Grouper Privileges) refer to control on Grouper objects Permissions refer to central permissions management Try to search for a group that your neighbor created –You shouldn’t be able to do it, you don’t have VIEW Grant VIEW to your neighbor’s EPPN, have them do it too (Admin UI) –Search for your neighbors group, try to view members, can’t without READ Grant READ with Lite UI to neighbor’s EPPN, try view members Try to update members, grant UPDATE, try to update members Try to change name of neighbor’s group, can’t without ADMIN Grant ADMIN to neighbor’s EPPN, change name of group

Using PennGroups Grouper folder privileges Create a folder in your folder Try to create a group in your neighbor’s new folder Can’t without CREATE GROUP (or other objects) Grant this privilege, try now Try to create a subfolder in neighbors folder Can’t without CREATE FOLDER Grant this privilege, try now

Using PennGroups See groups of a subject Search for your EPPN from menu on left of admin UI See which direct or indirect groups you are in –Note, this is a secure view. If there are groups that you cannot READ or ADMIN, then you wont see them in the list

Using PennGroups Grouper loader Grouper can load a group based on SQL query –Generally this is from the PennCommunity database or the warehouse –Schedule is croned Can also load a group of groups in one query –E.g. class lists –E.g. orgs Show examples ISC Data Administration can help write queries the PennGroups help list for information

Using PennGroups Loader include/exclude example Create a group Read/update should not be granted to everyone Use addIncludeExclude type Look in folder, there will be 5 groups created with that type. Open the system of record, and lets make that the loader group. The loader group is community:students Create this view in the DB (this is done): mysql> CREATE OR REPLACE VIEW loader_student AS \ (SELECT subjectId AS subject_id FROM SUBJECT WHERE \ subjectId LIKE 'fi%');

Using PennGroups Loader include/exclude example (continued) Add the students group to the system of record group Set the system of record group to be grouperLoader type Edit attributes on the group (already done, admin only): grouperLoaderDbName: grouper NOTE: configure other DB connections in grouper-loader.properties NOTE: every minute just for testing… grouperLoaderQuartzCron: 0 * * * * ? grouperLoaderQuery: select subject_id subject_id from \ loader_student grouperLoaderScheduleType: CRON grouperLoaderType: SQL_SIMPLE Bounce loader (CTRL-c, start again, don’t run twice at same time!) %./gsh.sh -loader

Using PennGroups Loader include/exclude example (continued) Never edit the loader group, unless you expect it to get overwritten Add fico to the excludes group Add bapo to the includes group Look at the overall group Generally the privileges are: Assign READ on all to admins Assign UPDATE on include/exclude groups to admins Assign READ to service principal of app for overall group or other people who need to use the group

Using PennGroups RequireInGroups example Create a folder under root: apps Create a folder under that folder: pto Create a group in that stem: apps:pto:ptoAdmins Select the requireInGroups type for that group This created another system of record group, and an overall group In the overall group, edit the attribute: requireAlsoInGroups The value should be: community:students Now see that the overall group is an intersection composite Add baco and fipo to the system of record group Which is in overall group Why?

Using PennGroups Get the Grouper Client Binary Edit the grouper.client.properties grouperClient.webService.url = grouperClient.webService.login = test1 grouperClient.webService.password = **************

Using PennGroups Get the Grouper Client (continued) Get usage: $ java -jar grouperClient.jar $ java -jar grouperClient.jar --operation=getMembersWs --groupNames=users:penn:mchyzer:apps:pto:mchyzerPtoUsers Customize the output (note, double quotes for windows, single quotes for unix): $ java -jar grouperClient.jar --operation=getMembersWs --groupNames=users:penn:mchyzer:apps:pto:mchyzerPtoUsers --outputTemplate='${wsSubject.id}$newline$'

Using PennGroups Grouper client uses XML POX $ java -jar grouperClient.jar --operation=getMembersWs \ --groupNames=test:testGroup --debug=true ################ REQUEST START (indented) ############### POST /test1_grouperWs/servicesRest/v1_6_003/groups HTTP/1.1 Content-Type: text/xml; charset=UTF-8 test:testGroup ################ REQUEST END ###############

Using PennGroups Grouper client uses XML POX (continued) ################ RESPONSE START (indented) ############### HTTP/ OK X-Grouper-resultCode: SUCCESS X-Grouper-success: T SUCCESS SUCCESS T babu jdbc

Using PennGroups Grouper client as library % cd ~/1.6.3/grouper.clientBinary % emacs GrouperClientExample.java import edu.internet2.middleware.grouperClient.api.GcGetMembers; import edu.internet2.middleware.grouperClient.util.GrouperClientUtils; import edu.internet2.middleware.grouperClient.ws.beans.*; public class GrouperClientExample { public static void main(String[] args) { WsGetMembersResults wsGetMembersResults = new GcGetMembers().addGroupName("test:testGroup").execute(); WsGetMembersResult wsGetMembersResult = wsGetMembersResults.getResults()[0]; for (WsSubject wsSubject : GrouperClientUtils.nonNull( wsGetMembersResult.getWsSubjects(), WsSubject.class)) { System.out.println(wsSubject.getId()); }

Using PennGroups Grouper client as library (continued) Note, colons for unix, semicolons for windows % javac -cp.:grouperClient.jar -sourcepath. GrouperClientExample.java % java -cp.:grouperClient.jar GrouperClientExample babu babr Babl %

Using PennGroups Grouper WS documentation and samples There are hundreds of samples of WS for each operation in: SOAP SOAP-lite POX POX-lite JSON XHTML These are auto generated for the release and stored in SVN.

Using PennGroups Grouper customized UIs Grouper UIs can have custom text or skins –E.g. membership lite UI –E.g. person picker Helps the Grouper screens integrate better with application Show example

Using PennGroups Lite UI export/import Go to the lite UI of ptoAdmins_systemOfRecord Under advanced, export entity id's of the group Save as csv, add elwi Import that, and see elwi added

Using PennGroups Admin UI audit log Go to the admin UI of ptoAdmins_systemOfRecord Click on Audit Log See all the actions taken to this group Why is the Create Group not there? Where is it?

Using PennGroups Survey Please fill out this survey to help us improve our training

Using PennGroups Questions? 6/17/2015ISC73