Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.

Slides:



Advertisements
Similar presentations
Unveiling ProjectWise V8 XM Edition. ProjectWise V8 XM Edition An integrated system of collaboration servers that enable your AEC project teams, your.
Advertisements

Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April.
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
Lesson 17: Configuring Security Policies
Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.
Copyright Jill M. Forrester This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial,
Leveraging Campus Directories: Lightweight Authorization and Group Management Keith Hazelton University of Wisconsin-Madison.
Recent Developments in Directories Tom Barton, University of Chicago Keith Hazelton, University of Wisconsin.
Dspace – Digital Repository Dawn Petherick, University Web Services Team Manager Information Services, University of Birmingham MIDESS Dissemination.
Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.
Identity Management: The Legacy and Real Solutions Project Overview.
Widely Distributed Access Management Tom Barton University of Chicago.
1 Outsourcing Student & Other Collaboration Services Wendy Woodward Director, Technology Support Services Copyright Wendy Woodward This work.
Intellectual Property Protocol and Assessment for Distance Learning Liz Johnson Project Manager Advanced Learning Technologies Board of Regents of the.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Identity Management – Why and How Experiences at CU-Boulder Copyright Linda Drake, Director of Development and Integration, University of Colorado, Boulder,
1 No More Paper, No More Stamps: Targeted myWSU Communications Lavon R. Frazier April 27, 2005 Copyright Lavon R. Frazier, This work is the intellectual.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
Signet and Grouper for Distributed Attribute Administration
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
Managing Intellectual Property for Distance Learning Liz Johnson Project Manager Advanced Learning Technologies Board of Regents of the University System.
Office of Information Technology Balancing Technology and Privacy – the Directory Conundrum January 2007 Copyright Barbara Hope and Lori Kasamatsu 2007.
I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago.
Group Management at Brown James Cramton Brown University April 24, 2007.
Cornell University Replacing a System that (sorta) Works Tom Parker Joy Veronneau Identity Management Team OIT/CIT Security Office Central Authorization.
Access Management with Grouper Tom Barton University of Chicago.
Penn Groups PennGroups Central Authorization System June 2009.
Managed by UT-Battelle for the Department of Energy 1 Integrated Catalogue (ICAT) Auto Update System Presented by Jessica Feng Research Alliance in Math.
Signet and Grouper A Use Case Study for Central Authorization at Cornell University March 2006.
Moving Beyond Implementation: Next Steps for Enterprise Directories Tom Barton University of Chicago.
The DSpace Course Module – User management and authentication options.
Directories Keith Hazelton, University of Wisconsin Brendan Bellina, University of Notre Dame Tom Barton, University of Chicago.
Grouper Training Developers and Architects Advanced Topics Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons.
Using Signet and Grouper for Access Management Using Signet and Grouper for Access Management Tom Barton, University of Chicago Lynn McRae, Stanford University.
Authority Process & Policy   Advanced CAMP July 9, 2003 Copyright Sandra Senti This work is the intellectual property of the author. Permission.
Windows Role-Based Access Control Longhorn Update
© 2006 The University of Chicago Grouper Backgrounder for Authorization WG Tom Barton, U Chicago.
Grouper Tom Barton University of Chicago. I2MM Spring Outline  Grouper’s place in the world  Some Grouper guts  Deployment scenarios.
Improving the Social Nature of OnLine Learning Tap into what students are already doing Tap into what students are already doing Educause SWRC07 Copyright.
1 Registry Services Overview J. Steven Hughes (Deputy Chair) Principal Computer Scientist NASA/JPL 17 December 2015.
Portals and Web Standards Lessons Learned and Applied David Cook Copyright The University of Texas at Austin This work is the.
Module 10: Implementing Administrative Templates and Audit Policy.
EDUCAUSE 2003 Copyright Toshiyuki Urata 2003 This work is the intellectual property of the author. Permission is granted for this material to be shared.
ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009.
Topics in Directories: Groups Dr. Tom Barton The University of Memphis.
Welcome to Base CAMP: Enterprise Directory Deployment Ken Klingenstein, Director, Internet2 Middleware Initiative Copyright Ken Klingenstein This.
Current Middleware Picture Tom Barton University of Chicago Tom Barton University of Chicago.
Grouper: A Toolkit for Managing Groups Tom Barton blair christensen University of Chicago.
Grouper Training Developers and Architects How to Design Groups Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial.
Moving Forward in Stages Tom Barton, University of Chicago.
Grouper attributes and privileges FUTURE features in Internet2 MACE Grouper June 2009 Chris Hyzer University of Pennsylvania Internet2.
IBM Software Group © 2008 IBM Corporation IBM Tivoli Provisioning Manager 7.1 Security Aspects of TPM 7.1.
Interstage BPM v11.2 1Copyright © 2010 FUJITSU LIMITED ADMINISTRATION.
I2/NMI Update: Signet, Grouper, & GridShib
Copyright Notice Copyright Bob Bailey This work is the intellectual property of the author. Permission is granted for this material to be shared.
Moving Beyond Implementation: Authorization
Moving Beyond Implementation: Next Steps for Enterprise Directories
Privilege Management: the Big Picture
Project for OnLine Instructional Support (POLIS)
Provisioning Groups, Memberships, and Permissions to LDAP
Central Authorization System (Grouper) June 2009
Open Source Web Initial Sign-On Packages
myIS.neu.edu – presentation screen shots accompany:
Signet Privilege Management
An App A Day Copyright Tina Oestreich and Brian Yuhnke This work is the intellectual property of the author. Permission is granted for this material.
Technical Topics in Privilege Management
Grouper: A Toolkit for Managing Groups
Managing Enterprise Directories: Operational Issues
Signet Privilege Management
Presentation transcript:

Introduction to Group Management Tom Barton, Blair Christensen University of Chicago

CAMP - 30 June Copyright Tom Barton, This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

CAMP - 30 June Outline Grouper’s place in the world Some Grouper guts Deployment scenarios “This session will offer an interactive introduction to Grouper and offer a demonstration of its tools.”

CAMP - 30 June Group services facilitate … Customization – application UI tailored to user’s affiliation with the organization “Lightweight” authorization –Groups provide binary relationship data feeding access decisions “Heavyweight” authorization –Assignment of structured privileges to groups Group messaging, scheduling, & collaboration –Departments, courses, programs, cmtes, teams, … Posix naming services …

CAMP - 30 June Group management issues Coordinating many sources of information Provisioning groups in multiple locations Supporting several styles of access to group membership information Maintaining referential integrity Aging of groups and of memberships Use of subgroups vs. effective membership Referring to set theoretic combinations of groups Meeting security, privacy, & visibility requirements  Grouper will deal with much of this

CAMP - 30 June Grouper in Context

CAMP - 30 June Grouper v1 features API & UI for basic group management –Create, read, update, delete, import, export –Distributed management –Subgroups & compound groups –Aging of groups and memberships Abstracted interfaces for –Naming and access privileges –Subject lookup –Last activity

CAMP - 30 June Grouper v1 features Signet integration Data model supports extensible group types Security, privacy & visibility requirements met in Groups Registry Not in v1: –Change history for change-based provisioning –Rule-driven membership –Presentation as a web service –Facilitation of group type management

CAMP - 30 June Grouper roadmap 3 phases of Grouper v1 development 1. Basic management and export functions 2. Compound groups & Signet integration 3. Aging of groups and memberships Deliverables –Java API, UI, Groups Registry creation scripts, sample batch import/export scripts, documentation –Phase 1 API due in November 2004 –Maybe phase 1 UI by then, too

CAMP - 30 June Grouper roadmap Developers –API: University of Chicago –UI: University of Bristol – just now coming aboard Contributed elements sought –Provisioning connectors (especially LDAP & AD) –LDAP Subject Lookup implementation –Interesting loaders –Alternate Privilege implementation (Maybe Signet? Maybe SPOCP? Others?)

CAMP - 30 June Phase 1 API highlights Session-oriented –Subject’s privileges cached in a session object “Flattened” membership –Immediate & effective memberships are updated together “List” and “non-list” data types –List fields are lists of principals or groups –Non-list fields are single string values Designed for management of group info, not high- volume run-time query service –Provision other repositories for that, such as directories or RDBMS’s

CAMP - 30 June What’s in a group Fields of “base” group type: –Name (non-list) –Description (non-list) –Members (list) –Additional list fields supporting the default access privilege interface implementation Site-defined group types can declare additional list and non-list fields

CAMP - 30 June Privileges: Access Interface VIEW group’s name in lists & can refer to group READ basic information about a group UPDATE membership and administer membership related privileges ADMIN can modify everything, including group name, description, & privileges, and can delete the group OPTIN can add self to the members list OPTOUT can remove self from the members list

CAMP - 30 June Privileges: Naming Interface Group names have two parts stem:descriptor CREATE group with specified name stem STEM – authority over a specified name stem –Assign CREATE & STEM privilege for a stem –Delegate STEM privilege to a subordinate stem –Example stem hierarchy: uc, uc:bsd, uc:bsd:obgyn –Hierarchical stem structure is visible only within the Naming Interface – rest of Grouper is oblivious Like pathnames, naming stems reflect authority but are often expected to also be lucent

CAMP - 30 June Default privilege implementation Access privileges are conferred by effective membership in list fields associated with each group (“updaters” list for UPDATE privilege, etc) Naming privileges conferred by effective membership in a system of naming groups –Hierarchical or flat stem space, per configuration All access & naming privileges can be assigned to both individuals and groups Personal groups – any user can CREATE groups named personal:username:descriptor –Configurable: on/off; stem for personal namespace –No delegation of naming authority for personal namespace

CAMP - 30 June Naming & privilege examples faculty:clinical (centrally auto-maintained) uc:nsit:netsec-update (a mail list) UPDATE: uc:nsit:netsec OPTIN: uc:members OPTOUT: uc:nsit:netsec-update student:privLoss (Registrar’s s**t-list) READ: uc:nsit:services

CAMP - 30 June Example: Delegate naming authority to Biological Sciences Division’s “Enterprise Systems Group” 1. Beginning state “uc”, STEM: uc:stem-root 2. uc:stem-root member creates “uc:bsd” naming stem & assigns STEM privilege to jdoe “uc:bsd”, STEM: jdoe 3. jdoe assigns “uc:bsd” CREATE privilege to self “uc:bsd”, STEM: jdoe, CREATE: jdoe 4. jdoe creates & populates group uc:bsd:es uc:bsd:es, ADMIN: jdoe, UPDATE: uc:bsd:es 5. jdoe completes delegation of naming authority “uc:bsd”, STEM: uc:bsd:es, CREATE: uc:bsd:es

CAMP - 30 June More examples uc:bsd:us (something only they can know) ADMIN: uc:bsd:es uc:bsd:obgyn:us UPDATE: uc:bsd:obgyn:it-staff VIEW: uc:bsd:us personal:tbarton:myFriends personal:tbarton:myTrueFriends OPTOUT: personal:tbarton:myTrueFriends

CAMP - 30 June LDAP Computer lab login access control scenario SIS HR Dir. Learning Environments Lab Managers Loaders Grouper API Person registry Groups registry Grouper UI Grouper API uid: jdoe ucAffiliation: … isMemberOf: … lab Grouper API

CAMP - 30 June Application access scenarios Status quo: app-specific “admin view” is used to manage access-control related lists of netIDs stored with the app Options for managing app-specific access 1. Incorporate Grouper API into app’s admin view 2. Use Grouper or Signet UI instead Options for application consumption of app-specific access lists 1. Incorporate Grouper API 2. Use standard protocol to read from standard repository When to recommend which approach?

CAMP - 30 June Probable UC deployment Central IT ID management extended to use API –Existing source -> person registry processing –Existing person registry -> consumer provisioning –UI access granted in parallel with delegation of group naming authority –Start small (flat stem space, no personal groups), then grow Placement of API in key distributed IT shops –Where there are significant and persistent authorization management operations LDAP & AD provisioning

CAMP - 30 June Other deployment musings UIs tailored to new group types in a common Groups Registry –Course groups –Signet –Mail list manager? API bundled into applications using a common Groups Registry –uPortal alternate Groups store –Implement appropriate uPortal Groups Service interfaces –IMS Membership Management Service API bundled with applications (with separate Groups Registry?) –Calendar –“Groupware”, of all things?

CAMP - 30 June Under discussion Multi-valued non-list fields How much built-in delegation capability is best? Identify memberships separately from members Group name aliases Group naming in inter-domain contexts UI requirements: –Defaulting privileges –Search & browse capabilities

CAMP - 30 June Further info & participation MACE-Dir list MACE-Dir-groups conference calls Stay tuned for further Signet & related participation opportunities Code samples, current javadoc, and Phase 1 specifications docCode samples current javadocPhase 1 specifications doc

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.