Access Management with Grouper Tom Barton University of Chicago.

Slides:



Advertisements
Similar presentations
Grouper Training End Users Lite UI – External Users
Advertisements

Towards Common Identity Services Tom Barton University of Chicago.
Federated Identity, Shibboleth, and InCommon Tom Barton University of Chicago © 2009 The University of Chicago.
Managing Authorization with Signet and Grouper Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn.
Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.
Recent Developments in Directories Tom Barton, University of Chicago Keith Hazelton, University of Wisconsin.
A Middleware Unified Field Theory Identity Management / Directories Privileges / Groups Single Sign-On / Federation Enterprise Integration from network.
Handling Groups and Permissions: Grouper and Signet and uPortal Lynn McRae, Stanford University Keith Hazelton, University of Wisconsin With thanks to.
Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.
Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
Signet and Grouper for Distributed Attribute Administration
Apereo Grouper Seminar Part 2 – Penn and Grouper Chris Hyzer University of Pennsylvania and Internet2.
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
1 Kuali Identity Management Advanced CAMP: Identity Services Summit for Higher Ed Open / Community-Source Projects.
Introduction to Grouper Part 1: Access Management & Grouper Tom Barton University of Chicago and Internet2 Manager – Grouper Project.
Introduction to Grouper
I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago.
IAM Online - Grouper Permissions Chris Hyzer University of Pennsylvania / Internet2 September 14, /14/20151.
Eric Westfall – Indiana University Jeremy Hanson – Iowa State University Building Applications with the KNS.
RECALL THE MAIN COMPONENTS OF KIM Functional User Interfaces We just looked at these Reference Implementation We will talk about these later Service Interface.
Penn Groups PennGroups Central Authorization System June 2009.
Intro to Grouper There’s nothing fishy about Identity Management with Grouper.
Implementing MACE Grouper at Brown University James Cramton October 9, 2007 Internet2 Fall Member Meeting 2007 San Diego, CA.
Grouper Training Developers and Architects Web Services - Part 5 Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons.
Centralizing and Automating PeopleSoft Authority Management (Security) Session #20647 March 14, 2006 Alliance 2006 Conference Nashville, Tennessee.
Grouper after Groups Enabling Net+ Services with PAP, PEP, and PDP...Oh My! October 3rd, 2012 Bill Thompson IAM Architect, Unicon Chris Hyzer Grouper Developer,
Directories Keith Hazelton, University of Wisconsin Brendan Bellina, University of Notre Dame Tom Barton, University of Chicago.
Building Applications with the KNS. The History of the KNS KFS spent a large amount of development time up front, using the best talent from each of the.
Grouper Training Developers and Architects Advanced Topics Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons.
Brown University Infrastructure Support for Teaching and Learning Applications at Brown University John Spadaro Sept. 24, 2008.
Using Signet and Grouper for Access Management Using Signet and Grouper for Access Management Tom Barton, University of Chicago Lynn McRae, Stanford University.
Grouper Training - Admin Connectors Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons Attribution-NonCommercial.
Collaborative Platforms. Collaborations and Virtual Organizations IdM is a critical dimension of collaboration, crossing many applications.
Module 6 Securing Content. Module Overview Administering SharePoint Groups Implementing SharePoint Roles and Role Assignments Securing and Auditing SharePoint.
Kuali Rice A basic overview…. Kuali Rice Mission First and foremost to provide a consistent development framework and common middleware layer for Kuali.
3 Nov 2003 A. Vandenberg © Second NMI Integration Testbed Workshop on Experiences in Middleware Deployment, Anaheim, CA 1 NMI R3 Enterprise Directory Components.
Windows Role-Based Access Control Longhorn Update
© 2006 The University of Chicago Grouper Backgrounder for Authorization WG Tom Barton, U Chicago.
Grouper Tom Barton University of Chicago. I2MM Spring Outline  Grouper’s place in the world  Some Grouper guts  Deployment scenarios.
UC Groups: An Access Management Service Tom Barton University of Chicago.
Grouper Training Developers and Architects Integration Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons Attribution-NonCommercial.
KIM: Kuali Abstraction Layer for Identities, Groups, Roles, and Permissions.
Internet2 and Cyberinfrastructure Russ Hobby Program Manager,
Current Middleware Picture Tom Barton University of Chicago Tom Barton University of Chicago.
Grouper: A Toolkit for Managing Groups Tom Barton blair christensen University of Chicago.
Grouper Training Developers and Architects How to Design Groups Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial.
Kuali Identity Management: Introduction and Implementation Options Jasig - Spring 2010 Wednesday, March 10, :30 am.
What’s new with Grouper 26-April-2010, Spring Member Meeting Chris Hyzer, Grouper developer.
Grouper attributes and privileges FUTURE features in Internet2 MACE Grouper June 2009 Chris Hyzer University of Pennsylvania Internet2.
CAMP Shibboleth: Next Steps Steve Carmody, Brown University Ann West, Educause/Internet2/Michigan Tech.
Networks ∙ Services ∙ People Andrea Biancini #TNC15, Porto, Portugal Implementing Grouper to federate user authorization Federated Authorization.
1 Name of Meeting Location Date - Change in Slide Master Authentication & Authorization Technologies for LSST Data Access Jim Basney
OpenRegistry MACE-Dir 5/18/09 1 OpenRegistry Initiative Revisiting the Management of Electronic Identity Benjamin Oshrin Rutgers University May 2009.
OpenRegistry: What’s New Jasig San Diego 3/10 1 What’s New With OpenRegistry Scott Battaglia Benjamin Oshrin March 2010.
Sakai ID & Access Management
OpenRegistry Initiative
Introducing Access Management
I2/NMI Update: Signet, Grouper, & GridShib
Chris Hyzer, University of Pennsylvania
Privilege Management: the Big Picture
Provisioning Groups, Memberships, and Permissions to LDAP
Signet Privilege Management
Infrastructure Support for Teaching and Learning Applications at Brown University John Spadaro Sept. 24, 2008.
Grouper: A Toolkit for Managing Groups
PDI: Intro to Grouper Jeff Ruch Jeff Ruch ACNS Middleware
Signet & Privilege Management
Signet Privilege Management
Managing Roles & Privileges with Grouper and Signet Middleware
Presentation transcript:

Access Management with Grouper Tom Barton University of Chicago

Why? Lower cost by factoring access management out Simplify & make consistent by using one group in many places Let the right people manage access, directly See who can access what, in one place 2

Grouper: core concepts 3 Folders in hierarchies Group Direct members Subgroup Indirect members Composite groups Custom attributes

Security & delegation 4 Create groups Create subfolders Admin Update membership Read membership View group Opt-in Opt-out Delegation

5 Grouper integration

EXAMPLES 6

7

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu ucismemberof: uc:org:nsit:integration:techag ucismemberof: uc:org:nsit:srdirs ucismemberof: uc:org:nsit:integration:iteco:wr ucismemberof: uc:applications:confluence:NSIT:esx ucismemberof: uc:org:nsit:integration:iteco:rd ucismemberof: uc:applications:confluence:NSIT:Directors ucismemberof: uc:org:nsit:staff ucismemberof: uc:applications:confluence:NSIT:Everyone ucismemberof: uc:org:nsit:integration:shib_group ucismemberof: uc:applications:bulkmail:users ucismemberof: uc:org:library:gnet:admins ucismemberof: uc:applications:gnetid:admins ucismemberof: uc:applications:wireless:authorized ucismemberof: uc:applications:cmail:users:authorized ucismemberof: uc:reference:affiliations:effective:staff LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu ucIsMemberOf : uc:org:nsit:srdirs ucIsMemberOf : uc:reference:affiliations:effective:staff Memberships become LDAP attributes 8 ucIsMemberOf : uc:applications:vpn:authorized

U Chicago: simple delegation Wireless & VPN Guest network ID management Business Objects access Different groups, different authorities 9 eligibleunauthorized student staff alumhospital closure locked authorized postdoc = ̶

Brown: Managing Access to Course Resources MACE Grouper Course Groups iTunesMajordomoConfluenceWebCT All Recipient list, Discussion SenderCan Use AdministratorInstructorBroadcast SenderSpace Admin Instructors (provisioned) Instructor Managers TAs TA and Designer ContributorInstructor Space Admin Content Developers Designer Mentors LearnerStudent Auditors Auditor Students (provisioned, read only) Student Vagabonds Auditor Other, outside MACE GrouperSuper Admin Super Admin(s)

11

12 NIH’s Cancer BioInformatics Grid

NEW IN V1.5.0 Just released … some capabilities are partial or “experimental” 13

Lite UI AJAX components for simple end-user tasks URL links directly to a group Integrated within Grouper UI webapp Two entry points: Admin UI & Lite UI Admin UI uses new components too More Lite UIs may be contributed by deployers 14

Performance 15

Audit Who did what when … Add/delete/update membership, group, folder, and Grouper privileges Attribute definition & assignment XML import Move/copy group or folder Audit reporting via Grouper Admin UI & Grouper Shell 16

Move & copy Copy/move groups/folders to another folder Why? Template groups & template folders Update organizational hierarchies Old group name optionally continues to refer to moved group Supported by Grouper Admin UI & Grouper Shell (Grouper-WS soon) 17

Notification Near real time provisioning of group info Group, membership, folder, and privilege changes Serialized Provided to registered consumers SQL & API access to transactions LDAP provisioning connector will use in v

Attribute framework Assign custom attributes to principal Grouper objects Groups Folders Memberships Attributes Will have several value types, multi-values, etc Only an enumerated type in Attributes are objects in folders, like groups, and their security model is similar to that of groups 19

Roles & permissions Role extends Group, links Subjects with Permissions Permission is a type of attribute assigned to a role or to a membership in a role Has an Action qualifier, eg, Read or Write Permission sets. Eg, organizational hierarchies Superior roles inherit subordinate permissions 20

Grouper & Identity Services Grouper’s roles & permissions are only low level capabilities, initially No high level interfaces have been implemented or even defined yet Looking for help with that from MACE- Paccman and from partner sites More later in this conference about Grouper and identity service interfaces in Kuali and in uPortal 21

Grouper roadmap Current version is v1.5+ Notification enhancements Attribute & permission enhancements New LDAPPC = shibboleth AA + SPMLv2 v1.6 Point-in-time audit Role management interface uPortal integration Kuali Rice integration 22

23

24

MACE/Internet2 IAM work Shibboleth InCommon Federation Grouper Comanage Identity services & application domestication Privilege & access management MACE-paccman working group !Signet Grouper to add some privilege management capability MACE-directories working group edu* schema, white papers, etc 25

Identity services activities & Higher Ed MACE-paccman working group Kuali Rice OSS projects, some JA-SIG affiliated Liberty, Identity Gang, etc International efforts akin to MACE’s Advanced CAMP June 2009 in Philly 26

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.