Using Signet and Grouper for Access Management. Tom Barton, University of Chicago; Lynn McRae, Stanford University.

Presentation transcript:

Using Signet and Grouper for Access Management
Tom Barton, University of Chicago
Lynn McRae, Stanford University

2 Identity & Access Management Reality
Each person's online activities are shaped by many Sources of Authority (SoAs):
  Resource managers
  Program/activity heads
  Other policy making bodies
  Self
Common middleware infrastructure should be operated centrally, so that departments/programs/activities are not obliged to build their own core middleware.
Management of the information it conveys should be distributed: hook up all of those SoAs to the middleware.

3 Connecting SoAs, Integrating with Existing Infrastructure

4 Relative Roles of Signet & Grouper
RBAC model:
  Users are placed into groups
  Privileges are assigned to groups
  Groups can be arranged into hierarchies to effectively bestow privileges
Signet manages privileges; Grouper manages, well, groups.

5 Nutshell Description of Grouper
A mix of manual and automated processes manage a common Group Registry
Many sources of authority are reflected in group memberships
Automated processes provision info from the Group Registry into LDAP, AD, directly into app-specific databases, or … wherever the value of the info warrants spending the resources to place it there
Group management authority is delegatable

6 Grouper Groups
Attributes of groups:
  Names: name, displayName, guid
  Description
  Members
  The set of attributes can be extended to support groups with more specific purposes
Subgroups, compound groups, and aging
Stored in an RDBMS, the Group Registry

7 Grouper Namespaces
Groups are created within namespaces
  Scopes the authority to create and name groups
  Supports distinct activities with their own authority
Namespaces can be arranged hierarchically:
  it          all central IT activities
  it:labs     manage computer labs
  bsd         all Bio Sci Division activities
  bsd:peds    Pediatrics resource access

8 Example: Groups for Lab Access
it:labs:eligible (manual)
  it:labs:whitelist (manual)
  uc:faculty (auto)
  uc:staff (auto)
  categories of entitled students (auto)
  time dependent student categories (auto)
it:labs:barred (manual)
  it:labs:blacklist (manual)
  categories of barred students (auto)
Allow access if "eligible" but not "barred"
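The "eligible but not barred" rule above is a compound group built from manual and automatically loaded groups, with aging memberships. The following is an added illustration, not Grouper's own code: the registry contents, group names and uids are constructed, and the union/complement operators stand in for Grouper's compound groups.

```python
from datetime import date
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample Group Registry for the lab-access example. Each group maps
# member uid -> membership expiry (None = no expiry). "(manual)" groups are kept
# by lab staff, "(auto)" groups are loaded from SIS/HR; all names and uids are
# invented for this example.
REGISTRY: Dict[str, Dict[str, Optional[date]]] = {
    "it:labs:whitelist": {"visitor1": date(2005, 8, 1)},   # aging membership
    "uc:faculty": {"prof1": None, "prof2": None},
    "uc:staff": {"staff1": None},
    "uc:students:enrolled": {"stu1": None, "stu2": None, "stu3": None},
    "uc:students:summer": {"stu4": date(2005, 9, 1)},       # time dependent category
    "it:labs:blacklist": {"stu2": None},
    "uc:students:suspended": {"stu3": None},
}

# Compound groups are defined from other groups: "union" collects the members of
# several groups, "complement" removes the members of the second group from the
# first (the "eligible but not barred" rule on the slide).
COMPOUND: Dict[str, Tuple[str, list]] = {
    "it:labs:eligible": ("union", ["it:labs:whitelist", "uc:faculty", "uc:staff",
                                   "uc:students:enrolled", "uc:students:summer"]),
    "it:labs:barred": ("union", ["it:labs:blacklist", "uc:students:suspended"]),
    "it:labs:access": ("complement", ["it:labs:eligible", "it:labs:barred"]),
}


def members(group: str, today: date, seen: Tuple[str, ...] = ()) -> FrozenSet[str]:
    """Effective members of a group on `today`: compound groups are expanded and
    aged-out memberships dropped. Cycles between compound groups are rejected."""
    if group in seen:
        raise ValueError(f"cycle through {group}")
    if group in REGISTRY:
        return frozenset(uid for uid, until in REGISTRY[group].items()
                         if until is None or today < until)
    op, parts = COMPOUND[group]
    resolved = [members(p, today, seen + (group,)) for p in parts]
    if op == "union":
        return frozenset().union(*resolved)
    if op == "complement":
        left, right = resolved
        return left - right
    raise ValueError(f"unknown compound operator {op}")


def lab_access(uid: str, today: date) -> bool:
    """Allow access if eligible but not barred, evaluated as of `today`."""
    return uid in members("it:labs:access", today)
```

Because the rule is evaluated from the registry each time, removing someone from a feeder group or letting a membership age out revokes lab access without any per-user edit to the access group.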

9 LDAP Data Flow & Grouper Roles in Computer Lab Access (diagram)
Actors: SIS, HR, Lab Director, Lab Managers, On-site staff
Components: Loaders, Grouper API, Grouper UI, Person Registry, Group Registry, lab
LDAP entry attributes shown: uid: jdoe, ucAffiliation: …, isMemberOf: …

10 Grouper's Privileges
Access privileges: who has what access (read, write) to a group's attributes
Naming privileges:
  Who can create a group in each namespace
  Who can create a new namespace subordinate to an existing one
Privilege interfaces are abstracted: an external privilege management system, like Signet, can be used, or Grouper's built-in privilege management
Subgroups, compound groups, and aging can be used to manage privileges with the built-in capability

11 Four Ways to Delegate Group Management
1. Create a group and assign someone to manage its membership
2. Create a group and assign someone to manage who manages the group's membership and who can see what about the group
3. Create a namespace and assign someone to manage who can create groups within it
4. Allow Self to opt in to or opt out of membership

12 Representing Membership in Operational Contexts
Standards for the I2MI community:
  LDAP, SAML/Shibboleth: isMemberOf
  LDAP: hasMember
  Preserving privacy/visibility
  Representing access privileges in, e.g., LDAP
Desirable local standards:
  Naming of groups & namespaces
  Privacy classes
  Incremental update and referential integrity

13 Signet Overview
Analysts define privileges in Signet in "business terms" and specify associated permissions. Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority. Signet internally maps assigned privileges into system-specific terms needed by applications. Privileges are exported, transformed, and provisioned into applications and infrastructure services.

14 Privileges Building Blocks
Business view: Subsystems, Categories, Functions, Scope, Limits, Prerequisites & Conditions
System view: Permissions (Subject, Action, Resource)
Analysts define privileges in Signet in "business terms" and specify associated permissions.

15 Signet Components
Subsystems define domains of ownership and responsibility; they reflect real world boundaries and can be large or small, e.g.:
  Financial system
  Student Administration
  HR system
  Network address plan management
  Network access management
  Research administration
  Clinical resources
(Diagram: Person Registry, Signet (Privilege Registry), Grouper (Group Registry))

16 Business View
Subsystems contain…
  Functions: the things a person can do; what they are getting privileges for.
  Categories: provide a useful arrangement of functions within a subsystem, for reporting and ease of use.
  Limits: qualifiers, constraints for a privilege.
  Scope: organizational hierarchy governing distributed delegation.

17 Business View (diagram)
Subsystems, categories and functions shown: Clinical, Trial Protocol A, Patient Records, Materials Control, Manage Grant, Lab Access, Administration, Student Admin, Course Support, Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts, Financial Aid (categories organize actions)
Limits shown: Which term, From Fund…, Read/Write, Hours, For school…, For fund…, Which campus, Qty/day, $ constraints

18 Signet User Interface Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.

19 Systems View
Permissions: atomic units of control that map to specific access rules in systems. Includes limits that must be evaluated when interpreting permissions.
Resources: the target of a specific privilege; things that have access rules to control their use.
Signet internally maps assigned privileges into system-specific terms needed by applications.

20 Business View → Permissions (diagram)
Business view (Student Admin): Course Support, Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts, Financial Aid
Resources/Permissions: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room, on the resources Calendar, Course, Facilities, Financial, Student

21 Systems Integration
Privileges document: XML representation of privileges for an individual or group. Compatible with SAML and XACML representations of Subjects and Access Rules.
Integration: site-specific. Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services.

22 Privileges Document
Signet Privileges document (not final). Values visible in the sample (the XML tags were lost in extraction): Poole, Jean M.; Subsystem project-biox; patient-record-access; research-records; protocol; urn:oasis:names:tc:xacml:1.0:function:string-equal; 2005-formula-b; approve-requisitions

23 Provisioning Permissions into Applications (diagram)
Permissions reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room, on the resources Calendar, Course, Facilities, Financial, Student, are provisioned into the applications Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student.

24 Provisioning Permissions into Infrastructure (diagram)
The same permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room, on the resources Calendar, Course, Facilities, Financial, Student) are provisioned into the applications Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student and into the Directory as eduPersonEntitlement.

25 Other features
Assignments can be to an individual or to a Group, with or without the ability to further delegate
Distributed delegation using organizational hierarchy; records "chain of command"
Proxy assignment: temporary granting of one's privilege to another

26 Privileges Lifecycle
Conditions provide automatic revocation of privileges:
  Date controls: from date, until date
  Based on the person's status and affiliation, e.g., as long as the person is at Stanford
Prerequisites: pre-conditions that must be met to activate privileges, e.g., training

27 Privilege Elements by Example
By authority of the Dean (grantor), principal investigators (grantee: group/role) who have completed training (prerequisite) can approve purchases (function) in the School of Medicine (scope) for research projects (resource) up to $100,000 (limit), until January 1, 2006, as long as a faculty member at … (conditions: privilege lifecycle).
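The elements in this example and the lifecycle rules on the previous slide (conditions revoke, prerequisites gate activation) can be evaluated as one decision. This is an added example, not Signet's own model or code: the Privilege and Subject classes, the group and training names and the "faculty" affiliation value are all constructed here.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Privilege:
    grantor: str                   # by authority of the Dean
    grantee: str                   # a subject uid or a group/role name
    function: str                  # can approve purchases
    scope: str                     # in the School of Medicine
    resource: str                  # for research projects
    limit_usd: Optional[int]       # up to $100,000
    prerequisites: FrozenSet[str]  # who have completed training
    until: Optional[date]          # until January 1, 2006
    condition: Optional[str]       # as long as a faculty member (an affiliation)

@dataclass(frozen=True)
class Subject:
    uid: str
    groups: FrozenSet[str]         # memberships from the Group Registry
    completed: FrozenSet[str]      # training on record
    affiliations: FrozenSet[str]   # status/affiliation from the Person Registry

def lifecycle(priv: Privilege, subj: Subject, today: date) -> str:
    """State of the privilege for this subject: a failed condition revokes it,
    an unmet prerequisite leaves it granted but not yet active."""
    if subj.uid != priv.grantee and priv.grantee not in subj.groups:
        return "not-granted"
    if priv.until is not None and today >= priv.until:
        return "revoked:expired"
    if priv.condition is not None and priv.condition not in subj.affiliations:
        return "revoked:condition"
    if not priv.prerequisites <= subj.completed:
        return "inactive:prerequisite"
    return "active"

def may_exercise(priv: Privilege, subj: Subject, today: date,
                 function: str, scope: str, resource: str, amount_usd: int) -> bool:
    """Function, scope, resource and limit are checked only for an active privilege."""
    if lifecycle(priv, subj, today) != "active":
        return False
    if (function, scope, resource) != (priv.function, priv.scope, priv.resource):
        return False
    return priv.limit_usd is None or amount_usd <= priv.limit_usd

# Constructed instances of the slide's example (names are invented).
DEAN_GRANT = Privilege("dean", "som:principal-investigators", "approve purchases",
                       "School of Medicine", "research projects", 100_000,
                       frozenset({"purchasing-training"}), date(2006, 1, 1), "faculty")
PI = Subject("pi1", frozenset({"som:principal-investigators"}),
             frozenset({"purchasing-training"}), frozenset({"faculty"}))
```

The distinct lifecycle states matter for provisioning: an expired or affiliation-revoked privilege should be removed from downstream systems, while an inactive one (training not yet done) is recorded but must not be exported as an entitlement.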

29 Subject API
Common application need: to look up people or other types of subjects
  To search for and present them in a UI
  To translate between different identifiers for the same object, e.g., username → persistentID
The Subject API is a freestanding implementation meeting these needs. Site-configured:
  Subject types: people & groups, and maybe applications, computers, policies, whatever
  Sources for each site-specific subject type
  Specific query syntax for abstract query types

30 Signet & Grouper Development
Now available:
  Grouper API v (basic group management by automation processes)
  Demo release of Signet v0.3 toolkit and UI
June 2005:
  Grouper v0.6: initial UI release
  Subject API: initial release
September 2005:
  Signet: initial production-ready release
Grouper team: U Chicago & U Bristol
Signet team: Stanford University

31 Resources & Participation
Grouper website
Signet website
Internet2 Middleware Initiative:
  Documents, tarballs, cvs
  Details for subscribing to mailing lists
  Conference call agendas & dialing instructions