ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009.

Presentation transcript:

ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009

The Fast Framework PennGroups

Identity Management at Penn

• Goal: To protect the confidentiality and privacy of information at Penn by:
  – Uniquely identifying entities associated with Penn
  – Providing access to appropriate facilities, services, and systems
  – Preventing unauthorized access to facilities, services, and systems

1/23/2016 Central Authorization at the University of Pennsylvania 2

Elements of Identity Management

• Components of identity management
  – Penn Community – central repository for a person’s bio/demo data as fed by core business systems (SRS, HR/Payroll, Atlas, UPHS) and entered directly for ancillary affiliates
  – Penn Directory – system that holds the preferred name and contact info for all Penn affiliates
  – Penn Card – system used to generate the physical ID card that is used for building access and commercial transactions across the university
  – PennNames – system used to associate a unique username to each individual at Penn, providing a common and consistent University namespace for online services
  – PennKey – unique identifier for Penn’s central authentication system; with its associated password, provides an electronic means to authenticate an individual and provide access to systems across the university
  – PennGroups – system for creating and managing groups to facilitate authorization decisions by applications, with hooks to LDAP or web services

Penn’s Identity Management Strategy

(Diagram slide. Components shown: source systems SRS, HR, Atlas and UPHS; Ancillary Affiliates (Temp, VFAC, CHOP, etc.); Penn Community; Penn Names; Penn Directory; PennKey; PennCard; PennGroups; 3rd Party App and Home Grown App consumers obtaining AuthZ decisions via LDAP or WS.)

The Fast Framework PennGroups  PennGroups is derived from the Internet2 open source Grouper initiative  Has been adopted and deployed at other ivy league universities (Brown, Cornell, Yale)  Penn has worked with the Grouper team to enhance the baseline product – Better meets the needs of Penn – Provides additional useful functionality to other grouper users – Allows Penn to benefit from future grouper enhancements without maintaining a separate source code instance 1/23/2016 Central Authorization at the University of Pennsylvania5 What Is PennGroups

Benefits

• Facilitates consistent application of University business rules
  – Managed through a common UI and web services
• Streamlines maintenance of authorization data
  – Brings scattered, redundant groups together for re-use
  – Allows useful actions on these groups: group math, group nesting, exclusion criteria
• Leverages Penn Community data for accurate, up-to-date authorization decisions
  – Can leverage existing attribute information
• Distributed/delegated model of control
  – Supports the creation of new groups by schools and centers

How It Works

• Authorization by application
• After authentication the application can interrogate PennGroups for access to group membership data
  – Web services
  – LDAP
• Changes to group membership are reflected automatically and propagate to the application dynamically

The Fast Framework PennGroups  Two modes for creating and managing groups – Automated Web services - build and run a query from your data store and send group membership information to PennGroups via the web service API Stored SQL – Configure a SQL query within the PennGroups UI to run on a scheduled basis to modify group membership – Manual UI – log onto the PennGroups UI to manually manage your group membership –You cannot manually add members to or remove members from a group that is managed in an automated fashion 1/23/2016 Central Authorization at the University of Pennsylvania8 Managing PennGroups

PennGroups Hierarchy

(Diagram slide; no transcript text.)

PennGroups in a Decentralized Environment

• When a School/Center is purchasing or developing a new system
  – LSP/application developer contacts Central IT
  – LSP/developer and Central IT collaborate to:
      Establish authorization use cases for the specific application
      Determine access method (LDAP or Web Services)
      Determine best approach for group creation and maintenance
  – School/Center fills out access forms
  – Central IT consults with LSP/developer on group hierarchy structure

The Fast Framework PennGroups  PTO – Paid Time Off – Provides ability to select a person that doesn’t manage their time off through PTO as a supervisor/approver  ISC Warehouse Apps – Provides a feed from the warehouse for employees in 3 orgs. If you are active in the org, you will be in the group, and the app will let you in  Abramson's Cancer Center – Builds custom research related applications and needs an means to confirm that users who log in currently have an active status  School of Engineering and Applied Science – Affiliate level groups - faculty members, staff members, students, undergrads, grads, PhD students – Class level groups - everyone enrolled in every SEAS course, and several ad-hoc groups. – Kept up to date via a SEAS data store and propagated to PennGroups via the SQL loader – Group hierarchy (groups such as freshman, sophomore, etc are members in the group uGrad). – Ad hoc groups generated and maintained via specific applications and business rules. – Use of groups to determine access to various resources such as SSH (with different groups allowed to access different machines), IMAP, POP, SMTP, etc. 1/23/2016 Central Authorization at the University of Pennsylvania11 Use Cases

More Information

• For technical documentation see the Internet2 Grouper wiki at:
  – General info
  – Web services info