Topics in Directories: Groups Dr. Tom Barton The University of Memphis.


25 June 2002, Base CAMP

Outline
What is it for?
Design factors – how to approach the design of a groups implementation
Examples & vignettes
Group management issues
Vaporware
References

Why do groups?
Leverage existing enterprise directory infrastructure to:
  Supply data for access control policies to directory-integrated applications and service platforms.
  Supply data for customization needs, especially CMSs and portals.
  Facilitate group messaging.
  Facilitate automated IT resource provisioning.

Design factors for a groups implementation
How the group information is to be most commonly accessed.
How the group information is to be maintained.
How potential interactions arise between:
  the type of group representation
  the nature of the group (e.g. size or privacy requirements)
  the capabilities of the particular directory service agent (DSA) being used

Design factors: Representations of groups
Static: group object with a multivalued membership attribute.
  groupOfNames
  groupOfUniqueNames
dn: cn=groupA,ou=groups,dc=some,dc=edu
objectclass: groupOfUniqueNames
cn: groupA
uniquemember: uid=user1,ou=people,dc=some,dc=edu
uniquemember: uid=user2,ou=people,dc=some,dc=edu
uniquemember: uid=user3,ou=people,dc=some,dc=edu

Design factors: Representations of groups
Dynamic: membership determined by executing an LDAP URL.
  groupOfURLs (iPlanet proprietary)
  No group object – the LDAP URL exists only in the applications using it.
dn: cn=groupB,ou=groups,dc=some,dc=edu
objectclass: groupOfURLs
cn: groupB
memberURL: ldap://ldap.some.edu:389/ou=people,dc=some,dc=edu?dn?sub?(ou=staff)

Design factors: Representations of groups
Forward reference: a multivalued attribute (isMemberOf) in an object lists its memberships.
dn: uid=user1,ou=people,dc=some,dc=edu
objectclass: someEduPerson
cn: Some Body
sn: Body
uid: user1
isMemberOf: groupA
isMemberOf: groupB

Design factors: Representations of groups
Spatial: membership is inferred from the object’s location in the DIT.

Design factors: Application access questions
How will applications query for group information?
  Is object X in group A?
  List all members of group A.
  List all groups to which X belongs.
  List all members of some boolean combination of groups.
  List all members of group A meeting specified additional criteria.

Design factors: Application access questions
Are there application restrictions on:
  group names
  static group objectclass selection
  ability to use object attributes (dynamic groups)
  where in the DIT to look for group objects
Are there application constraints impacting access policy?
Can the application BIND as a given user (aka serviceDN), enabling directory ACLs to accurately implement institutional access policy?
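The access questions on the two slides above can be exercised against the static, dynamic and forward-reference representations from the earlier slides with a small in-memory model. The following is an added example, not code from the presentation or from any product named on it: the DIT is constructed sample data (the suffix dc=some,dc=edu and the user and group names follow the slides), and parse_filter, matches, search, members, is_member, groups_of, members_of_all and members_matching are names chosen here.

```python
"""Added example, not from the presentation: an in-memory model of the static
(groupOfUniqueNames), dynamic (memberURL) and forward-reference (isMemberOf)
representations, used to answer the application access questions above.
The DIT is constructed sample data."""
import re
from urllib.parse import unquote

def norm(dn):
    """Normalise a DN for comparison: drop whitespace after commas, lower-case.
    (Simplified: escaped commas inside RDN values are not handled.)"""
    return re.sub(r",\s*", ",", dn.strip()).lower()

# Constructed sample DIT: DN -> attribute name (lower case) -> list of values.
_RAW = {
    "uid=user1,ou=people,dc=some,dc=edu": {"objectclass": ["someEduPerson"], "uid": ["user1"],
                                           "ou": ["staff"], "ismemberof": ["groupA", "groupB"]},
    "uid=user2,ou=people,dc=some,dc=edu": {"objectclass": ["someEduPerson"], "uid": ["user2"],
                                           "ou": ["faculty"], "ismemberof": ["groupA"]},
    "uid=user3,ou=people,dc=some,dc=edu": {"objectclass": ["someEduPerson"], "uid": ["user3"],
                                           "ou": ["staff"], "ismemberof": ["groupA", "groupB"]},
    # Static group: membership is the multivalued uniquemember attribute.
    "cn=groupA,ou=groups,dc=some,dc=edu": {"objectclass": ["groupOfUniqueNames"], "cn": ["groupA"],
        "uniquemember": ["uid=user1,ou=people,dc=some,dc=edu", "uid=user2,ou=people,dc=some,dc=edu",
                         "uid=user3,ou=people,dc=some,dc=edu"]},
    # Dynamic group: membership is whatever the LDAP URL returns when executed.
    "cn=groupB,ou=groups,dc=some,dc=edu": {"objectclass": ["groupOfURLs"], "cn": ["groupB"],
        "memberurl": ["ldap://ldap.some.edu:389/ou=people, dc=some,dc=edu?dn?sub?(ou=staff)"]},
}
DIT = {norm(dn): attrs for dn, attrs in _RAW.items()}

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (attr=value) and &, |, ! nesting."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError(f"bad filter: {text}")
    inner = text[1:-1]
    if inner[:1] in ("&", "|", "!"):
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(inner):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(parse_filter(inner[start:i + 1]))
        return (inner[0], parts)
    attr, sep, value = inner.partition("=")
    if not sep:
        raise ValueError(f"bad filter item: {text}")
    return ("=", attr.strip().lower(), value.strip())

def matches(entry, f):
    """Evaluate a parsed filter against one entry (values compared case-insensitively)."""
    if f[0] == "=":
        values = [v.lower() for v in entry.get(f[1], [])]
        return bool(values) if f[2] == "*" else f[2].lower() in values
    results = [matches(entry, sub) for sub in f[1]]
    return {"&": all, "|": any}[f[0]](results) if f[0] in "&|" else not results[0]

def in_scope(dn, base, scope):
    dn, base = norm(dn), norm(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)  # "sub"

def search(base, scope, filter_text):
    f = parse_filter(filter_text)
    return {dn for dn, e in DIT.items() if in_scope(dn, base, scope) and matches(e, f)}

_LDAP_URL = re.compile(r"^ldap://[^/]*/(?P<base>[^?]*)\?(?P<attrs>[^?]*)\?(?P<scope>[^?]*)\?(?P<filter>.*)$")

def members_from_url(url):
    """Execute a memberURL. Per RFC 4516 a missing scope means base and a missing filter (objectclass=*)."""
    m = _LDAP_URL.match(url)
    if not m:
        raise ValueError(f"unsupported LDAP URL: {url}")
    return search(unquote(m["base"]), m["scope"] or "base", unquote(m["filter"]) or "(objectclass=*)")

def members(cn):
    """List all members of group A, whichever representation the group uses."""
    g = DIT[norm(f"cn={cn},ou=groups,dc=some,dc=edu")]
    if "groupOfUniqueNames" in g["objectclass"]:
        return {norm(m) for m in g.get("uniquemember", [])}
    if "groupOfURLs" in g["objectclass"]:
        return set().union(*(members_from_url(u) for u in g["memberurl"]))
    raise ValueError(f"unknown group representation for {cn}")

def is_member(user_dn, cn):
    """Is object X in group A?"""
    return norm(user_dn) in members(cn)

def groups_of(user_dn, use_forward_reference=True):
    """List all groups to which X belongs: one entry read with isMemberOf,
    otherwise every group has to be expanded and checked."""
    if use_forward_reference:
        return set(DIT[norm(user_dn)].get("ismemberof", []))
    return {g["cn"][0] for dn, g in DIT.items()
            if dn.startswith("cn=") and norm(user_dn) in members(g["cn"][0])}

def members_of_all(*cns):
    """Members of a boolean AND of groups; OR is set union, A-but-not-B is set difference."""
    return set.intersection(*(members(c) for c in cns))

def members_matching(cn, filter_text):
    """Members of group A meeting additional criteria given as a filter."""
    f = parse_filter(filter_text)
    return {dn for dn in members(cn) if matches(DIT[dn], f)}

if __name__ == "__main__":
    print("groupB (dynamic):", sorted(members("groupB")))
    print("groups of user3:", sorted(groups_of("uid=user3,ou=people,dc=some,dc=edu")))
    print("groupA but not groupB:", sorted(members("groupA") - members("groupB")))
```

Two points the model makes visible: the dynamic group costs a search at every query (the "processor and return size limits" concern of the DSA interactions slide), and groups_of with the forward reference is a single entry read, whereas without isMemberOf every group object has to be expanded, which is why the two representations must be kept consistent.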

Design factors: Group maintenance questions
Will membership info be automatically maintained based upon institutional data?
Will membership info be manually maintained?
How will delegation of group update privileges be managed?
Is it a personal group?
What institutional policy pertains to the visibility of the group or the privacy of its membership information?

Design factors: Group maintenance questions
Both automatic and manual processes update the same group? Need a group maintenance application.
Is there a need to hide personal groups from certain enterprise applications?
Limited expressiveness of directory ACLs might limit the ability to delegate maintenance of member object attributes without use of an intervening group maintenance application.

Design factors: DSA interactions
Size limit for static groups?
Replication performance for large static groups.
Processor and return size limits vs. listing membership of large dynamic groups.
Access control language vs. delegated maintenance of dynamic (or forward reference) groups.

Core middleware for an integrated architecture

Example: Class website
Students & instructor(s) use a course website to support class activities. The website provides views only to those resources associated with the role they have in each class.
class: ENGL U
  instructor: uid=user1, …
  student: uid=user2, …
  student: uid=user3, …
class: COMP U
  instructor: uid=user4, …
  student: uid=user5, …
  student: uid=user6, …
[Diagram components: SIS, Metadirectory, MyClass]

Example: Data Warehouse Access
GUI web reporting tool (BRIO) for DW access has native LDAP authentication, but the groups used for application security are stored in the DW. Application level security privileges are determined by a combination of DW administrators and business office personnel.
owner: uid=DWadmin,…
  uniquemember: uid=user1, …
  uniquemember: uid=user2, …
owner: uid=BOadmin,…
  uniquemember: uid=user3, …
  uniquemember: uid=user4, …
[Diagram components: DW, GASP, Duper, BRIO]

Student vignette
Mary is a grad student at Alpha U, taking courses both in a traditional classroom and online, and interns at a biotech company nearby. Using her laptop, Mary needs to access her , courseware, calendar and library resources from all three locations: home, campus and work. She also uses a wireless PDA when on-campus to stay in touch with her lab mates.
[Diagram components: Mailbox, Calendar, Wireless Gateway, NAS Server, Lib Proxies, CMS, authN, attrs]

Provisioning vignette
The new Chair of the Dept. of Physiology has arrived on campus over the weekend. Dr. Agnew is very anxious to get access to campus IT resources such as , calendar, web services and the mainframe. He does not want to wait the requisite 3-5 business days it takes to get the accounts set up. Since IT already knows of him, he can use a self-service interface to accomplish his goal.
[Diagram components: HRS, Metadirectory, Acct Init Service, authN, attrs]

Group management issues
Maintenance & indexing of membership attributes
Delegating management
Referential integrity
Personal groups
Privacy & visibility
Group math
Forward referencing
Aging
Namespace issues

Vapor groupware
GASP (Group Authorized Service Process). Utility that provides group create, rename, update and delete capabilities within an access controlled environment.
Grouper. Extension to a DSA presenting group math capabilities to LDAP clients.
RIbot. Referential Integrity maintenance utility. Maintains the integrity of forward references too.
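The referential integrity and forward referencing items on the group management issues slide, and the RIbot entry above, come down to one maintenance loop: when a person entry disappears or moves, the uniquemember values that point at it go stale, and any isMemberOf forward references have to be rebuilt from the groups. The following is an added example of that loop, not code from the presentation or from RIbot or any other tool named on it; it uses a constructed in-memory DIT whose DN layout follows the slides, treats static groups' uniquemember values as the authoritative side, and the function names (make_dit, dangling_members, sync_forward_references, repair, delete_entry, rename_entry) are chosen here.

```python
"""Added example, not the presentation's or any project's code: referential
integrity maintenance for static groups and isMemberOf forward references
over a constructed in-memory DIT (DN -> attribute name -> list of values)."""

def make_dit():
    """Constructed sample DIT with deliberate inconsistencies: groupA lists a
    user9 that does not exist, user1 claims a groupZ that does not exist, and
    user2 lacks the groupA forward reference it should have."""
    return {
        "uid=user1,ou=people,dc=some,dc=edu": {"objectclass": ["someEduPerson"], "uid": ["user1"],
                                               "ismemberof": ["groupA", "groupZ"]},
        "uid=user2,ou=people,dc=some,dc=edu": {"objectclass": ["someEduPerson"], "uid": ["user2"],
                                               "ismemberof": []},
        "cn=groupA,ou=groups,dc=some,dc=edu": {"objectclass": ["groupOfUniqueNames"], "cn": ["groupA"],
            "uniquemember": ["uid=user1,ou=people,dc=some,dc=edu", "uid=user2,ou=people,dc=some,dc=edu",
                             "uid=user9,ou=people,dc=some,dc=edu"]},
    }

def is_group(entry):
    """groupOfNames, groupOfUniqueNames, groupOfURLs, ...: never carries isMemberOf here."""
    return any(oc.lower().startswith("groupof") for oc in entry["objectclass"])

def static_groups(dit):
    return {dn: e for dn, e in dit.items() if "groupOfUniqueNames" in e["objectclass"]}

def dangling_members(dit):
    """uniquemember values that point at entries which do not exist."""
    return {m for e in static_groups(dit).values() for m in e.get("uniquemember", []) if m not in dit}

def sync_forward_references(dit):
    """Rebuild isMemberOf on every non-group entry from the static groups.
    Returns the DNs whose isMemberOf changed (stale values dropped, missing ones added)."""
    wanted = {}
    for e in static_groups(dit).values():
        for m in e.get("uniquemember", []):
            wanted.setdefault(m, set()).add(e["cn"][0])
    changed = []
    for dn, e in dit.items():
        if is_group(e):
            continue
        new = sorted(wanted.get(dn, ()))
        if sorted(e.get("ismemberof", [])) != new:
            e["ismemberof"] = new
            changed.append(dn)
    return changed

def repair(dit):
    """Drop dangling uniquemember values, then resync the forward references."""
    dangling = dangling_members(dit)
    for e in static_groups(dit).values():
        e["uniquemember"] = [m for m in e.get("uniquemember", []) if m not in dangling]
    return dangling, sync_forward_references(dit)

def delete_entry(dit, dn):
    """Delete an entry; the uniquemember values that referenced it are now dangling and are removed."""
    del dit[dn]
    return repair(dit)

def rename_entry(dit, old_dn, new_dn):
    """modrdn/move: rewrite every uniquemember value, then resync the forward references."""
    dit[new_dn] = dit.pop(old_dn)
    for e in static_groups(dit).values():
        e["uniquemember"] = [new_dn if m == old_dn else m for m in e.get("uniquemember", [])]
    return sync_forward_references(dit)

if __name__ == "__main__":
    dit = make_dit()
    print("dangling before repair:", dangling_members(dit))
    print("repair:", repair(dit))
    print("groupA now:", dit["cn=groupA,ou=groups,dc=some,dc=edu"]["uniquemember"])
```

The direction of authority is the design decision: here the group object wins and isMemberOf is derived, so a forward reference can never grant a membership the group does not record. In a real DSA the same loop runs as a plugin or a periodic job against the replicated directory, which is where the replication and delegation concerns from the design factors slides come back in.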

References
Practices in Directory Groups – Tom Barton
LDAP Recipe 2.0 – Michael Gettes (forthcoming)
Groups Implementation Guide – Eileen Shepard