GRS & BuzzAPI IAM Users Group Sept 2016.
1 GRS & BuzzAPI IAM Users Group Sept 2016

2 Agenda
- Bash GRS
- BuzzAPI
- Overview & Concepts
- Getting Started
- Gotchas
- Usage

3 GRS Overview
- GRS: GT Role System
- "Role": a label put on People (or accounts)
- Automated Rules: GTED Filters
- Adding & Removing People: Manual Additions, Automated Cleanup
- Reads and updates GTED Entitlements
- GTED Entitlements feed: GTED Posix Groups, GTAD Groups, Data Warehouse

4 GRS Concepts: Roles & Folders
- Folders created (by IAM) for Departments & Services
  - Subfolders created as needed
  - Access control: Roles have X access to a Folder (Full Control, Edit, Override, Read, View)
- Role
  - Path & Name (determines Entitlement value)
  - Description (automated data dictionary in FY2017)
  - Type: People or Accounts (more later)
  - Rules
  - Overrides

5 GRS Concepts: Rules
- Match People
  - GTED Filter
  - GTED Group (Sympa Lists)
  - Another Role
- Affect Memberships
  - Enabling (add to Role)
  - Filtering out (simple subtraction)
  - Disabling (exceptional subtraction)
  - Prerequisite (requirement in addition to other Rules)

6 GRS Concepts: People vs Accounts
- People have multiple accounts
  - Same person: Alt Primary, Secondary
  - Different "Person": Service & Guest
- Recommend People Roles except:
  - High Security
  - Abundance of Service Accounts with siblings
  - Resource ownership is per-account and is critical
- Account Selection
  - Overall Primary: gtAccountCategory=overall-primary-account
  - Employee Account: gtAccountCategory=primary-account:e

7 GRS: Getting Started
- Need a GRS account
- Need Folder and/or Permissions
- Zork Client: ssh roles.iam.gatech.edu
  - Person-Centric: Status, Override, History
  - Role-Centric: everything else
- Role Navigating
- Role/Folder Creation
- Role Editing
- Rule Viewing & Editing
- Overrides
  - Steps: Find Person, Find Account (optional), Set Duration/Condition

8 GRS: Zork Client Tricks
- First, the client is painful
- Tricks
  - Use the defaults
  - Everything is case insensitive
  - Find roles with =prefix or =.*substring

9 GRS: Performance & APIs
- Overrides: <<10 minutes, faster with BuzzApi
- New rules: Small ~10 minutes; Large: up to an hour
- Data changes: up to a day
- APIs
  - [Yes, I know the certificate is bad]
  - BuzzApi: central.iam.grs.overrides

10 GRS: Gotchas
- Things that could be better
  - Confusing AccountSearch -> Person -> Account Selection
  - Changing GTED Branch
  - Bad LDAP Filters
  - People vs Accounts
- Deleting large rules: call the IAM Team
- Following/Documenting cascading: the IAM Team has a grs-rules script to make this easier

11 GRS: Questions?

12 BuzzApi: Agenda
- Background: Idea & Motivation, Goals
- Available Services
- Access Control
- Using BuzzApi

13 BuzzApi: Overview
- Motivation
  - History of independent API implementations
  - More APIs and more access (including Students)
  - Modularity and simpler integrations
- Idea
  - API Broker with deep functions
  - Loosely coupled providers (polyglot, multiple owners)
  - Common sandbox, direct Client-Provider communication

14 BuzzApi: Features
- Consistent details, implemented as few times as possible
  - Hostnames, Firewalls, etc.
  - Authentication: Username/Password, CAS Proxy
  - Authorization
  - Parameter names
  - Operations (Create, Read, Update, Delete, Ping, Documentation, Provide)
  - Logging
  - Metadata
  - Documentation
  - Discovery
  - Monitoring
  - Redundancy

15 BuzzApi: Services
- IAM (Public): People-searching, GTED, GRS, GTAD, Duo, Password Info, GTAccount creation, Service Roles, User-personal groups, Event Queues, Guests, Logs (Mage, Passport, GRS, CAS, Duo), Grouper Aliases & Primary Addresses, Sympa Lists, Destination Preferences, Office365 Exchange
- PeopleSoft: Ethics Compliance, Holidays
- Banner: Course Catalog, Seat Counts, Instructors, Deposits, Charges
- BuzzCard: Issuance Info, Photos
- App Specific: Touchnet, Symplicity, Udacity, GTPE, Student Orgs
- Internal: Message Queues, WebServers, Diagnostics
- IAM (Private): Vetting Q&A, Splunk, RBAC

16 BuzzApi: Usage
- Access Control
  - Coarse grained: Resources & Operations
  - Fine grained: checks on Apps, Users, and Parameters
- URLs: api.gatech.edu, test.api.gatech.edu, iat.gatech.edu
- Authentication: App [always], User [sometimes]
- Parameters: URL, JSON Body, or both
- Request Modes: Async [default]; Sync: api_request_mode=sync

17 BuzzApi: Results
- You always get back a significant response envelope
  - Info on the request
  - Backend info & logs
  - Result data: Success (api_result_data), Failure (api_error_info), Timeout (neither)
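Added example, not from the slides or from the BuzzApi project: a small Python client helper that builds a synchronous request URL (the api_request_mode=sync switch from the Usage slide) and classifies a response envelope by the rule on this slide, where api_result_data means success, api_error_info means failure and neither means timeout. The resource path, the query parameter name, the sample envelopes and every envelope field other than api_result_data and api_error_info are constructed assumptions, not documented BuzzApi fields.

```python
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SUCCESS, FAILURE, TIMEOUT, AMBIGUOUS = "success", "failure", "timeout", "ambiguous"


def sync_request_url(base_url, params):
    """Append params to base_url and force api_request_mode=sync
    (the sync switch from the Usage slide); any existing mode is overridden."""
    parts = urlsplit(base_url)
    query = dict(parse_qsl(parts.query))
    query.update(params)
    query["api_request_mode"] = "sync"
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_envelope(envelope):
    """Apply the Results slide rule: api_result_data -> success,
    api_error_info -> failure, neither -> timeout. An envelope carrying both
    is flagged (assumption) so a caller never consumes data beside an error."""
    has_data = "api_result_data" in envelope
    has_error = "api_error_info" in envelope
    if has_data and has_error:
        return AMBIGUOUS
    if has_data:
        return SUCCESS
    if has_error:
        return FAILURE
    return TIMEOUT


def handle_response(raw_json):
    """Parse a raw envelope string and return (status, payload). A malformed or
    non-object body is reported as a failure instead of raising, so a caller
    driving an override never stops half-way with no recorded outcome."""
    try:
        envelope = json.loads(raw_json)
    except ValueError as exc:
        return FAILURE, {"client_error": str(exc)}
    if not isinstance(envelope, dict):
        return FAILURE, {"client_error": "envelope is not a JSON object"}
    status = classify_envelope(envelope)
    key = "api_result_data" if status == SUCCESS else "api_error_info"
    return status, envelope.get(key)


# Constructed sample envelopes; api_request_id and api_backend_info are assumed names.
SAMPLE_SUCCESS = '{"api_request_id": "constructed-1", "api_result_data": {"added": true}}'
SAMPLE_FAILURE = '{"api_request_id": "constructed-2", "api_error_info": {"message": "not authorized"}}'
SAMPLE_TIMEOUT = '{"api_request_id": "constructed-3", "api_backend_info": {"provider": "grs"}}'

if __name__ == "__main__":
    # Resource path and parameter name below are placeholders, not real BuzzApi values.
    print(sync_request_url("https://test.api.gatech.edu/PATH-FROM-DOCS", {"ASSUMED_PARAM": "x"}))
    for sample in (SAMPLE_SUCCESS, SAMPLE_FAILURE, SAMPLE_TIMEOUT):
        print(handle_response(sample))
```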

18 BuzzApi: Questions
- Docs for clients: Buzzapi-AccessingResources
