Slide 1: Handling Groups and Permissions: Grouper and Signet and uPortal
Lynn McRae, Stanford University
Keith Hazelton, University of Wisconsin
With thanks to Tom Barton, University of Chicago
JA-SIG, Vancouver, BC, 06/06/06

Slide 2: Identity & Access Management
- A person's privileges are shaped by many Sources of Authority: institutional policy-making bodies, resource managers, program/activity heads, and individuals (friends and self)
- Management of privileges should therefore be distributed: hook up all of the Sources of Authority to the middleware
- Common middleware infrastructure should be operated centrally; departments, programs, activities and applications should not have to build their own core middleware
- Resources should be shared through the infrastructure

Slide 3: Access Control Decision
Q: Subject + Resource + Action + Context
- Subject = who or what wants to take an action
- Resource = what the action is against, e.g., file, building, data, service
- Action = what they want to do, e.g., view, modify, enter, approve, run
- Context = time of day, academic term, weather, etc.
A: Policy interpretation and decision, e.g.
- Resource and action are available to a group, e.g., faculty at MIT, students in a class
- Available to anyone with an "entitlement" for the service

Slide 4: ...by any other name
  Signet and XACML   uPortal Permission
  Subject            Principal
  Action             Activity
  Resource           Target
  Context

Slide 5: Policy based authorization
Actors: Identity Provider, Service Provider, Rules
- An authenticated subject tries to access a resource
- The provider evaluates the required identity attributes against the rules for that resource
- The provider grants or denies access

Slide 6: Policy interpretation
Policy can be very simple:
- In group "uportal-sysadmins"
- In role "faculty"
...or more and more complicated:
- Faculty in the Law School, or designated TAs, or other faculty teaching a Law School course, can (or cannot) submit grades, for courses offered this term

Slide 7: Groups and Privileges
Two kinds of Subject information are used in making access control decisions:
- Who you are, aka "groups" or "roles" (cf. RBAC)
- What you can do, aka "privileges" (cf. "value-based authority" or "row-based authority")
Both types of information are conveyed through attributes about a person. Grouper and Signet are tools that let you enrich the descriptive attributes about people in both ways.
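The decision on slide 3 and the two policy styles on slides 6 and 7, as an added worked example (this is illustrative code written for this page, not code from the slides or from Grouper, Signet or uPortal). A request is the Subject + Resource + Action + Context tuple; the policies are the simple "in group X" rule, the Law School grade-submission rule, and an explicit entitlement. All subject names, group names, course codes and terms are constructed and assumed for illustration.

```python
"""Added example, not code from the slides or from Grouper/Signet/uPortal:
a tiny policy decision point. A request is the slide-3 tuple
Subject + Resource + Action + Context, and the policies are the ones on
slide 6 ("in group X", and the Law School grade-submission rule) plus the
slide-7 distinction between group membership ("who you are") and an
explicit privilege ("what you can do"). All group names, subjects, course
codes and terms below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    subject: str
    resource: str                                  # e.g. "grades:LAW-201"
    action: str                                    # e.g. "submit"
    context: dict = field(default_factory=dict)    # e.g. {"term": "2006-spring"}


# "Who you are": groups a directory would release for each subject (constructed).
GROUPS = {
    "alice": {"uc:faculty", "law:faculty"},
    "bob":   {"uc:student", "law:course:LAW-201:tas"},
    "carol": {"uc:faculty", "cs:faculty"},
    "erin":  {"uc:faculty", "cs:faculty", "law:course:LAW-201:instructors"},
    "dave":  {"uc:student"},
    "root":  {"uportal-sysadmins"},
}
# "What you can do": explicit (action, resource) privileges per subject (constructed).
PRIVILEGES = {
    "dave": {("submit", "grades:LAW-201")},
}
# Context data: courses offered in each academic term (constructed).
COURSES_BY_TERM = {"2006-spring": {"LAW-201", "CS-313"}}


def course_of(resource):
    """'grades:LAW-201' -> 'LAW-201'; None for resources that are not grade books."""
    kind, _, course = resource.partition(":")
    return course if kind == "grades" and course else None


def in_group(req, group):
    """Slide 6, simple policy: the subject is in one named group."""
    return group in GROUPS.get(req.subject, set())


def may_submit_grades(req):
    """Slide 6, complicated policy: Law School faculty, or designated TAs, or other
    faculty teaching a Law School course may submit grades, and only for courses
    offered in the term given by the request context."""
    if req.action != "submit":
        return False
    course = course_of(req.resource)
    offered = COURSES_BY_TERM.get(req.context.get("term"), set())
    if course is None or course not in offered:
        return False
    groups = GROUPS.get(req.subject, set())
    law_faculty = "law:faculty" in groups
    designated_ta = f"law:course:{course}:tas" in groups
    other_faculty_teaching = ("uc:faculty" in groups
                              and f"law:course:{course}:instructors" in groups)
    return law_faculty or designated_ta or other_faculty_teaching


def has_entitlement(req):
    """Slide 7, privilege-based policy: an explicit grant covers this exact request."""
    return (req.action, req.resource) in PRIVILEGES.get(req.subject, set())


def decide(req):
    """Default deny: permit only when some policy positively grants the request."""
    if in_group(req, "uportal-sysadmins"):      # the simple group rule, applied first
        return "permit"
    if req.resource.startswith("grades:"):
        return "permit" if may_submit_grades(req) or has_entitlement(req) else "deny"
    return "deny"
```

Note that the term check lives in the policy, not in the group: the group data says who a TA is, the context says whether the course is running, and only the combination grants. Keeping the decision default-deny means a subject with no matching group and no entitlement is refused even if a rule is later misconfigured to return False instead of raising.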

Slide 8: Big picture, without Grouper/Signet (diagram)

Slide 9: Filling the gap (diagram)
Identity Management, fed by HR and SIS Courses and released via Shib, carries the Professor's attributes (Affiliation: faculty; Instructor: CS-313) to the consuming systems: CourseWare (CS-313 grades; rule "allow CS-313"), the Library (CompSci resources; rules "allow CS teaching", "allow CS affiliates") and an External Partner. The gap: the Professor asks "What about my TAs? ... my auditors? ... extensions/makeup?"

Slide 10: Extending Course infrastructure (diagram)
Same flow as slide 9, with Grouper added to Identity Management: a group Class:CS-313:TA is maintained in Grouper, and the isMemberOf: CS-313 attribute released via Shib is the union (U =) of the SIS course data and that Grouper-managed group, so CourseWare (CS-313 grades), the Library (CompSci resources) and the External Partner see the TAs without any change to their own rules.

Slide 11: Privilege management (diagram)
Identity Management (affiliations: faculty, staff, student, guest; released via Shib) is extended by Signet, which holds fine-grained privileges for named subjects that affiliations alone cannot express. Sample subjects: Marin Alsop, Marc Crawford, James Billington. Sample privileges: special_collections (manuscripts, view), (king_papers, copy); printing (max100); athletic (golf_course); facilities (pool, after5); blackboard (music103); music (practice_room). Consuming systems shown with the affiliations they admit: Athletic Facilities (faculty, staff, student, guest), Printing (staff, guest), Blackboard (student, guest).

Slide 12: uPortal specific permissions (diagram)
Identity Management (Affiliation: temp; sponsored guest; released via Shib) is extended by Signet. A Portal Admin assigns uPortal privileges such as tab_admin(module3), uportal_access(level1) and admin; a uPortal Dept Admin assigns tab_admin(module8). Assignments carry lifecycle conditions: "as long as 'staff'" and an expiration date.

Slide 13: Big picture, without Grouper/Signet (diagram)

Slide 14: Big picture (diagram)

Slide 15: Signet & Grouper Overview

Slide 16: Grouper
- Middleware software/toolkit: user access through a common UI, program access through a common API
- Defines a "Groups Registry" that brings scattered, duplicative groups together for re-use
- Allows useful actions on these groups: group math, group nesting, exclusion criteria
- Hierarchical name-space (name stems & substems)
- Can leverage existing group information
- Supports the creation of new groups by schools, departments, and individuals
- Distributed/delegated model of control

Slide 17: Signet
- Middleware software/toolkit: user access through a common UI, program access through a common API
- Brings privilege information together in one place, a "Privilege Registry"
- Central granting, which can apply across multiple systems
- Central reporting, history, auditing, review
- Accessible to managers AND holders of privileges
- Independent of specific vendors, systems, releases or technologies
- Distributed/delegated model of control

Slide 18: Shared Subject API
- Subject: a person, group, application, or other type of object whose identity is managed by your IAM system
- Abstracts the underlying technology and data model away from a relying application
- Source Adapters identify the attributes/columns distinguished as "subjectID", "name" and "description", and specify back-end-specific searches for each subject type and each search method: select, search by identifier, search

Slide 19: Grouper Overview
- A mix of manual and automated processes manages a common Groups Registry, stored in an RDBMS
- Automated processes provision information from the Groups Registry into LDAP, AD, directly into application-specific databases, or wherever the value of the information warrants spending the resources to place it there
- Two types of managed objects: groups and naming stems; groups are created and named within a naming stem
- Group management authority is delegatable, by group or by naming stem

Slide 20: Grouper Groups
- Any "subject" can be a group member or privilegee: persons, groups, site-defined subject types
- Uses the Subject API developed jointly by the Grouper and Signet teams
- Subgroups (now), composite groups (v1.0), and aging (v1.1) of groups and memberships
- Privileges: ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
- The group attribute set can be site-extended

Slide 21: Naming Stems
- Groups are created within naming stems; this limits the authority to create and name groups, and lets distinct activities run under their own authority
- Naming stems can be arranged hierarchically, e.g., uc, uc:nsit, uc:nsit:labs
- Privileges:
  STEM: create subordinate naming stems; assign privileges for this naming stem
  CREATE: create groups within this naming stem

Slide 22: Composite Groups
- Membership is defined by composing the memberships of two other groups:
  A = B ∪ C   union
  A = B ∩ C   intersection
  A = B – C   relative complement
- Common use: "tweak" existing groups, e.g., factor a whitelist or blacklist into another group

Slide 23: Example: Computer Cluster Access
nsit:labs:eligible (manual) is composed from:
- nsit:labs:whitelist (manual)
- uc:faculty (auto)
- uc:staff (auto)
- categories of entitled students (auto)
- time-dependent student categories (auto)
nsit:labs:barred (manual) is composed from:
- nsit:labs:blacklist (manual)
- categories of barred students (auto)
Allow access if in (nsit:labs:eligible – nsit:labs:barred)

Slide 24: Systems Integration
- API
- XML Import/Export Tool: snapshots the Groups Registry, including naming stems and privileges, at any of these granularities: a single group; all groups subordinate to a specified naming stem; all groups matching a search condition; the entire Registry

Slide 25: uPortal - Grouper Example: Managing e-Reserves
- Task: some library staff can manage e-Reserves (a group of some 100 members)
- The library knows who they are, so let's delegate management of the group to them
- Well...

Slide 26: Example: Managing e-Reserves
- With uPortal today, the privilege to manage groups is simply on or off for a given person
- Delegating group management to library staff would give them authority over all groups
- So instead, a central IT staff person manages the e-Reserves group membership

Slide 27: Example: Managing e-Reserves
If uPortal used Grouper:
- Create a library "stem"
- One assignment by central IT staff to a library staff member gives them the "stem" privilege over the library stem
- They in turn create an e-Reserves group under that stem and manage its membership
- And the Grouper UI gives them a good way to do that
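A miniature groups registry, added here as a worked example of the Grouper concepts on slides 19 through 23 (naming stems, STEM/CREATE and ADMIN/UPDATE/READ privileges, subgroups, composite groups) and of the two scenarios on slides 23 and 25 through 27 (the cluster-access composite and the e-Reserves delegation). This is illustrative code written for this page, not Grouper's own code or API; every stem, group, subject and privilege name is constructed and assumed for illustration.

```python
"""Added example, not Grouper's own code: a miniature Groups Registry that
models the concepts on slides 19-23 (groups, naming stems, STEM/CREATE and
ADMIN/UPDATE/READ privileges, subgroups, composite groups) and walks through
the computer-cluster example of slide 23 and the e-Reserves delegation of
slides 25-27. Stem, group and subject names are constructed for
illustration; the real Grouper API is different.
"""


class Registry:
    """Stems and groups keyed by full hierarchical name ('uc:nsit:labs')."""

    def __init__(self, root_admin):
        # "" is the root stem; whoever holds STEM there can delegate everything.
        self.stems = {"": {root_admin: {"STEM", "CREATE"}}}   # stem -> {subject: privs}
        self.groups = {}                                       # name -> group record

    # ---- authority -------------------------------------------------------
    def has_stem_priv(self, actor, stem, priv):
        """A privilege held on a stem covers every stem and group beneath it."""
        while True:
            if priv in self.stems.get(stem, {}).get(actor, set()):
                return True
            if stem == "":
                return False
            stem = stem.rpartition(":")[0]

    @staticmethod
    def _require(ok, reason):
        if not ok:
            raise PermissionError(reason)

    def add_stem(self, actor, name):
        parent = name.rpartition(":")[0]
        self._require(parent in self.stems, f"no stem '{parent}'")
        self._require(self.has_stem_priv(actor, parent, "STEM"), f"{actor} lacks STEM on '{parent}'")
        self.stems[name] = {}

    def grant_stem_priv(self, actor, stem, grantee, priv):
        self._require(self.has_stem_priv(actor, stem, "STEM"), f"{actor} lacks STEM on '{stem}'")
        self.stems[stem].setdefault(grantee, set()).add(priv)

    def add_group(self, actor, name, composite=None):
        """composite = (op, left, right), op in union / intersection / complement."""
        parent = name.rpartition(":")[0]
        self._require(parent in self.stems, f"no stem '{parent}'")
        self._require(self.has_stem_priv(actor, parent, "CREATE"), f"{actor} lacks CREATE on '{parent}'")
        self.groups[name] = {"members": set(), "composite": composite,
                             "privs": {actor: {"ADMIN", "UPDATE", "READ"}}}   # creator is ADMIN

    def add_member(self, actor, group, member):
        g = self.groups[group]
        self._require(g["privs"].get(actor, set()) & {"ADMIN", "UPDATE"}, f"{actor} lacks UPDATE on '{group}'")
        self._require(g["composite"] is None, "a composite group has no direct members")
        g["members"].add(member)

    # ---- membership resolution -------------------------------------------
    def members(self, group):
        """Effective members: direct members, subgroups expanded, composites evaluated."""
        g = self.groups[group]
        if g["composite"]:
            op, left, right = g["composite"]
            l, r = self.members(left), self.members(right)
            return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
        result = set()
        for m in g["members"]:
            result |= self.members(m) if m in self.groups else {m}   # a group is itself a subject
        return result


def cluster_access_demo():
    """Slide 23: allow access if in (nsit:labs:eligible - nsit:labs:barred).
    A composite takes two groups, so the feeder groups are combined in steps."""
    r = Registry("sysadmin")
    for s in ("uc", "nsit", "nsit:labs"):
        r.add_stem("sysadmin", s)
    direct = {"uc:faculty": {"prof"}, "uc:staff": {"admin"},                 # constructed
              "nsit:labs:whitelist": {"visitor"}, "nsit:labs:blacklist": {"prof"},
              "nsit:labs:barred_students": set()}
    for name, people in direct.items():
        r.add_group("sysadmin", name)
        for p in people:
            r.add_member("sysadmin", name, p)
    r.add_group("sysadmin", "nsit:labs:entitled", ("union", "uc:faculty", "uc:staff"))
    r.add_group("sysadmin", "nsit:labs:eligible", ("union", "nsit:labs:entitled", "nsit:labs:whitelist"))
    r.add_group("sysadmin", "nsit:labs:barred", ("union", "nsit:labs:blacklist", "nsit:labs:barred_students"))
    r.add_group("sysadmin", "nsit:labs:access", ("complement", "nsit:labs:eligible", "nsit:labs:barred"))
    return r.members("nsit:labs:access")        # prof is eligible but blacklisted


def ereserves_demo():
    """Slides 25-27: central IT grants STEM on a 'library' stem once; library staff
    then create and manage the e-Reserves group themselves, and nothing else."""
    r = Registry("central_it")
    r.add_stem("central_it", "library")
    r.grant_stem_priv("central_it", "library", "librarian", "STEM")
    r.grant_stem_priv("librarian", "library", "librarian", "CREATE")   # STEM lets them assign privs here
    r.add_group("librarian", "library:ereserves")
    r.add_member("librarian", "library:ereserves", "ereserves_editor")
    try:                                          # the delegation is bounded by the stem
        r.add_stem("librarian", "registrar")
        outside_denied = False
    except PermissionError:
        outside_denied = True
    return r.members("library:ereserves"), outside_denied
```

The point of the e-Reserves walk-through is the one line of delegation: central IT grants STEM on "library" and never touches the group itself, while the same librarian is refused a stem at the root. The cluster example shows why composites are computed at read time: changing nsit:labs:blacklist changes nsit:labs:access without anyone editing the access group.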

Slide 28: uPortal - Grouper Example: Institutional Affiliations
- Tabs in UW-Madison's uPortal install are specific to broad institutional affiliations (read: groups): Student, Faculty, Staff, Advisor, ...
- But it's not only the portal that cares about membership in these affiliations
- Best to manage them as part of the shared infrastructure via Grouper
- Loaders from Systems of Record populate the groups (a single integration point for them)
- uPortal and other applications consume them as needed

Slides 29-30: Reuse of subject info maintained by Grouper & Signet (diagram)
Grouper and Signet feed the same subject information to uPortal, the Library and the LMS.

Slide 31: Signet Overview
- Analysts define privileges in functional terms and specify the associated system-level permissions
- Signet presents this functional view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority
- Signet internally maps assigned privileges into the system-specific terms needed by applications
- Privileges are exported, transformed, and provisioned into applications and infrastructure services
- Signet provides automated lifecycle controls

Slide 32: Privileges Building Blocks
Functional view: Subsystems, Categories, Functions, Scope, Limits, Prerequisites & Conditions
System view: Permissions (Subject, Action, Resource)

Slide 33: Functional View
Subsystems contain:
- Categories: a useful arrangement of functions within a subsystem, for reporting and ease of use
- Functions: the things a person can do; what they are getting privileges for
- Scope: the organizational hierarchy governing distributed delegation
- Limits: qualifiers and constraints on a privilege

Slide 34: Functional View (diagram)
Two example subsystems. Clinical Trial: Protocol A, Patient Records, Materials Control, Manage Grant, Lab Access Admin. Student Admin: Course Support (Add/Drop students, Schedule Classes), Process Applicants, Financial Aid (Award Scholarships, Manage Accounts). Example limits: which term, from fund..., read/write, hours, for school..., for fund..., which campus, qty/day, $ constraints. Categories organize the functions (actions).

Slide 35: Systems View
- Permissions: atomic units of control that map to specific access rules in systems; they include limits that must be evaluated when interpreting the permission
- Resources: the target of a specific privilege; things that have access rules controlling their use

Slide 36: Functional View → Permissions (diagram)
Functional view, Student Admin subsystem: categories and functions Course Support (Add/Drop students, Schedule Classes), Process Applicants, Financial Aid (Award Scholarships, Manage Accounts). Resources/Permissions they map to: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room, on resources Calendar, Course, Facilities, Financial, Student.

Slide 37: Systems Integration
- Privilege Management Java API
- Permissions document: an XML representation of the privileges held by an individual or group, for provisioning privilege data into applications; will be compatible with XACML

Slide 38: Privileges Lifecycle
- Conditions provide automatic revocation of privileges: date controls (from date, until date); will also be based on the person's status, affiliation, etc., e.g., as long as the person is at Stanford
- Prerequisites: pre-conditions that must be met to activate privileges, e.g., training

Slide 39: Other features
- Assignments can be to an individual or to a group, with or without the ability to further delegate
- Distributed delegation using the organizational hierarchy; records the "chain of command"
- Proxy assignment: temporary granting of one's privilege to another

Slide 40: Privilege Elements by Example
  By authority of the Dean                 grantor
  principal investigators                  grantee (group/role)
  who have completed training              prerequisite
  can approve purchases                    function
  in the School of Medicine                scope
  for research projects                    resource
  up to $100,000                           limit
  until January 1, 2007                    conditions (privilege lifecycle)
  as long as a faculty member at ...       conditions (privilege lifecycle)
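The slide-40 assignment evaluated end to end, as an added worked example (illustrative code written for this page, not Signet's own code or API). It checks the lifecycle elements of slides 38 through 40 (grantee group, prerequisite, affiliation condition, until date, scope, limit) for a concrete request, then renders the active assignment in the system view of slides 35 through 37 as the permissions to provision. The subject records, the org hierarchy and the function-to-permission mapping are constructed and assumed; the output is a plain Python structure standing in for the XML permissions document.

```python
"""Added example, not Signet's own code: evaluates one Signet-style privilege
assignment, the slide-40 example (grantor, grantee group, prerequisite,
function, scope, resource, limit, date and affiliation conditions), and
renders the result in the system view of slides 35-37 as the permissions
to provision. Subject records, the org hierarchy and the function-to-
permission mapping are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Assignment:
    grantor: str
    grantee: str             # an individual or a group (slide 39)
    function: str
    scope: str               # node of the organizational hierarchy
    resource: str
    limit: int               # dollar cap
    prerequisites: frozenset
    until: date              # "until" date control: no longer effective from this date
    affiliation: str         # condition: "as long as a faculty member"


# Slide 40 rendered as data.
DEAN_TO_PIS = Assignment(
    grantor="dean", grantee="med:principal_investigators", function="approve_purchases",
    scope="medicine", resource="research_projects", limit=100_000,
    prerequisites=frozenset({"training"}), until=date(2007, 1, 1), affiliation="faculty")

# What a Subject API source would supply about each person (constructed).
SUBJECTS = {
    "pi_jones": {"groups": {"med:principal_investigators"}, "affiliations": {"faculty"},
                 "completed": {"training"}},
    "pi_smith": {"groups": {"med:principal_investigators"}, "affiliations": {"faculty"},
                 "completed": set()},
    "former_pi": {"groups": {"med:principal_investigators"}, "affiliations": {"alumni"},
                  "completed": {"training"}},
}
# Organizational hierarchy used for scope (slide 33): child -> parent (constructed).
ORG_PARENT = {"medicine:cardiology": "medicine", "medicine": "university",
              "engineering": "university", "university": None}
# Functional view -> system view (slide 36): a function maps to system permissions.
FUNCTION_PERMISSIONS = {
    "approve_purchases": [("financial", "view_fund_data"), ("financial", "update_fund_data")],
}


def in_scope(unit, scope):
    """True if `unit` is `scope` or lies beneath it in the org hierarchy."""
    while unit is not None:
        if unit == scope:
            return True
        unit = ORG_PARENT.get(unit)
    return False


def evaluate(asg, subject, today, unit, amount):
    """Lifecycle and limit checks from slides 38-40. Returns (effective, reason)."""
    s = SUBJECTS[subject]
    if asg.grantee != subject and asg.grantee not in s["groups"]:
        return False, "not the grantee"
    if not asg.prerequisites <= s["completed"]:
        return False, "prerequisite not met"
    if asg.affiliation not in s["affiliations"]:
        return False, "condition failed: affiliation"
    if today >= asg.until:
        return False, "expired"
    if not in_scope(unit, asg.scope):
        return False, "outside scope"
    if amount > asg.limit:
        return False, "over limit"
    return True, "ok"


def permissions_document(asg, subject, today):
    """System view to provision for one subject: the permissions the function maps
    to, each carrying the limit the consuming system must still enforce (slide 35).
    Empty if the assignment is not active for this subject today."""
    active, _ = evaluate(asg, subject, today, asg.scope, 0)
    if not active:
        return []
    return [{"subsystem": sub, "permission": perm, "resource": asg.resource,
             "scope": asg.scope, "limit": asg.limit}
            for sub, perm in FUNCTION_PERMISSIONS[asg.function]]
```

Two design points worth noticing. The limit travels with the provisioned permission rather than being decided centrally, because only the purchasing system sees the amount of a particular transaction (slide 35's "limits that must be evaluated when interpreting permissions"). And the affiliation condition is re-evaluated from current subject data at each check, which is what makes "as long as a faculty member" an automatic revocation rather than a reminder to someone.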


Slide 43: Signet & Grouper Roadmaps
Now available:
- Grouper v0.9: UI & API source release
- Signet 1.0: UI, binary release
- Subject API v0.1b
Signet roadmap:
- v1.1, Summer 2006: full API source release, rules processor
Grouper roadmap:
- v1.0, July 2006: group math
- v1.1, September 2006: group & membership aging
Subject API roadmap:
- v1.0, ? 2006: minor changes, updates to the reference implementations

Slide 44: Resources & Participation
- Grouper team: University of Chicago & University of Bristol, http://grouper.internet2.edu
- Signet team: Stanford University, http://signet.internet2.edu
- Internet2 Middleware Initiative, http://middleware.internet2.edu/: documents, software, cvs; details for subscribing to mailing lists; conference call agendas & dialing instructions

