Signet and Grouper for Distributed Attribute Administration


1 Signet and Grouper for Distributed Attribute Administration
Tom Barton, University of Chicago

2 Group and Privilege Management
Groups
  Who someone is (identity)
  Populations sharing a common characteristic
  Organizational role, departmental, personal
Privileges
  What someone can do (permissions)
  Subject, action, resource, context
Exploring Grouper and Signet…
  Groups for eligibility & authorization
  Privileges, policy & permissions
GGF15

3 Identity & Access Management Reality
Each person's online activities are shaped by many Sources of Authority (SoAs)
  Institutional policy making bodies
  Resource managers
  Program/activity/project heads
  Self
Management of the information it conveys should be distributed
  Hook up all of those SoAs to the middleware
Common IAM infrastructure should be operated centrally
  To not oblige departments/programs/activities/projects to build & operate their own IAM infrastructure

4 Connecting SoAs, Integrating with Existing Infrastructure
(Diagram slide; no transcript text.)

5 Relative Roles of Signet & Grouper
RBAC model
  Users are placed into groups (aka "roles")
  Privileges are assigned to groups
  Groups can be arranged into hierarchies to effectively bestow privileges
Grouper manages, well, groups
Signet manages privileges
Separates responsibilities for groups & privileges

6 Grouper Overview
Mix of manual and automation processes manage a common Group Registry
  Stored in an RDBMS
Automation processes provision info from the Group Registry to wherever the value of the info warrants spending the resources to place it there
Two types of managed objects: groups and namespaces (or "naming stems")
  Groups are created & named within namespaces
Group management authority is delegatable
  By group or by namespace

7 Grouper Architecture
(Diagram slide; no transcript text.)

8 Grouper Groups
Any "subject" can be a group member or privilegee
  Persons, groups, site-defined subject types
  Uses Subject API developed by Grouper+Signet teams
Subgroups (now), compound groups (v1.0), and aging (v1.1) of groups and memberships
Privileges
  ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
Group attribute set can be site-extended

9 Grouper Namespaces
Groups are created within namespaces
  Limits the authority to create and name groups
  Support distinct activities with own authority
Namespaces can be arranged hierarchically
Privileges
  STEM – create subordinate namespaces; assign privs for this namespace
  CREATE – create groups in this namespace

10 Five Ways to Delegate Group Management
1. Create a group and assign someone to manage its membership (UPDATE)
2. Create a group and assign someone to manage who manages the group's membership and who can see what about the group (ADMIN)
3. Create a namespace and assign someone to create groups within it (CREATE)
4. Create a namespace and assign someone to manage who can create groups within it (STEM)
5. Allow Self to OPTIN or OPTOUT of membership
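The five delegation patterns above, worked through in a small in-memory model. This is an added example, not Grouper's own code or API: the registry, the subject names and the rule that whoever creates a group or namespace receives ADMIN or STEM on it are assumptions of the model, and, to follow the slides literally, STEM does not imply CREATE and ADMIN does not imply UPDATE, so authority must be delegated explicitly at every step.

```python
"""Toy model of Grouper-style delegated group management (added example, not Grouper code)."""
from dataclasses import dataclass, field

STEM_PRIVS = {"STEM", "CREATE"}                              # privileges on namespaces
GROUP_PRIVS = {"ADMIN", "UPDATE", "READ", "VIEW", "OPTIN", "OPTOUT"}  # privileges on groups


@dataclass
class Registry:
    stems: dict = field(default_factory=dict)    # stem name -> parent stem (None at the root)
    groups: dict = field(default_factory=dict)   # group name -> stem it was created in
    privs: dict = field(default_factory=dict)    # (object, privilege) -> set of subjects
    members: dict = field(default_factory=dict)  # group name -> set of members

    def has(self, obj, priv, subject):
        return subject in self.privs.get((obj, priv), set())

    def _grant(self, obj, priv, subject):
        allowed = STEM_PRIVS if obj in self.stems else GROUP_PRIVS
        if priv not in allowed:
            raise ValueError(f"{priv} is not a privilege on {obj}")
        self.privs.setdefault((obj, priv), set()).add(subject)

    def root_stem(self, name, owner):
        """Bootstrap: the root namespace and its first STEM holder (assumed setup step)."""
        self.stems[name] = None
        self._grant(name, "STEM", owner)

    def delegate(self, actor, obj, priv, subject):
        """Only STEM (on a namespace) or ADMIN (on a group) may hand out privileges."""
        needed = "STEM" if obj in self.stems else "ADMIN"
        if not self.has(obj, needed, actor):
            raise PermissionError(f"{actor} lacks {needed} on {obj}")
        self._grant(obj, priv, subject)

    def create_stem(self, actor, parent, name):
        if not self.has(parent, "STEM", actor):
            raise PermissionError(f"{actor} lacks STEM on {parent}")
        self.stems[name] = parent
        self._grant(name, "STEM", actor)   # creator administers the new namespace (assumption)

    def create_group(self, actor, stem, name):
        if not self.has(stem, "CREATE", actor):
            raise PermissionError(f"{actor} lacks CREATE on {stem}")
        self.groups[name] = stem
        self.members[name] = set()
        self._grant(name, "ADMIN", actor)  # creator administers the new group (assumption)

    def add_member(self, actor, group, subject):
        """UPDATE holders manage membership; a subject with OPTIN may add only itself."""
        if self.has(group, "UPDATE", actor) or (actor == subject and self.has(group, "OPTIN", subject)):
            self.members[group].add(subject)
            return
        raise PermissionError(f"{actor} may not add {subject} to {group}")

    def remove_member(self, actor, group, subject):
        if self.has(group, "UPDATE", actor) or (actor == subject and self.has(group, "OPTOUT", subject)):
            self.members[group].discard(subject)
            return
        raise PermissionError(f"{actor} may not remove {subject} from {group}")


def denied(fn, *args):
    """True if the registry refused the operation (used to show the negative cases)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo():
    # Constructed subjects and names; they do not come from the presentation.
    r = Registry()
    r.root_stem("uchicago", "central-it")
    r.create_stem("central-it", "uchicago", "uchicago:biology")
    # Way 4: STEM lets bio-admin decide who may create groups in the biology namespace.
    r.delegate("central-it", "uchicago:biology", "STEM", "bio-admin")
    # Way 3: bio-admin hands out CREATE without involving central IT again.
    r.delegate("bio-admin", "uchicago:biology", "CREATE", "lab-head")
    g = "uchicago:biology:lab-members"
    r.create_group("lab-head", "uchicago:biology", g)
    # Ways 1 and 2: the group ADMIN delegates membership updates and read access.
    r.delegate("lab-head", g, "UPDATE", "lab-secretary")
    r.delegate("lab-head", g, "READ", "lab-secretary")
    r.add_member("lab-secretary", g, "postdoc1")
    # Way 5: self-service join via OPTIN.
    r.delegate("lab-head", g, "OPTIN", "student1")
    r.add_member("student1", g, "student1")
    return {
        "members": sorted(r.members[g]),
        "secretary_cannot_delegate": denied(r.delegate, "lab-secretary", g, "UPDATE", "postdoc1"),
        "student_cannot_add_others": denied(r.add_member, "student1", g, "friend"),
        "lab_head_cannot_create_stems": denied(r.create_stem, "lab-head", "uchicago:biology", "uchicago:biology:x"),
        "stem_does_not_imply_create": denied(r.create_group, "central-it", "uchicago:biology", "uchicago:biology:y"),
    }


if __name__ == "__main__":
    print(demo())
```

The negative cases are the point: UPDATE lets the secretary edit membership but not re-delegate it, OPTIN lets a student add only himself, and CREATE on a namespace says nothing about creating sub-namespaces, so each authority stays as narrow as the person who delegated it intended.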

11 Signet Overview
Analysts define privileges in Signet in functional terms and specify associated permissions
Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority
Signet internally maps assigned privileges into system-specific terms needed by applications
  Stored in an RDBMS, the Privilege Registry
Privileges are published as XML docs, transformed, & provisioned into applications and infrastructure services

12 Privileges Building Blocks
Functional view
  Subsystems
  Categories
  Functions
  Scope, Limits
  Prerequisites & Conditions
System view
  Permissions
    Subject
    Action
    Resource

13 Signet Components: Subsystems
(Diagram: Signet (Privilege Registry) and Grouper (Group Registry) alongside example subsystems: Financial system, Student Administration, HR system, Network access management, Research administration, Clinical resources, XYZGrid.)
Subsystems
  Define domains of ownership and responsibility
  Reflect real world boundaries
  Can be large or small

14 Functional View
Subsystems contain…
  Functions – the things a person can do; what they are getting privileges for.
  Categories – provide useful arrangement of functions within a subsystem; for reporting, ease of use.
  Limits – qualifiers, constraints for a privilege.
  Scope – organizational hierarchy governing distributed delegation.

15 Functional View: Permissions
(Diagram: the Student Admin subsystem in the functional view, with categories Calendar, Course Support, Facilities, Financial Aid and Student; functions such as Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships and Manage Accounts; and the resources/permissions reserve_time, view_schedules, update_course_data, reserve_room, view_fund_data, update_fund_data, student_records and applicant_data.)

16 Provisioning Permissions into Applications (connectors)
(Diagram: the permissions reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data and reserve_room, grouped under Calendar, Course, Facilities, Financial and Student, are published as <Privileges> <Subject> <Permission> XML and delivered through connectors to the Calendar, CourseWare, Financials or Reporting API, Space Mgmt and Student applications.)

17 Provisioning Permissions into Infrastructure (LDAP)
(Diagram: the same permissions, grouped under Calendar, Course, Facilities, Financial and Student, are published as eduPersonEntitlement values in the Directory, from which Calendar, CourseWare, Financials, Reporting, Space Mgmt and Student read them.)

18 Privileges Lifecycle
Conditions
  Provide automatic revocation of privileges
  Date controls – from date, until date
  Based on person's status, affiliation, etc.; e.g., as long as person is at Stanford
Prerequisites
  Pre-conditions that must be met to activate privileges; e.g., training

19 Privilege Elements by Example
By authority of the UPCI IRB (grantor)
UPCI Researchers (grantee – group/role)
who have an approved UPCI IRB protocol (prerequisite)
can access de-identified data and order tissue (function)
from the network of caTIES participants (scope)
for Study HD7687 (resource)
up to 100 patients (limit)
until January 1, 2006, as long as approved for material transfer… (conditions – privilege lifecycle)
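The privilege above, together with the lifecycle rules of slide 18, as an added example that is not Signet's own code or data model. It evaluates one assignment against a subject and a date and reports whether the privilege is not granted (subject not in the grantee group), pending (prerequisite unmet), revoked (date window or condition failed) or active, and for an active privilege produces the system-view permissions that would be provisioned. The predicate names, the subject attributes they test, the permission strings, the state names and the inclusive reading of the until date are all assumptions; the limit is carried with the privilege but enforcing it is left to the application.

```python
"""Signet-style privilege evaluation with prerequisites and conditions (added example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Subject:
    uid: str
    groups: set    # memberships as delivered from the Group Registry
    facts: dict    # attributes that prerequisites and conditions can test


@dataclass
class Privilege:
    grantor: str
    grantee: str                    # group/role that receives the privilege
    function: str
    scope: str
    resource: str
    limit: dict
    prerequisites: list             # (name, predicate): must hold before activation
    conditions: list                # (name, predicate): must keep holding, else revocation
    from_date: Optional[date] = None
    until_date: Optional[date] = None       # inclusive (assumption)
    permissions: list = field(default_factory=list)  # system view: (action, resource)


def evaluate(priv, subject, today):
    """Return (state, reasons); state is 'not-granted', 'pending', 'revoked' or 'active'."""
    if priv.grantee not in subject.groups:
        return "not-granted", [f"{subject.uid} is not in {priv.grantee}"]
    unmet = [name for name, pred in priv.prerequisites if not pred(subject)]
    if unmet:
        return "pending", [f"prerequisite not met: {n}" for n in unmet]
    reasons = []
    if priv.from_date and today < priv.from_date:
        reasons.append("from date not reached")
    if priv.until_date and today > priv.until_date:
        reasons.append("until date passed")
    reasons += [f"condition failed: {n}" for n, pred in priv.conditions if not pred(subject)]
    return ("revoked", reasons) if reasons else ("active", [])


def provision(priv, subject, today):
    """System view of an active privilege: 'action:resource' strings for a connector or LDAP."""
    state, _ = evaluate(priv, subject, today)
    if state != "active":
        return []
    return [f"{action}:{resource}" for action, resource in priv.permissions]


def caties_privilege():
    """The slide's example privilege; predicate names and permission strings are constructed."""
    return Privilege(
        grantor="UPCI IRB",
        grantee="UPCI Researchers",
        function="access de-identified data and order tissue",
        scope="network of caTIES participants",
        resource="Study HD7687",
        limit={"patients": 100},
        prerequisites=[("approved UPCI IRB protocol",
                        lambda s: s.facts.get("irb_protocol_approved", False))],
        conditions=[("approved for material transfer",
                     lambda s: s.facts.get("material_transfer_approved", False))],
        until_date=date(2006, 1, 1),
        permissions=[("access_deidentified_data", "study:HD7687"),
                     ("order_tissue", "study:HD7687")],
    )


def demo():
    # Constructed subjects; not people from the presentation.
    priv = caties_privilege()
    ok = {"irb_protocol_approved": True, "material_transfer_approved": True}
    alice = Subject("alice", {"UPCI Researchers"}, ok)
    bob = Subject("bob", {"UPCI Researchers"}, {"material_transfer_approved": True})
    carol = Subject("carol", set(), ok)
    alice_later = Subject("alice", {"UPCI Researchers"}, {"irb_protocol_approved": True})
    on = date(2005, 10, 5)
    return {
        "alice": evaluate(priv, alice, on)[0],
        "alice_perms": provision(priv, alice, on),
        "bob": evaluate(priv, bob, on)[0],
        "carol": evaluate(priv, carol, on)[0],
        "alice_2006": evaluate(priv, alice, date(2006, 1, 2)),
        "alice_transfer_withdrawn": evaluate(priv, alice_later, on),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Re-running evaluate on a schedule is what turns the conditions into automatic revocation: the moment the until date passes or the material-transfer approval disappears from the subject's facts, provision returns nothing and the next provisioning pass removes the permission from the application or directory.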

20 The duck test…
Grouper
  Binary info – you're either in some list or not
  Identity- or affiliation-based access control or distribution
  Identification layer of an encompassing access management scheme
  Locally tweak or combine other groups
Signet
  Structured, qualified info – limits, conditions, scope, …
  Oriented to individuals rather than roles
  Human judgment and chain of authority essential for access decisions
  Enable functional, not just technical, people to manage privileges
  Supports policy control closer to source of authority
  Audit requirements

21 Signet & Grouper Roadmaps
Now available
  Grouper v0.6 – basic group management, full GUI
  Demo release of Signet v0.5 toolkit and UI
Signet Roadmap
  v0.6, early October 2005 – designated drivers, history
  v1.0, late November 2005 – lifecycle conditions, XML
  v1.1 – Toolkit / API release
Grouper Roadmap
  v0.9, mid-November – internal refactoring, some enhancement
  v1.0, mid-January 2006 – compound groups
  v1.1, mid-March 2006 – group & membership aging

22 Attribute Management & Delivery: Affiliation, Privilege, & Privacy
(Diagram labels: a directory entry with uid: jdoe, eduPersonAffiliation: …, isMemberOf: …, eduCourseMember: …, eduPersonEntitlement: …; Core Business Systems (SIS, HR) feeding the Person Registry through Loaders; the Group Registry (Grouper) and the Privilege Registry (Signet), both using the Subject API and managed by Distributed Authorities (ERMs / Self); LDAP; Shibboleth/GridShib Attribute Authority with Attribute Release Policies (ShARPe) and the Attribute Authority Library.)

23 Distributed Authorities
(Diagram labels: Grid user; Session authentication credential; Attribute Authority; Authorities: Home Org, Affiliated Org, Virtual Org, each running Signet and Grouper; Grid Service.)

24 shibecho output
$ ./bin/shibecho -s
Response:
SAMLAttribute {
  name='urn:mace:dir:attribute-def:eduPersonAffiliation'
  namespace='urn:mace:shibboleth:1.0:attributeNamespace:uri'
  value #1 ='member'
  notBefore=' T13:47:44Z'
  notOnOrAfter=' T14:17:44Z'
}
SAMLAttribute {
  name='urn:mace:uchicago.edu:attribute-def:ismemberof'
  value #1 ='vo:xyzgrid:members'
}

