Presentation is loading. Please wait.

Presentation is loading. Please wait.

Penn Groups PennGroups Central Authorization System June 2009.

Published byGilbert Johnson Modified over 9 years ago

Similar presentations

Presentation on theme: "Penn Groups PennGroups Central Authorization System June 2009."— Presentation transcript:

1 Penn Groups PennGroups Central Authorization System June 2009

2 Penn Groups  PennGroups is derived from the Internet2 open source Grouper initiative  Has been adopted and deployed at many other universities (Brown, Cornell, Yale)  Penn has a programmer on the Grouper development team to enhance the baseline product (UI, web services, SQL loaded groups) – Better meets the needs of Penn – Provides additional useful functionality to other grouper users  PennGroups will be managed by ISC-Data Administration – Transition from dev team and definition of service level is in progress  There is no additional charge to use PennGroups including consulting from ISC 10/5/2015 Central Authorization at the University of Pennsylvania2 PennGroups

3 Penn Groups  Open source group management  Internet2 has been working on group management for 8 years  Generally used in educational institutions, but could be anywhere  Funded by Internet2 Internet2 Grouper 10/5/2015 University of Pennsylvania3

4 Penn Groups  Instead of apps managing own groups  Reuse group lists  Central place to see which groups a person is in  Central auditing of group and membership actions  Central management of authorization  Security: – Who can view/edit groups and memberships – Opt-in/Opt-out – Delegate authority  Automatic or manual membership management  Composite groups for group match: and / or / minus  Groups of groups Why use PennGroups? 10/5/2015 University of Pennsylvania4

5 Penn Groups How It Works  Authorization by application  After authentication the application can interrogate PennGroups for access to group membership data – Web services – LDAP  Changes to group membership are reflected automatically and propagate to the application dynamically 10/5/2015 Central Authorization at the University of Pennsylvania5

6 Penn Groups  Two modes for creating and managing groups – Automated Web services - build and run a query from your data store and send group membership information to PennGroups via the web service API SQL loaded groups– Configure a SQL query within the PennGroups UI to run on a scheduled basis to modify group membership – Manual UI – log onto the PennGroups UI to manually manage your group membership –You cannot manually add members to or remove members from a group that is managed in an automated fashion –You can simulate this with include/exclude composite groups 10/5/2015 Central Authorization at the University of Pennsylvania6 Managing PennGroups

7 Penn Groups 10/5/2015 Central Authorization at the University of Pennsylvania7 PennGroups Hierarchy

8 Penn Groups PennGroups in a Decentralized Environment  When School/Center is integrating with PennGroups – LSP (local support provider)/ application developer contacts ISC: penngroups-help@lists.upenn.edu – LSP/developer and ISC collaborate to: Establish authorization use cases for the specific application Determine access method (LDAP or Web Services) Determine best approach for group creation and maintenance – School/Center fills out access forms – ISC consults with LSP/developer on group hierarchy structure 10/5/2015 Central Authorization at the University of Pennsylvania8

9 Penn Groups  PTO – Paid Time Off – Self service system used to request/track vacation/sick time – Penn Groups provides the flexibility so that the user selects their approver for time off. – Time off can be routed and approved by other than a direct supervisor  Warehouse Apps – Only active employess in certains orgs are allowed to access the application  Secure Share – Can share files with a group of collaborators  Email lists (coming soon)  Facilities Website – Only facilities employees or contractors can access the facilities website 10/5/2015 Central Authorization at the University of Pennsylvania9 Use Cases

10 Penn Groups PennGroups architecture 10/5/2015 Central Authorization at the University of Pennsylvania10

11 Penn Groups Grouper user interface (continued) 10/5/2015 Central Authorization at the University of Pennsylvania11

12 Penn Groups Grouper web services  Penn/Internet2 spent a lot of effort in winter/spring 2008 to help create the Grouper web services  They can be REST or SOAP  They can be simple “Lite” calls, or batched  REST accepts formats: XML, XHTML, JSON, HTTP params  There are a dozen operations exposed, including managing: – Groups – Memberships – Permissions – Folders  Penn uses HTTP credentials sent to kerberos and penn:etc:webServiceUsers group required for authorization 10/5/2015 ISC, ASTT12

13 Penn Groups Grouper web services (continued) 10/5/2015 Central Authorization at the University of Pennsylvania13

14 Penn Groups Grouper web services (continued) 10/5/2015 Central Authorization at the University of Pennsylvania14

15 Penn Groups Grouper web services (continued) 10/5/2015 Central Authorization at the University of Pennsylvania15

16 Penn Groups PennGroups LDAP  There is a Grouper LDAP provisioning connector called LDAPPC, though Penn does not use this  We have some simple triggers in Oracle which add records to a change log  Then a process pulls records off of that table to sends diffs to openLDAP (runs every 10 minutes)  Daily all records are refreshed  Only users in penn:etc:ldapUsers can login to ldap  Users can only read group membership lists they have privileges to read in Grouper 10/5/2015 Central Authorization at the University of Pennsylvania16

17 Penn Groups Grouper client  LDAP and web services are low level  Grouper client exposes Grouper LDAP and web services to a command line API or a Java library  It can also be used to generate custom web service samples (can log requests and responses)  Institutions can customize the client before distributing so the LDAP config is done (e.g. Penn allows ID lookups)  Callers aren’t tied to output, they can tell the client the output format that is expected 10/5/2015 Central Authorization at the University of Pennsylvania17

18 Penn Groups Grouper client (continued) 10/5/2015 Central Authorization at the University of Pennsylvania18

19 Penn Groups Grouper client (continued)  Sample command line web service call: c:\grouper> java -jar grouperClient.jar --operation=getMembersWs --groupNames=aStem:aGroup --outputTemplate=${index}: ${subject.id} 0: 12345 1: 23456 c:\grouper>  Sample Java web service call: WsAddMemberResults wsAddMemberResults = new GcAddMember().assignGroupName("aStem:aGroup").addSubjectId("12345").execute(); 10/5/2015 Central Authorization at the University of Pennsylvania19

20 Penn Groups Grouper loader  Penn contributed the “Grouper loader” in spring 2008  This keeps groups in sync with results of sql queries 10/5/2015 Central Authorization at the University of Pennsylvania20

21 Penn Groups Grouper loader (continued) 10/5/2015 Central Authorization at the University of Pennsylvania21

22 Penn Groups Grouper loader (continued) SQL> select * from authz_employee_active_v where rownum < 10 PENN_ID PENN_NAME ---------- ------------------------ 12345 jsmith 12346 asmith 12347 bsmith 12348 rjohnson 12349 sjohnson 12350 tjohnson 12351 ajones 12352 bjones 12353 cjones 10/5/2015 Central Authorization at the University of Pennsylvania22

23 Penn Groups Grouper loader (continued) 10/5/2015 Central Authorization at the University of Pennsylvania23

24 Penn Groups Grouper loader (continued) SQL> select * from employee_org_groups_v where rownum < 10 SUBJECT_ID GROUP_NAME ---------- ------------------------ 12345penn:community:employee:orgs:employeeOrg123 12346 penn:community:employee:orgs:employeeOrg123 12347 penn:community:employee:orgs:employeeOrg123 12348 penn:community:employee:orgs:employeeOrg124 12349 penn:community:employee:orgs:employeeOrg124 12350 penn:community:employee:orgs:employeeOrg124 12351 penn:community:employee:orgs:employeeOrg128 12352 penn:community:employee:orgs:employeeOrg128 12353 penn:community:employee:orgs:employeeOrg128 10/5/2015 Central Authorization at the University of Pennsylvania24

25 Penn Groups More Information  For technical documentation see the Internet2 Grouper wiki at: – PennGroups site: http://www.upenn.edu/computing/penngroups/ – PennGroups wiki: http://prowiki.isc.upenn.edu/wiki/PennGroups – Grouper product https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+Project – Grouper project https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+Project – Web services info https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+-+Web+Services 10/5/2015 Central Authorization at the University of Pennsylvania25

Download ppt "Penn Groups PennGroups Central Authorization System June 2009."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
1 Integration Made Easy Agile Integration: Connecting Salesforce With Your Enterprise.

1 Integration Made Easy Agile Integration: Connecting Salesforce With Your Enterprise.
PennGroups Intro / HA / UI May 2014. 2 Agenda Introduction to PennGroups (Grouper) Recent use cases Recent improvements in availability –Architecture.

PennGroups Intro / HA / UI May Agenda Introduction to PennGroups (Grouper) Recent use cases Recent improvements in availability –Architecture.
Edoclite and Managing Client Engagements What is Edoclite? How is it used at IU? Development Process?

Edoclite and Managing Client Engagements What is Edoclite? How is it used at IU? Development Process?
SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)

SOFTWARE PRESENTATION ODMS (OPEN SOURCE DOCUMENT MANAGEMENT SYSTEM)
ManageEngine TM Applications Manager 8 Monitoring Custom Applications.

ManageEngine TM Applications Manager 8 Monitoring Custom Applications.
Cornell University Library Instruction Statistics Reporting System Members: Patrick Chen (pyc7) Soo-Yung Cho (sc444) Gregg Herlacher (gah24) Wilson Muyenzi.

Cornell University Library Instruction Statistics Reporting System Members: Patrick Chen (pyc7) Soo-Yung Cho (sc444) Gregg Herlacher (gah24) Wilson Muyenzi.
© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.

© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.
Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases 1234576891011 Copyright Wonderlane Studios.

Effort in hours Duration Over Weeks Or Months Inception Launch Web Lifecycle Methodology Maintenance Phases Copyright Wonderlane Studios.
Make your messaging reliable use it Messaging. A single and global solution Send, receive and process any type of message through the appropriate channel.

Make your messaging reliable use it Messaging. A single and global solution Send, receive and process any type of message through the appropriate channel.
Live Meeting APIs Robert Devine Program Manager Microsoft Corporation.

Live Meeting APIs Robert Devine Program Manager Microsoft Corporation.
©2011 Quest Software, Inc. All rights reserved. Steve Walch, Senior Product Manager Blog: November, 2011 Partner Training Webcast.

©2011 Quest Software, Inc. All rights reserved. Steve Walch, Senior Product Manager Blog: November, 2011 Partner Training Webcast.
Towards Bboogle 3.0.0: a Technical Walkthrough Patricia Goldweic Sr. Software Engineer AR&T, Northwestern University Brian Nielsen Manager, Faculty Support.

Towards Bboogle 3.0.0: a Technical Walkthrough Patricia Goldweic Sr. Software Engineer AR&T, Northwestern University Brian Nielsen Manager, Faculty Support.
“This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”

“This presentation is for informational purposes only and may not be incorporated into a contract or agreement.”
Apereo Grouper Seminar Part 2 – Penn and Grouper Chris Hyzer University of Pennsylvania and Internet2.

Apereo Grouper Seminar Part 2 – Penn and Grouper Chris Hyzer University of Pennsylvania and Internet2.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Electronically approve and create Suppliers in Oracle Financials using a combination of APEX and Oracle Workflow. NZOUG Conference 2010 Brad Sayer Team.

Electronically approve and create Suppliers in Oracle Financials using a combination of APEX and Oracle Workflow. NZOUG Conference 2010 Brad Sayer Team.
Chris Hyzer University of Pennsylvania

Chris Hyzer University of Pennsylvania
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.
Kuali eDoclite and Grouper for access forms workflow at Penn 9-Nov-2010, Kuali Days Chris Hyzer, University of Pennsylvania developer.

Kuali eDoclite and Grouper for access forms workflow at Penn 9-Nov-2010, Kuali Days Chris Hyzer, University of Pennsylvania developer.

Similar presentations

Ads by Google