Slide 1: Grouper
Tom Barton, University of Chicago

Slide 2: Outline (I2MM Spring 2004)
- Grouper's place in the world
- Some Grouper guts
- Deployment scenarios

Slide 3: Core middleware for an integrated architecture

Slide 4: Attribute & group services facilitate ...
- Customization: application UI tailored to the user's affiliation with the organization
- "Lightweight" authorization: groups & attributes in directories
- "Heavyweight" authorization: assignment of structured privileges to groups
- Group messaging, scheduling, & collaboration: departments, courses, programs, committees, teams, ...
- Posix naming services
- ...

Slide 5: Group management issues
- Coordinating many sources of information
- Provisioning groups in multiple locations
- Supporting several styles of access to group membership information
- Maintaining referential integrity
- Aging of groups and of memberships
- Use of subgroups vs. effective membership
- Referring to set-theoretic combinations of groups
- Meeting security, privacy, & visibility requirements
- Grouper will deal with much of this

Slide 6: Grouper in Context

Slide 7: Features in Grouper v1
- Basic group management
- Subgroups & compound groups
- Aging of groups and memberships
- Abstracted interfaces for: Privileges; Subject Lookup; Last Activity
- Signet integration
- Data model supports extensible group types

Slide 8: Grouper roadmap
- 3 phases of Grouper v1 development
  - Basic management and export functions
  - Compound groups & Signet integration
  - Aging of groups and memberships
- Deliverables
  - Java API, UI, Groups Registry creation scripts, sample batch import/export scripts, documentation
  - Some type of prototype demo at AuthZ CAMP

Slide 9: Grouper roadmap (continued)
- Developers
  - API, etc.: University of Chicago (I2 + UofC funded)
  - UI: University of Bristol (JISC funded)
- Contributed elements sought
  - Provisioning connectors (especially LDAP & AD)
  - LDAP Subject Lookup Interface
  - Signet-based Privilege Interface implementation
  - Interest expressed in a SPOCP-based Privilege Interface implementation

Slide 10: What's in a group
- Fields of the "base" group type: name, description, members
- Additional "list" fields supporting default access privilege management
- Site-defined group types can declare additional list fields and non-list fields
- A Grouper "list" is a list of individuals or groups

Slide 11: Access Privileges
- VIEW: see the group's name in lists & can refer to the group
- READ: basic information about a group
- UPDATE: membership and administer membership-related privileges
- ADMIN: can modify everything, including group name, description, & privileges, and can delete the group
- OPTIN: can add self to the members list
- OPTOUT: can remove self from the members list

Slide 12: Naming Privileges
- Group names have two parts: stem:descriptor
- CREATE: create a group with the specified name stem
- STEM: authority over a specified name stem
  - Manage who has CREATE privileges for a stem
  - Delegate STEM privilege to a subordinate stem
- Grouper enforces authority over a flat or hierarchical stem space
  - E.g.: uofc, uofc-bsd, uofc-bsd-obgyn

Slide 13: Grouper's privilege implementation
- Hierarchical or flat stem space, per configuration
- Personal groups: any user can CREATE groups named personal-username:descriptor
  - Configurable: on/off; stem for the personal namespace
  - No delegation of naming authority for the personal namespace
- Naming privileges conferred by effective membership in a system of naming groups
- Access privileges conferred by effective membership in lists associated with each group (updaters list for UPDATE privilege, etc.)
- All access & naming privileges can be assigned to both individuals and groups

Slide 14: Sample mayhem
- uofc:faculty (centrally auto-maintained)
- uofc-bsd (initial delegation to BioSci Division): STEM: jdoe
- uofc-bsd (resultant delegation of naming authority): STEM: uofc-bsd:enterprise-IT-group
- uofc-bsd:us (something only they can know): ADMINs: uofc-bsd:enterprise-IT-group
- uofc-bsd-obgyn:us (delegated to OB/GYN dept): UPDATERs: uofc-bsd-obgyn:it-staff; VIEWers: uofc-bsd:us

Slide 15: More mayhem
- uofc-nsit:netsec-update (a mail list): UPDATERs: uofc-nsit:netsec; OPTINs: uofc:uofc; OPTOUTs: uofc-nsit:netsec-update
- student:privLoss (Registrar's s***-list): READers: uofc-nsit:services
- personal-tbarton:myFriends
- personal-tbarton:myTrueFriends: OPTOUTs: personal-tbarton:myTrueFriends
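To make the privilege model of slides 12 through 15 concrete, here is an added toy model (not Grouper's own code): access privileges resolved through effective membership in a group's privilege lists, and CREATE resolved through a hierarchical stem space with an owner-only personal namespace. Group, list and stem names are taken from the "Sample mayhem" slides; the individual ids (jdoe, asmith, bjones, clee), the CREATE grant on the uofc-bsd-obgyn stem, and the rules that ADMIN implies the weaker access privileges and STEM implies CREATE are assumptions.

```python
# Added example, not Grouper's own code: a toy model of slides 12-15. Group and
# list names come from the "Sample mayhem" slides; individual ids and the CREATE
# grant on uofc-bsd-obgyn are constructed; ADMIN > weaker privileges is assumed.
# Groups Registry: group -> {list -> subjects}; a subject is an individual id
# or another group's name. Each non-"members" list confers one access privilege.
REGISTRY = {
    "uofc-bsd:enterprise-IT-group": {"members": {"jdoe", "asmith"}},
    "uofc-bsd:us": {"members": {"uofc-bsd:enterprise-IT-group"},
                    "admins": {"uofc-bsd:enterprise-IT-group"}},
    "uofc-bsd-obgyn:it-staff": {"members": {"bjones"}},
    "uofc-bsd-obgyn:us": {"members": {"uofc-bsd-obgyn:it-staff", "clee"},
                          "updaters": {"uofc-bsd-obgyn:it-staff"},
                          "viewers": {"uofc-bsd:us"}},
}
# Naming privileges per stem; jdoe has already delegated STEM authority over
# uofc-bsd to the enterprise IT group (slide 14).
STEMS = {"uofc-bsd": {"STEM": {"uofc-bsd:enterprise-IT-group"}},
         "uofc-bsd-obgyn": {"CREATE": {"uofc-bsd-obgyn:it-staff"}}}
PRIV_LIST = {"VIEW": "viewers", "READ": "readers", "UPDATE": "updaters",
             "ADMIN": "admins", "OPTIN": "optins", "OPTOUT": "optouts"}
IMPLIED_BY = {"VIEW": {"READ", "UPDATE", "ADMIN"}, "READ": {"UPDATE", "ADMIN"},
              "UPDATE": {"ADMIN"}}

def effective_members(group, list_name="members", seen=frozenset()):
    """Flatten a list by expanding subgroups recursively (cycle-safe)."""
    out = set()
    for subj in REGISTRY.get(group, {}).get(list_name, ()):
        if subj not in REGISTRY:
            out.add(subj)
        elif subj not in seen:
            out |= effective_members(subj, "members", seen | {subj})
    return out

def has_access(subject, priv, group):
    """Access privilege = effective membership in the group's privilege list."""
    return any(subject in effective_members(group, PRIV_LIST[p])
               for p in {priv} | IMPLIED_BY.get(priv, set()))

def can_create(subject, group_name):
    """CREATE or STEM on the stem or an enclosing stem (hierarchical space)."""
    stem = group_name.split(":")[0]
    if stem.startswith("personal-"):      # no delegation in the personal namespace
        return stem == "personal-" + subject
    parts = stem.split("-")
    for s in ("-".join(parts[:i]) for i in range(len(parts), 0, -1)):
        grants = STEMS.get(s, {})
        for grantee in grants.get("CREATE", set()) | grants.get("STEM", set()):
            if grantee == subject or subject in effective_members(grantee):
                return True
    return False
```

With this data, jdoe can VIEW uofc-bsd-obgyn:us only because the VIEWers list names uofc-bsd:us, whose effective membership is flattened through uofc-bsd:enterprise-IT-group; clee, an immediate member, holds no privilege list membership and therefore none of the privileges.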

Slide 16: Phase 1 API highlights
- Session-oriented: the session subject's privileges constrain the API
- "Flattened" membership: immediate & effective memberships are updated together
- Designed for management of group info, not as a high-volume run-time query service; provision other technologies for that, such as directories or RDBMSs
- Code samples & javadoc are linked in the specifications doc on the last slide, but it's not yet stable!

Slide 17: Probable UofC deployment
- Central IT ID Mgmt extended to use the API
  - Existing source -> person registry processing
  - Existing person registry -> consumer provisioning
  - UI access granted in parallel with delegation of group naming authority
  - Start small (flat stem space, no personal groups), then grow
- Placement of the API in key distributed IT shops, where there are significant and persistent authorization mgmt operations
- LDAP & AD provisioning

Slide 18: Other deployment musings
- Additional UIs tailored to new group types, common Groups Registry
  - Course groups
  - Signet
  - Mail list manager?
- API bundled into an application, common Registry
  - uPortal alternate Groups store
  - Implement the appropriate uPortal Groups Service interfaces
- API bundled with an application, separate Groups Registry?
  - Calendar
  - "Groupware", of all things?

Slide 19: Further info & participation
- MACE-Dir list
- MACE-Dir-groups conference calls
- Upcoming Authorization CAMP
- Stay tuned for further Signet & related participation opportunities
- http://home.uchicago.edu/~tbarton/draft-barton-christensen-grouper-phase1-specs-04.html
