Presentation is loading. Please wait.

Presentation is loading. Please wait.

ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009.

Published byBethanie Brown Modified over 9 years ago

Similar presentations

Presentation on theme: "ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009."— Presentation transcript:

1 ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009

2 The Fast Framework PennGroups Identity Management at Penn  Goal: To protect the confidentiality and privacy of information at Penn by: – Uniquely identifying entities associated with Penn – Providing access to appropriate facilities, services, and systems – Preventing unauthorized access to facilities, services, and systems 1/23/2016 Central Authorization at the University of Pennsylvania2

3 The Fast Framework PennGroups Elements of Identity Management  Components of identity management – Penn Community – central repository for a person’s bio/demo data as fed by core business systems (SRS, HR/Payroll, Atlas, UPHS) and entered directly for ancillary affiliates – Penn Directory – system that holds the preferred name and contact info for all Penn affiliates – Penn Card – system used to generate the physical ID card that is used for building access and commercial transactions across the university – PennNames - system used to associate a unique username to each individual at Penn, providing a common and consistent University namespace for online services – PennKey – unique identifier for Penn’s central authentication system; with associated password, provides an electronic means to authenticate an individual and provide access to systems across the university – PennGroups – system for creating and managing groups to facilitate authorization decisions by applications with hooks to LDAP or web services 1/23/2016 Central Authorization at the University of Pennsylvania3

4 The Fast Framework PennGroups Atlas Penn’s Identity Management Strategy 1/23/2016 Central Authorization at the University of Pennsylvania4 PennKey PennCard Ancillary Affiliates (Temp, VFAC, CHOP, etc..) Ancillary Affiliates (Temp, VFAC, CHOP, etc..) Penn Names Penn Community Penn Directory UPHS SRS PennGroups 3 rd Party App 3 rd Party App Home Grown App Home Grown App AuthZ Decisions via LDAP or WS HR

5 The Fast Framework PennGroups  PennGroups is derived from the Internet2 open source Grouper initiative  Has been adopted and deployed at other ivy league universities (Brown, Cornell, Yale)  Penn has worked with the Grouper team to enhance the baseline product – Better meets the needs of Penn – Provides additional useful functionality to other grouper users – Allows Penn to benefit from future grouper enhancements without maintaining a separate source code instance 1/23/2016 Central Authorization at the University of Pennsylvania5 What Is PennGroups

6 The Fast Framework PennGroups Benefits  Facilitates consistent application of University business rules – Managed through a common UI and web services  Streamlines maintenance of authorization data – Brings scattered redundant groups together for re-use – Allows useful actions on these groups -- group math, group nesting, exclusion criteria  Leverages Penn Community data for accurate, up to date authorization decisions – Can leverage existing attribute information  Distributed/delegated model of control – Supports the creation of new groups by schools and centers 1/23/2016 Central Authorization at the University of Pennsylvania6

7 The Fast Framework PennGroups How It Works  Authorization by application  After authentication the application can interrogate PennGroups for access to group membership data – Web services – LDAP  Changes to group membership are reflected automatically and propagate to the application dynamically 1/23/2016 Central Authorization at the University of Pennsylvania7

8 The Fast Framework PennGroups  Two modes for creating and managing groups – Automated Web services - build and run a query from your data store and send group membership information to PennGroups via the web service API Stored SQL – Configure a SQL query within the PennGroups UI to run on a scheduled basis to modify group membership – Manual UI – log onto the PennGroups UI to manually manage your group membership –You cannot manually add members to or remove members from a group that is managed in an automated fashion 1/23/2016 Central Authorization at the University of Pennsylvania8 Managing PennGroups

9 The Fast Framework PennGroups 1/23/2016 Central Authorization at the University of Pennsylvania9 PennGroups Hierarchy

10 The Fast Framework PennGroups PennGroups in a Decentralized Environment  When School/Center is purchasing or developing a new system – LSP/ application developer contacts Central IT – LSP/developer and Central IT collaborate to: Establish authorization use cases for the specific application Determine access method (LDAP or Web Services) Determine best approach for group creation and maintenance – School/Center fills out access forms – Central IT consults with LSP/developer on group hierarchy structure 1/23/2016 Central Authorization at the University of Pennsylvania10

11 The Fast Framework PennGroups  PTO – Paid Time Off – Provides ability to select a person that doesn’t manage their time off through PTO as a supervisor/approver  ISC Warehouse Apps – Provides a feed from the warehouse for employees in 3 orgs. If you are active in the org, you will be in the group, and the app will let you in  Abramson's Cancer Center – Builds custom research related applications and needs an means to confirm that users who log in currently have an active status  School of Engineering and Applied Science – Affiliate level groups - faculty members, staff members, students, undergrads, grads, PhD students – Class level groups - everyone enrolled in every SEAS course, and several ad-hoc groups. – Kept up to date via a SEAS data store and propagated to PennGroups via the SQL loader – Group hierarchy (groups such as freshman, sophomore, etc are members in the group uGrad). – Ad hoc groups generated and maintained via specific applications and business rules. – Use of groups to determine access to various resources such as SSH (with different groups allowed to access different machines), IMAP, POP, SMTP, etc. 1/23/2016 Central Authorization at the University of Pennsylvania11 Use Cases

12 The Fast Framework PennGroups More Information  For technical documentation see the Internet2 Grouper wiki at: – General info https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+Project – Web services info https://wiki.internet2.edu/confluence/display/GrouperWG/Grouper+-+Web+Services 1/23/2016 Central Authorization at the University of Pennsylvania12

Download ppt "ISC-ASTT PennGroups Central Authorization System (Grouper) June 2009."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.

DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
Netcentives Inc. 475 Brannan St. San Francisco, CA 94107 415. 615. 2000 www.netcentives.com NASDAQ: NCNT Netcentives Inc. 475 Brannan St. San Francisco,

Netcentives Inc. 475 Brannan St. San Francisco, CA NASDAQ: NCNT Netcentives Inc. 475 Brannan St. San Francisco,
HP Quality Center Overview.

HP Quality Center Overview.
Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.
Copyright JNT Association 20051Optional www.ukfederation.org.uk Copyright JNT Association 2007 1 Joining the UK Access Management Federation 4th April.

Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park

June 1, 2001 Enterprise Directory Service at College Park David Henry Office of Information Technology University of Maryland College Park
Chapter 10: Analyzing Systems Using Data Dictionaries Instructor: Paul K Chen.

Chapter 10: Analyzing Systems Using Data Dictionaries Instructor: Paul K Chen.
Accelerate Business Success With CRM CRM Interoperability.

Accelerate Business Success With CRM CRM Interoperability.
PENN Community Project SUG Presentation April 8, 2002.

PENN Community Project SUG Presentation April 8, 2002.
© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.

© 2004, The Trustees of Indiana University 1 OneStart Workflow Basics Brian McGough, Manager, Systems Integration, UITS Ryan Kirkendall, Lead Developer.
Nu Project Management Office A web based tool to Manage Projects.

Nu Project Management Office A web based tool to Manage Projects.
1 NETWORK PLANNING TASK FORCE FY’07 “ Setting the Rates” 11/20/06.

1 NETWORK PLANNING TASK FORCE FY’07 “ Setting the Rates” 11/20/06.
Employee Central Presentation

Employee Central Presentation
Summary Maximo is an Enterprise Asset Management System used by Cornell University Facilities Services. Many of Cornell's physical assets found across.

Summary Maximo is an Enterprise Asset Management System used by Cornell University Facilities Services. Many of Cornell's physical assets found across.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
1 Data Strategy Overview Keith Wilson Session 15.

1 Data Strategy Overview Keith Wilson Session 15.
NERCOMP 2007 - Managing Campus Affiliates Managing Campus Affiliates Faculty? Student? Faculty? Student? Staff? Criss Laidlaw Director of Administrative.

NERCOMP Managing Campus Affiliates Managing Campus Affiliates Faculty? Student? Faculty? Student? Staff? Criss Laidlaw Director of Administrative.
Apereo Grouper Seminar Part 2 – Penn and Grouper Chris Hyzer University of Pennsylvania and Internet2.

Apereo Grouper Seminar Part 2 – Penn and Grouper Chris Hyzer University of Pennsylvania and Internet2.

Similar presentations

Ads by Google