Access Management with Grouper

Tom Barton, University of Chicago

Posted on 12-Feb-2016

TRANSCRIPT

Page 1: Access Management with Grouper

Access Management with Grouper

Tom Barton, University of Chicago

Page 2: Access Management with Grouper

Why?

• Lower cost by factoring access management out of individual applications
• Simplify and make access consistent by using one group in many places
• Let the right people manage access, directly
• See who can access what, in one place

Page 3: Access Management with Grouper

Grouper: core concepts

• Folders in hierarchies: a folder holds groups and subfolders
• Group, with direct members
• Subgroup: a group that is itself a member of another group; the subgroup's members become indirect members of the containing group
• Composite groups: a group defined as the union, intersection, or complement (A minus B) of two other groups
• Custom attributes on groups

Page 4: Access Management with Grouper

Security & delegation

Folder privileges:
• Create groups
• Create subfolders

Group privileges:
• Admin
• Update membership
• Read membership
• View group
• Opt-in
• Opt-out

Delegation: each privilege is granted to a subject or to a group, so a central administrator can hand day-to-day membership updates to the people who own a resource without giving them admin over the group.
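The two slides above describe a model, not an implementation. As an added example (not code from the slides and not Grouper's own Java API), the following Python models the same semantics end to end: direct members, indirect members through subgroups, composite groups, and privileges that can be granted to a subject or to a group, which is what makes delegation work. The Group and Registry classes, the group and subject names, and the privilege implication table are illustrative assumptions; Grouper's real privilege rules are similar but should be checked against its documentation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Illustrative implication table (assumption: modelled on Grouper's privilege
# implications, not copied from it): holding the key privilege also satisfies
# a check for any privilege in its value set.
IMPLIES = {
    "admin":  {"admin", "update", "read", "view", "optin", "optout"},
    "update": {"update", "read", "view"},
    "read":   {"read", "view"},
    "view":   {"view"},
    "optin":  {"optin", "view"},
    "optout": {"optout", "view"},
}

@dataclass
class Group:
    name: str
    # Direct members: subject ids, or "group:<name>" for a subgroup.
    members: Set[str] = field(default_factory=set)
    # Composite definition: (op, left, right) with op in
    # {"union", "intersection", "complement"}; complement = left minus right.
    composite: Optional[Tuple[str, str, str]] = None
    # Privilege name -> grantees (subject ids or "group:<name>").
    privileges: Dict[str, Set[str]] = field(default_factory=dict)

class Registry:
    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}

    def add(self, group: Group) -> Group:
        self.groups[group.name] = group
        return group

    def effective_members(self, name: str, _path: Tuple[str, ...] = ()) -> Set[str]:
        """Direct plus indirect members: follow subgroups and evaluate
        composites.  _path is the current recursion path; a group already on
        it is a membership cycle and contributes nothing further."""
        if name in _path:
            return set()
        path = _path + (name,)
        g = self.groups[name]
        if g.composite is not None:
            op, left, right = g.composite
            l = self.effective_members(left, path)
            r = self.effective_members(right, path)
            return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
        members: Set[str] = set()
        for m in g.members:
            if m.startswith("group:"):
                members |= self.effective_members(m[len("group:"):], path)
            else:
                members.add(m)
        return members

    def has_privilege(self, subject: str, group_name: str, priv: str) -> bool:
        """True if subject holds priv on the group directly, via an implying
        privilege, or through membership in a group that was granted it."""
        g = self.groups[group_name]
        for held, implied in IMPLIES.items():
            if priv not in implied:
                continue
            for grantee in g.privileges.get(held, ()):
                if grantee == subject:
                    return True
                if grantee.startswith("group:") and \
                        subject in self.effective_members(grantee[len("group:"):]):
                    return True
        return False

def build_demo_registry() -> Registry:
    """Constructed sample: an 'authorized' group that is the complement of an
    eligible group and a locked group, plus two delegated privilege grants."""
    reg = Registry()
    reg.add(Group("staff", {"alice", "bob"}))
    reg.add(Group("grad_students", {"dave"}))
    reg.add(Group("students", {"carol", "group:grad_students"}))   # subgroup
    reg.add(Group("eligible", {"group:staff", "group:students"}))  # union via subgroups
    reg.add(Group("locked", {"bob"}))                               # suspended accounts
    reg.add(Group("vpn_authorized", composite=("complement", "eligible", "locked")))
    reg.add(Group("helpdesk", {"erin"}))
    # Delegation: the helpdesk group may update 'locked' (lock or unlock
    # people) but holds nothing on 'eligible'; alice administers 'eligible'.
    reg.groups["locked"].privileges = {"update": {"group:helpdesk"}}
    reg.groups["eligible"].privileges = {"admin": {"alice"}}
    return reg

if __name__ == "__main__":
    reg = build_demo_registry()
    print(sorted(reg.effective_members("vpn_authorized")))   # ['alice', 'carol', 'dave']
    print(reg.has_privilege("erin", "locked", "update"))      # True
    print(reg.has_privilege("erin", "eligible", "read"))      # False
```

Two points worth noticing when running it: bob drops out of vpn_authorized the moment he is added to locked, with no change to any application, and erin can change locked (and therefore who loses VPN access) without being able to see or edit eligible. That separation is the delegation the slide is about; the cycle guard in effective_members matters because nothing stops a delegated admin from adding group A to group B and B to A.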

Page 5: Access Management with Grouper

Grouper integration (architecture diagram, recovered as a list)

• Grouper core: Grouper Database, Java API, Grouper UI, and Grouper Shell (gsh%, driven interactively or by script)
• Web Services (SOAP and REST), called through the Grouper Client or directly by applications
• Subject API: resolves Persons and Orgs from LDAP/AD or a database via the JNDI Source Adapter and the JDBC Source Adapter
• Grouper Loader: pulls memberships from Systems of Record into groups
• LDAP Provisioning Connector: pushes groups and memberships out to LDAP/AD
• XML import/export
• Consumers: applications read group information from LDAP/AD; Identity Management and the Shibboleth IdP release it as SAML attributes

Page 6: Access Management with Grouper

EXAMPLES

Page 7: Access Management with Grouper


Page 8: Access Management with Grouper

Memberships become LDAP attributes

LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu:

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucIsMemberOf: uc:org:nsit:integration:techag
ucIsMemberOf: uc:org:nsit:srdirs
ucIsMemberOf: uc:org:nsit:integration:iteco:wr
ucIsMemberOf: uc:applications:confluence:NSIT:esx
ucIsMemberOf: uc:org:nsit:integration:iteco:rd
ucIsMemberOf: uc:applications:confluence:NSIT:Directors
ucIsMemberOf: uc:org:nsit:staff
ucIsMemberOf: uc:applications:confluence:NSIT:Everyone
ucIsMemberOf: uc:org:nsit:integration:shib_group
ucIsMemberOf: uc:applications:bulkmail:users
ucIsMemberOf: uc:org:library:gnet:admins
ucIsMemberOf: uc:applications:gnetid:admins
ucIsMemberOf: uc:applications:wireless:authorized
ucIsMemberOf: uc:applications:cmail:users:authorized
ucIsMemberOf: uc:reference:affiliations:effective:staff

Values called out on the slide: ucIsMemberOf: uc:org:nsit:srdirs (a group in the org hierarchy), ucIsMemberOf: uc:reference:affiliations:effective:staff (a reference group), and ucIsMemberOf: uc:applications:vpn:authorized (an application authorization group).
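An application consumes these values by reading ucIsMemberOf from the user's entry and comparing the full group name. The following is an added Python example, not code from the slides or from Grouper: it parses an LDIF excerpt constructed to resemble the entry above (the second entry and the folded line are constructed for the demo), authorizes on an exact group name, and keeps a deliberately wrong check beside it to show why matching on the group's last name component is a bug. The function names are assumptions.

```python
# Constructed LDIF excerpt modelled on the slide's entry.  LDAP attribute
# names are case-insensitive, so ucismemberof and ucIsMemberOf are the same
# attribute; the parser lowercases them.
SAMPLE_LDIF = """\
dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucIsMemberOf: uc:org:nsit:srdirs
ucIsMemberOf: uc:applications:confluence:NSIT:Direct
 ors
ucIsMemberOf: uc:applications:wireless:authorized
ucIsMemberOf: uc:applications:cmail:users:authorized
ucIsMemberOf: uc:reference:affiliations:effective:staff

dn: uid=jdoe,ou=people,dc=uchicago,dc=edu
ucIsMemberOf: uc:applications:vpn:authorized
"""

def parse_ldif(text):
    """Parse LDIF into {dn: {attribute_lowercased: [values]}}.
    Handles line folding (a continuation line starts with one space).
    Base64 values ("attr:: ...") are not needed for these attributes and are
    left unhandled."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = {}, None
    for line in unfolded:
        if not line.strip():
            current = None            # blank line ends the entry
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                  # not "attr: value"; ignore
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def is_member(entry, group_name):
    """Correct check: the full group name, compared exactly."""
    return group_name in entry.get("ucismemberof", [])

def is_member_by_extension(entry, group_name):
    """Buggy check kept for contrast: compares only the last path component,
    so membership in uc:applications:wireless:authorized satisfies a check
    for uc:applications:vpn:authorized.  Grouper names repeat extensions such
    as 'authorized' and 'admins' across many folders."""
    ext = group_name.rsplit(":", 1)[-1]
    return any(v.rsplit(":", 1)[-1] == ext for v in entry.get("ucismemberof", []))

def authorize(entries, dn, required_group):
    """Allow only when the entry exists and is a member of the exact group.
    A missing entry or a missing attribute denies: fail closed."""
    entry = entries.get(dn)
    return entry is not None and is_member(entry, required_group)

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    tb = "uid=tbarton,ou=people,dc=uchicago,dc=edu"
    print(authorize(entries, tb, "uc:applications:vpn:authorized"))            # False
    print(is_member_by_extension(entries[tb], "uc:applications:vpn:authorized"))  # True (bug)
```

The same exact-match rule applies when the values arrive as a SAML attribute from the Shibboleth IdP instead of from LDAP: the group name is an opaque identifier, and an application that trims it to its last component, or tests with a substring, grants access from the wrong group.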

Page 9: Access Management with Grouper

U Chicago: simple delegation

• Wireless & VPN
• Guest network ID management
• Business Objects access
• Different groups, different authorities

(Diagram: an eligible group fed by affiliation subgroups student, staff, alum, hospital, and postdoc; a locked group; and authorized defined as the composite complement eligible minus locked, marked "A minus B" on the slide. Remaining diagram labels: unauthorized, closure.)

Page 10: Access Management with Grouper

Brown: Managing Access to Course Resources

MACE Grouper course groups mapped to roles in each application (cells blank on the slide are blank here):

  Grouper course group                | iTunes      | Majordomo                         | Confluence  | WebCT
  ------------------------------------+-------------+-----------------------------------+-------------+----------------
  All                                 |             | Recipient list, Discussion Sender | Can Use     |
  Administrator                       | Instructor  | Broadcast Sender                  | Space Admin |
  Instructors (provisioned)           |             |                                   |             | Instructor
  Managers                            |             |                                   |             |
  TAs                                 |             |                                   |             | TA and Designer
  Contributor                         | Instructor  |                                   | Space Admin |
  Content Developers                  |             |                                   |             | Designer
  Mentors                             |             |                                   |             |
  Learner                             | Student     |                                   |             |
  Auditors                            |             |                                   |             | Auditor
  Students (provisioned, read only)   |             |                                   |             | Student
  Vagabonds                           |             |                                   |             | Auditor
  Other, outside MACE Grouper         | Super Admin |                                   |             | Super Admin(s)

Page 11: Access Management with Grouper


Page 12: Access Management with Grouper

NIH's Cancer BioInformatics Grid

Page 13: Access Management with Grouper

New in v1.5.0

Just released; some capabilities are partial or “experimental”.

Page 14: Access Management with Grouper

Lite UI

• AJAX components for simple end-user tasks
• URL links directly to a group
• Integrated within the Grouper UI webapp
• Two entry points: Admin UI & Lite UI
• Admin UI uses the new components too
• More Lite UIs may be contributed by deployers

Page 15: Access Management with Grouper

Performance

(Chart: milliseconds on a log scale from 10 to 100000, against the number of indirect memberships created by a single direct membership: 1, 10, 100. Two series, Grouper 1.4.2 and Grouper 1.5; the plotted values as printed on the slide are 71, 440 and 16955 for 1.4.2 and 48, 48 and 111 for 1.5, i.e. the cost of a membership change that fans out into many indirect memberships dropped sharply in 1.5.)

Page 16: Access Management with Grouper

Audit

• Who did what, when
• Add/delete/update of membership, group, folder, and Grouper privileges
• Attribute definition & assignment
• XML import
• Move/copy of a group or folder
• Audit reporting via Grouper Admin UI & Grouper Shell

Page 17: Access Management with Grouper

Move & copy

• Copy or move groups and folders to another folder
• Why? Template groups & template folders; updating organizational hierarchies
• The old group name can optionally continue to refer to the moved group, so systems that still reference the old name keep resolving it; review those references before dropping the alias
• Supported by Grouper Admin UI & Grouper Shell (Grouper-WS soon)

Page 18: Access Management with Grouper

Notification

• Near-real-time provisioning of group information
• Group, membership, folder, and privilege changes
• Serialized: changes are recorded as an ordered stream of transactions
• Provided to registered consumers
• SQL & API access to the transactions
• The LDAP provisioning connector will use it in v1.5.1
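The slide gives the properties a consumer relies on: the transactions are serialized and a registered consumer reads them in order. As an added example (not Grouper's change-log implementation or its consumer API), the following Python shows what a consumer of such a stream has to get right to provision a target safely: apply in sequence number order, resume from a persisted checkpoint after a restart without replaying or skipping, and refuse to continue across a gap, because a skipped delete leaves an access grant in place that the source of truth has revoked. The event records, their field names and actions, and the in-memory directory target are constructed for this example.

```python
from typing import Dict, List, Optional, Set

# Constructed sample of serialized transactions in commit order (field names
# are this example's, not Grouper's change-log columns).
SAMPLE_LOG: List[dict] = [
    {"seq": 1, "action": "membership_add",    "group": "uc:applications:vpn:authorized", "subject": "tbarton"},
    {"seq": 2, "action": "membership_add",    "group": "uc:applications:vpn:authorized", "subject": "jdoe"},
    {"seq": 3, "action": "membership_delete", "group": "uc:applications:vpn:authorized", "subject": "jdoe"},
    {"seq": 4, "action": "group_delete",      "group": "uc:applications:old:authorized"},
    {"seq": 5, "action": "membership_add",    "group": "uc:applications:wireless:authorized", "subject": "jdoe"},
]

class DirectoryTarget:
    """Stand-in for the provisioned system (e.g. an LDAP directory):
    group name -> set of member ids.  Starts with one stale group."""
    def __init__(self) -> None:
        self.groups: Dict[str, Set[str]] = {"uc:applications:old:authorized": {"ghost"}}

    def apply(self, event: dict) -> None:
        action = event["action"]
        if action == "membership_add":
            self.groups.setdefault(event["group"], set()).add(event["subject"])
        elif action == "membership_delete":
            self.groups.get(event["group"], set()).discard(event["subject"])
        elif action == "group_delete":
            self.groups.pop(event["group"], None)
        else:
            raise ValueError("unknown action: " + action)

class Consumer:
    """Applies transactions strictly in sequence and keeps a checkpoint (the
    last seq applied) so a restart resumes without replaying or skipping.
    Skipping is the dangerous failure: if seq 3 were lost, jdoe would keep
    VPN access that the source of truth has revoked, so a gap aborts."""
    def __init__(self, target: DirectoryTarget, checkpoint: int = 0) -> None:
        self.target = target
        self.checkpoint = checkpoint

    def run(self, log: List[dict]) -> int:
        for ev in sorted(log, key=lambda e: e["seq"]):   # tolerate out-of-order delivery
            if ev["seq"] <= self.checkpoint:
                continue                                  # already applied
            if ev["seq"] != self.checkpoint + 1:
                raise RuntimeError("gap in change log before seq %d" % ev["seq"])
            self.target.apply(ev)
            self.checkpoint = ev["seq"]                   # persist this in a real consumer
        return self.checkpoint

def provision(log: List[dict], checkpoint: int = 0,
              target: Optional[DirectoryTarget] = None):
    """Run a consumer over log from checkpoint; returns (target, new checkpoint)."""
    if target is None:
        target = DirectoryTarget()
    consumer = Consumer(target, checkpoint)
    return target, consumer.run(log)

def has_gap(log: List[dict], checkpoint: int = 0) -> bool:
    """True if applying log from checkpoint would hit a missing sequence number."""
    try:
        Consumer(DirectoryTarget(), checkpoint).run(log)
        return False
    except RuntimeError:
        return True

if __name__ == "__main__":
    target, cp = provision(SAMPLE_LOG)
    print(cp, sorted(target.groups))           # 5 ['uc:applications:vpn:authorized', 'uc:applications:wireless:authorized']
    print(has_gap([e for e in SAMPLE_LOG if e["seq"] != 3]))   # True
```

In a real deployment the checkpoint is written to durable storage in the same unit of work as the change to the target; if the two can diverge, the consumer must be able to reapply the last transaction harmlessly, which the add/delete/pop operations above already are.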

Page 19: Access Management with Grouper

Attribute framework

• Assign custom attributes to the principal Grouper objects: groups, folders, memberships, and attributes themselves
• Will have several value types, multi-valued attributes, etc.; only an enumerated type in 1.5.0
• Attributes are objects in folders, like groups, and their security model is similar to that of groups

Page 20: Access Management with Grouper

Roles & permissions

• Role extends Group; it links Subjects with Permissions
• Permission is a type of attribute assigned to a role or to a single membership in a role
• Each permission has an Action qualifier, e.g. Read or Write
• Permission sets, e.g. organizational hierarchies
• Superior roles inherit subordinate roles' permissions
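As an added example (not Grouper's code; the slide itself says no high-level interface existed yet), the following Python works through the model the slide sketches: a role holds subjects, a permission is a (resource, action) pair assigned either to the role or to one subject's membership in it, resources form a permission set arranged as an organizational hierarchy, and a superior role inherits the permissions of its subordinates. The role names, org units, and function names are constructed; treating a grant on a parent org unit as covering its children is this example's reading of "permission sets, e.g. organizational hierarchies" and is an assumption.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

Permission = Tuple[str, str]   # (resource, action)

class PermissionSystem:
    def __init__(self) -> None:
        self.role_members: Dict[str, Set[str]] = {}
        self.role_subordinates: Dict[str, Set[str]] = {}   # superior -> roles it inherits from
        self.resource_parent: Dict[str, str] = {}          # child -> parent in the permission set
        self.role_perms: Dict[str, Set[Permission]] = {}
        self.membership_perms: Dict[Tuple[str, str], Set[Permission]] = {}  # (role, subject)

    def add_role(self, role: str, members: Iterable[str] = (),
                 subordinates: Iterable[str] = ()) -> None:
        self.role_members[role] = set(members)
        self.role_subordinates[role] = set(subordinates)

    def add_resource(self, resource: str, parent: Optional[str] = None) -> None:
        if parent is not None:
            self.resource_parent[resource] = parent

    def grant_to_role(self, role: str, resource: str, action: str) -> None:
        self.role_perms.setdefault(role, set()).add((resource, action))

    def grant_to_membership(self, role: str, subject: str, resource: str, action: str) -> None:
        """Permission scoped to one subject's membership in the role."""
        if subject not in self.role_members.get(role, set()):
            raise ValueError("%s is not a member of role %s" % (subject, role))
        self.membership_perms.setdefault((role, subject), set()).add((resource, action))

    def _inherited_roles(self, role: str, seen: Optional[Set[str]] = None) -> Set[str]:
        """The role and every subordinate reachable beneath it (cycle-safe)."""
        seen = set() if seen is None else seen
        if role not in seen:
            seen.add(role)
            for sub in self.role_subordinates.get(role, set()):
                self._inherited_roles(sub, seen)
        return seen

    def _covering(self, resource: str) -> Set[str]:
        """The resource and its ancestors: a grant on a parent covers children
        (assumption for this example).  Stops if the hierarchy loops."""
        chain = {resource}
        while resource in self.resource_parent and self.resource_parent[resource] not in chain:
            resource = self.resource_parent[resource]
            chain.add(resource)
        return chain

    def allowed(self, subject: str, resource: str, action: str) -> bool:
        covering = self._covering(resource)
        for role, members in self.role_members.items():
            if subject not in members:
                continue
            perms = set(self.membership_perms.get((role, subject), set()))
            for r in self._inherited_roles(role):
                perms |= self.role_perms.get(r, set())
            if any(act == action and res in covering for res, act in perms):
                return True
        return False

def build_demo() -> PermissionSystem:
    """Constructed sample: an org-unit permission set and two roles, where
    'approver' is superior to 'reviewer' and inherits its permissions."""
    ps = PermissionSystem()
    ps.add_resource("university")
    ps.add_resource("university:medicine", "university")
    ps.add_resource("university:medicine:oncology", "university:medicine")
    ps.add_resource("university:law", "university")
    ps.add_role("reviewer", members={"pat", "sam"})
    ps.add_role("approver", members={"lee"}, subordinates={"reviewer"})
    ps.grant_to_role("reviewer", "university:medicine", "read")
    ps.grant_to_role("approver", "university:medicine", "write")
    ps.grant_to_membership("reviewer", "sam", "university:law", "read")   # sam only
    return ps

if __name__ == "__main__":
    ps = build_demo()
    print(ps.allowed("lee", "university:medicine:oncology", "read"))   # True, inherited from reviewer
    print(ps.allowed("sam", "university:law", "read"))                 # True, membership-level grant
    print(ps.allowed("pat", "university:law", "read"))                 # False
```

The membership-level grant is the part that is easy to get wrong in a review: sam's read on university:law is not a property of the reviewer role, so it does not reach lee through inheritance and disappears if sam leaves the role. The inheritance direction also matters: approver inherits reviewer's permissions, never the reverse.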

Page 21: Access Management with Grouper


Grouper & Identity Services

• Grouper’s roles & permissions are only low level capabilities, initially

• No high level interfaces have been implemented or even defined yet

• Looking for help with that from MACE-Paccman and from partner sites

• More later in this conference about Grouper and identity service interfaces in Kuali and in uPortal

Page 22: Access Management with Grouper

Grouper roadmap

• Current version is 1.5.0
• v1.5+: notification enhancements; attribute & permission enhancements; new LDAPPC = Shibboleth AA + SPMLv2
• v1.6: point-in-time audit; role management interface; uPortal integration; Kuali Rice integration

Page 23: Access Management with Grouper


www.internet2.edu/grouper