Managing Roles & Privileges with Grouper and Signet Middleware
Tom Barton, University of Chicago
Lynn McRae, Stanford University
Internet2 Spring Members Meeting, April 26, 2006

Groups and Roles
• Roles and Groups
  • Who someone is (identity)
  • People sharing a common trait, e.g., rank or privilege
• Roles -- you know it when you see it
  • Institutional role, e.g., faculty, Dean
  • Departmental roles, e.g., chair, admin
  • Professional role, e.g., mathematician, buyer
  • Project role, e.g., analyst, engineer
• Groups
  • Any collection of people, role-holders or not?
  • Depends on how you name it?
• Role vs group is not what matters

Groups and Privileges
• Two categories of information are used in making access control decisions
  • Who you are
    • aka “roles”
    • cf RBAC
  • What you can do
    • aka “privileges”
    • cf “value-based authority”
• Both types of information are conveyed through attributes about a person
• Grouper and Signet are tools that let you enrich descriptive attributes about people in both ways

Grouper
• Middleware software/toolkit
  • User access through a common UI
  • Program access through a common API
• Defines a “Groups Registry”
  • Brings scattered duplicative groups together for re-use
  • Allows useful actions on these groups -- group math, group nesting, exclusion criteria
  • Hierarchical name-space (name stems & substems)
• Can leverage existing group information
• Supports the creation of new groups
  • By schools, departments, and individuals!
• Distributed/delegated model of control

Signet
• Middleware software/toolkit
  • User access through a common UI
  • Program access through a common API
• Brings privilege information together in one place -- a “Privilege Registry”
  • Central granting, can apply across multiple systems
  • Central reporting, history, auditing, review
  • Accessible to managers AND holders of privileges
• Independent of specific vendors, systems, releases or technologies
• Distributed/delegated model of control

Relative Roles of Signet & Grouper
Grouper Signet
RBAC model
• Users are placed into groups
• Grouper allows local creation and management of group membership
• Privileges can then be assigned to groups
• Signet manages privileges to groups (as well as to individuals)
• Both “role” and privilege information can be leveraged by systems

Access Control Decision
Q: Subject + Resource + Action + Context
• Subject = who wants to take an action, typically a person
• Resource = what is the action against, e.g., file, building, data, service, etc.
• Action = what they want to do, e.g., view, modify, enter, approve, run, etc.
• Context = time of day, academic term, weather, etc.
A: Policy interpretation and decision, e.g.
• Resource and action are available to a group, e.g., Faculty at MIT, Students in a class
• Available to anyone with “entitlement” for the service

Access Control Decision
[Diagram labels: Identity Provider, Service Provider, Rules, auth’d]
• Subject tries to access resource
• Provider evaluates required identity attributes against rules for resource
• Provider grants or denies access

Palace Access
M (MUSKETEER)
Who are you?
  organization=RoyalCourt
  affiliation=musketeer
What can you do?
  permission=palace_access

Identity & Access Management
• Each person’s online activities are shaped by many Sources of Authority
  • Institutional policy making bodies
  • Resource managers
  • Program/activity heads
  • Self
• Management of the information it conveys should be distributed
  • Hook up all of those Sources of Authority to the middleware
• Common middleware infrastructure should be operated centrally
  • Departments/programs/activities should not have to build their own core middleware

Big picture

Big picture, without Grouper/Signet

“Groups is good”
[Diagram labels:]
• Identity Management: Affiliation: faculty, Dept: Biology
• HR
• The Boss: “What about my team? …my project? …my senior staff?”
• WIKI: define BIO_X, allow BIO_X
• Email Lists: define BioX, allow BioX
• Calendar: define Bio-X, allow Bio-X

Departmental & other local groups
[Diagram labels:]
• Identity Management: Affiliation: faculty, Dept: Biology
• HR
• The Boss
• Grouper: biology:bio-x, biology:bio-x:admin, biology:bio-x:staff
• WIKI: allow Bio-X
• Email Lists: allow Bio-X
• Calendar: allow Bio-X

Filling the gap
[Diagram labels:]
• Identity Management: Affiliation: faculty, Instructor: CS-313
• HR; SIS Courses; Shib
• The Professor: “What about my TAs? … my auditors? … extensions/makeup?”
• CourseWare (CS-313 grades): Allow CS-313
• Library (CompSci resources): allow CS teaching
• External Partner: allow CS affiliates

Extending Course infrastructure
[Diagram labels:]
• Identity Management: Affiliation: faculty, Instructor: CS-313
• HR; SIS Courses; Shib
• The Professor
• Grouper: Class:CS-313:TA, isMemberOf: CS-313, joined by the symbols U and =
• CourseWare (CS-313 grades): Allow CS-313
• Library (CompSci resources): allow CS teaching
• External Partner: allow CS affiliates

Extending Course infrastructure
[Diagram labels:]
• Identity Management: Affiliation: faculty
• HR; SIS Courses; Shib
• The Professor
• Grouper: class:CS-313:TA, isMember: CS-313, faculty: CS-313, joined by the symbols U and =
• CourseWare (CS-313 grades): allow CS-313
• Library (CompSci resources): allow CS teaching
• External Partner: allow CS affiliates

Creating new identity
[Diagram labels:]
• GuestIDs
• Identity Management: Affiliation: ???
• Sib
• Rula Lenska: “Friends are here from Europe!”
• Athletic Facilities: faculty, staff, student, guest
• Printing: staff, guest
• Blackboard: student, guest

Creating new identity
[Diagram labels:]
• GuestIDs
• Identity Management: Affiliation: guest
• Sib
• Rula Lenska
• Grouper: guestids:admin, guestids:guests
• Signet: printing(max100), blackboard(music103), athletic(gym,after5); effective date, expiration date
• Athletic Facilities: faculty, staff, student, guest
• Printing: staff, guest
• Blackboard: student, guest

Distributing control of authority
[Diagram labels:]
• Finance
• A.Greenspan: “Unless the situation is reversed, these …trends will cause serious economic disruptions”
• phone; ticket
• Identity Management: Affiliation: staff
• Reporting: who can view
• Reimbursements: who can approve
• Requisitions: who can spend
21
DeptsDepts
Distributing control of authorityDistributing control of authority
IdentityManagement
Affiliation: staff
A.Greenspan
Grouper
Signet
school:dept1 (view,all)
B.Bernake
school:dept2 (approve,1472,$100)
Accounts
Scope
while staff
FinanceFinance
who canview
who canview
ReportingReporting
who canapprovewho canapprove
Reimburse-ments
Reimburse-ments
who canspend
who canspend
RequisitionsRequisitions

Distributing control of authority
[Diagram labels:]
• Finance
• Identity Management: Affiliation: staff
• A.Greenspan; B.Bernake
• Grouper: school, school:dept, school:dept:unit
• Signet: school:dept1 (view,all); school:dept2 (approve,1472,$100)
• scope; while staff
• Reporting: who can view
• Reimbursements: who can approve
• Requisitions: who can spend

The duck test…
Grouper
• Binary info – you’re either in some list or not
• Locally tweak or combine other groups
• Identification layer of an encompassing access management scheme
• Identity- or affiliation-based access control or distribution
Signet
• Structured, qualified info – limits, conditions, scope, …
• Assignments to individuals as well as groups
• Delegation and chain of authority essential for access decisions
• Enable functional, not just technical, people to manage privileges
• Supports policy control closer to source of authority
• Audit requirements

Consider Signet when …
• Complex group intersections and hierarchies become cumbersome
  • Difficult to track who has what and when
  • Can’t easily move people; need to delete/add
• Implementation of related access rules is scattered across systems
  • different procedures, different contacts, managing changes across areas, over time
• You need to coordinate policy, privileges and audit activities across systems

Signet & Grouper Overview

Grouper Overview
• Mix of manual and automation processes manage a common Groups Registry
  • Stored in an RDBMS
  • Automation processes provision info from the Groups Registry into LDAP, AD, directly into application-specific databases, wherever the value of the info warrants spending the resources to place it there
• Two types of managed objects: groups and naming stems
  • Groups are created & named with a naming stem
• Group management authority is delegatable
  • By group or by naming stem

Grouper Groups
• Any “subject” can be a group member or privilegee
  • Persons, groups, site-defined subject types
  • Uses Subject API developed by Grouper+Signet teams
• Subgroups (now), composite groups (v1.0), and aging (v1.1) of groups and memberships
• Privileges
  • ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
• Group attribute set can be site-extended

Naming Stems
• Groups are created with naming stems
  • Limits the authority to create and name groups
  • Support distinct activities with own authority
• Naming stems can be arranged hierarchically, e.g., uc, uc:nsit, uc:nsit:labs
• Privileges
  • STEM
    • Create subordinate naming stems
    • Assign privs for this naming stem
  • CREATE – create groups with this naming stem

Composite Groups
• Membership is defined by composing the memberships of 2 other groups
  • A = B ∪ C (union)
  • A = B ∩ C (intersection)
  • A = B – C (relative complement)
• Common use – “tweak” existing groups
  • Whitelist or blacklist factored in to another group

Example: Computer Cluster Access
[Diagram labels:]
• nsit:labs:eligible (manual)
• nsit:labs:whitelist (manual)
• uc:faculty (auto)
• uc:staff (auto)
• categories of entitled students (auto)
• time dependent student categories (auto)
• nsit:labs:blacklist (manual)
• categories of barred students (auto)
• nsit:labs:barred (manual)
Allow access if in (nsit:labs:eligible – nsit:labs:barred)
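
The group math from the Composite Groups slide, applied to the cluster-access rule above, as an added Python sketch (not Grouper's API or code). The `Registry` class, the `students:*` group names, the `nsit:labs:access` composite, the people, and the assignment of the slide's groups to the eligible and barred sides are assumptions made for illustration.

```python
class Registry:
    """Toy groups registry: plain groups (with subgroups) and composites."""

    def __init__(self):
        self.direct = {}     # group name -> set of subjects and/or group names
        self.composite = {}  # group name -> (op, left group, right group)

    def add_group(self, name, members=()):
        self.direct[name] = set(members)

    def add_composite(self, name, op, left, right):
        if op not in ("union", "intersection", "complement"):
            raise ValueError("unknown operator: " + op)
        self.composite[name] = (op, left, right)

    def is_group(self, name):
        return name in self.direct or name in self.composite

    def members(self, name, _path=()):
        """Effective membership: subgroups expanded, composites evaluated."""
        if name in _path:
            # A complement over a cycle has no well-defined answer; fail closed.
            raise ValueError("membership cycle through " + name)
        path = _path + (name,)
        if name in self.composite:
            op, left, right = self.composite[name]
            l, r = self.members(left, path), self.members(right, path)
            if op == "union":
                return l | r
            if op == "intersection":
                return l & r
            return l - r                      # relative complement
        result = set()
        for m in self.direct[name]:
            if self.is_group(m):
                result |= self.members(m, path)   # nested group: expand it
            else:
                result.add(m)                     # plain subject
        return result


def build_cluster_registry():
    """Constructed sample data; people and students:* names are invented."""
    r = Registry()
    r.add_group("uc:faculty", {"alice"})                   # auto
    r.add_group("uc:staff", {"bob"})                       # auto
    r.add_group("students:entitled", {"carol", "dave"})    # auto
    r.add_group("students:barred", {"dave"})               # auto
    r.add_group("nsit:labs:whitelist", {"erin", "frank"})  # manual
    r.add_group("nsit:labs:blacklist", {"bob", "frank"})   # manual
    r.add_group("nsit:labs:eligible", {"nsit:labs:whitelist", "uc:faculty",
                                       "uc:staff", "students:entitled"})
    r.add_group("nsit:labs:barred", {"nsit:labs:blacklist", "students:barred"})
    # The slide's rule: eligible minus barred.
    r.add_composite("nsit:labs:access", "complement",
                    "nsit:labs:eligible", "nsit:labs:barred")
    return r


def may_use_cluster(registry, subject):
    """Unknown subjects are simply not members, so they are denied."""
    return subject in registry.members("nsit:labs:access")
```

Because access is a relative complement, a subject who is on both the whitelist and the blacklist (`frank` here) is denied: the barred side always wins.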

Systems Integration
• API
• XML Import/Export Tool
  • Snapshots Groups Registry, including naming stems and privileges
    • A single group
    • All subordinate to a specified naming stem
    • All matching a search condition
    • Entire Registry

Signet Overview
• Analysts define privileges in functional terms and specify associated system-level permissions
• Signet presents this functional view in a Web UI where users assign privileges & delegate authority across all areas in which they have authority
• Signet internally maps assigned privileges into system-specific terms needed by applications
• Privileges are exported, transformed, & provisioned into applications and infrastructure services
• Signet provides automated lifecycle controls

Privileges Building Blocks
Functional view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions
System view
• Permissions
  • Subject
  • Action
  • Resource

Functional View
Subsystems contain…
• Limits: Qualifiers, constraints for a privilege
• Scope: Organizational hierarchy governing distributed delegation
• Functions: The things a person can do; what they are getting privileges for
• Categories: Provide useful arrangement of functions within a subsystem; for reporting, ease of use

Functional View
[Diagram with columns Subsystems, Categories, Functions and Limits; labels:]
• Clinical Trial Protocol A; Patient Records; Materials Control; Manage Grant; Lab Access; Admin
• Student Admin; Course Support; Add/Drop students; Schedule Classes; Financial Aid; Process Applicants; Award Scholarships; Manage Accounts
• Limits: Which term; From Fund…; Read/Write; Hours; For school…; For fund…; Which campus; Qty/day; $ constraints
• organizing actions

Systems View
Permissions
• Atomic units of control that map to specific access rules in systems
• Includes limits that must be evaluated when interpreting permissions
Resources
• The target of a specific privilege; things that have access rules to control their use

Functional View → Permissions
[Diagram mapping the functional view to resources/permissions; labels:]
• Functional View (categories, functions): Student Admin; Course Support; Add/Drop students; Schedule Classes; Financial Aid; Process Applicants; Award Scholarships; Manage Accounts
• Permissions: reserve_time; view_schedules; student_records; applicant_data; view_fund_data; update_fund_data; update_course_data; reserve_room
• Resources: Calendar; Course; Facilities; Financial; Student

Systems Integration
• API
• Permissions document
  • XML representation of privileges for an individual or group
  • Will be compatible with XACML

Privileges Lifecycle
Conditions
• Provides automatic revocation of privileges
• Date controls -- from date, until date
• Will be based on person’s status, affiliation, etc., e.g., as long as person is at Stanford
Prerequisites
• Pre-conditions that must be met to activate privileges, e.g., training

Other features
Assignments can be
• To an individual
• To a Group
With/without ability to further delegate
• Distributed delegation using organizational hierarchy
• Records “chain of command”
Proxy assignment
• Temporary granting of one’s privilege to another

Privilege Elements by Example
By authority of the Dean [grantor]
principal investigators [grantee (group/role)]
who have completed training [prerequisite]
can approve purchases [function]
in the School of Medicine [scope]
for research projects [resource]
up to $100,000 [limit]
until January 1, 2007 / as long as a faculty member at… [conditions]
Privilege Lifecycle
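
The privilege elements above, evaluated as an access control decision (subject, resource, action, context), in an added Python sketch that is not Signet's API or data model. All class, field and function names, the colon-separated scope paths, the group name, and the reading of "until" as exclusive of the date itself are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Subject:
    id: str
    groups: frozenset = frozenset()
    affiliations: frozenset = frozenset()
    completed: frozenset = frozenset()        # prerequisites already satisfied


@dataclass(frozen=True)
class Assignment:
    grantor: str                              # chain of authority, kept for audit
    grantee: str                              # a subject id or a group name
    function: str
    resource: str
    scope: str                                # node in the organizational hierarchy
    limit: int                                # dollar ceiling
    prerequisite: Optional[str] = None
    until: Optional[date] = None              # condition: date control
    while_affiliation: Optional[str] = None   # condition: status-based


def in_scope(assigned, requested):
    # Match whole path segments: "school:medicine" covers
    # "school:medicine:cardiology" but not "school:medicine-annex".
    return requested == assigned or requested.startswith(assigned + ":")


def decide(assignments, subject, function, resource, org, amount, today):
    """Return (allowed, reason); deny unless one assignment passes every check."""
    reasons = []
    for a in assignments:
        if a.function != function or a.resource != resource:
            continue
        if a.grantee != subject.id and a.grantee not in subject.groups:
            continue
        if a.prerequisite and a.prerequisite not in subject.completed:
            reasons.append("prerequisite not met: " + a.prerequisite)
        elif not in_scope(a.scope, org):
            reasons.append("outside scope " + a.scope)
        elif amount > a.limit:
            reasons.append("over limit %d" % a.limit)
        elif a.until is not None and today >= a.until:
            reasons.append("expired " + a.until.isoformat())
        elif a.while_affiliation and a.while_affiliation not in subject.affiliations:
            reasons.append("condition failed: no longer " + a.while_affiliation)
        else:
            return True, "granted by " + a.grantor
    return False, "; ".join(reasons) or "no matching assignment"


# Constructed data mirroring the slide's sentence.
DEAN_GRANT = Assignment(
    grantor="dean", grantee="medicine:principal-investigators",
    function="approve_purchase", resource="research_projects",
    scope="school:medicine", limit=100_000, prerequisite="training",
    until=date(2007, 1, 1), while_affiliation="faculty")

PI = Subject(id="pi1",
             groups=frozenset({"medicine:principal-investigators"}),
             affiliations=frozenset({"faculty"}),
             completed=frozenset({"training"}))
```

The denial reasons double as audit detail: they record which element of the privilege (prerequisite, scope, limit or condition) blocked the request.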

Generic Integration Architecture

Further Integration Tasks
• Automated loading of groups & privileges
• Authentication service
• Application-specific integration capabilities
• Site-specific LDAP schema
• Authoring/maintaining subsystem metadata
• Solution requisites
  • Which groups should be made available to the calendaring, email list, & wiki systems?
  • The Boss may need an automatic grant of a Signet privilege to manage his wiki space
  • Implementing service policies – Grouper naming stems & privileges or Signet privileges

Subject API: Site IAM Integration Requirements
• Subject - a person, group, application, or other type of object whose identity is managed by your IAM system
• Abstract the underlying technology and data model from a relying application
• Enable identifier namespaces to be selected to match application needs
  • Username vs. opaque registryID vs. …
• Scenarios
  • Map authenticated user to internal security principal
  • Reference/search objects within application

Subject API: Integration with Site’s IAM

Source Adapter Configuration
• Name the source & specify connection details
• Name the type or types of subjects residing there
• Identify attributes/columns distinguished as “subjectID”, “name” and “description”
• Specify back-end-specific searches for each type and each search method
  • Select
  • Search by identifier
  • Search
• Sites should make consistent assignment of source and type names across all source adapter instances
  • They are persisted by Subject API clients

Signet & Grouper Roadmaps
• Now available
  • Grouper v0.9. UI & API source release
  • Signet 1.0. UI, binary release
  • Subject API v0.1b
• Signet Roadmap
  • v1.1, ? 2006 – full API source release
  • v1.2, ? 2006 – rules processor
• Grouper Roadmap
  • v1.0, May 2006 – group math
  • v1.1, ? 2006 – group & membership aging
• Subject API
  • v1.0, ? 2006 – minor changes, updates to reference implementations

Resources & Participation
• Grouper
  • team: University of Chicago & University of Bristol
  • http://grouper.internet2.edu
• Signet
  • team: Stanford University
  • http://signet.internet2.edu
• Internet2 Middleware Initiative
  • http://middleware.internet2.edu/
  • Documents, software, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions