Introduction to Grouper (slide deck transcript)
Posted on 21-Dec-2015
![Slide 1](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/1.jpg)
Introduction to Grouper
![Slide 2](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/2.jpg)
Grouper story

• Open source, community-driven project of the Internet2 Middleware Initiative
• Initial release v0.5 in December 2004
• Grouper originally focused on robust management of groups, emphasizing:
  • Delegation and distributed management
  • Integration with most any existing IdM infrastructure. See case studies and campus contributions at https://spaces.internet2.edu/display/Grouper/Community+Contributions
• Grouper v2.0 provides a broader set of access management capabilities, including roles & permissions
  • Released 6 September 2011

October 2011
![Slide 3](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/3.jpg)
Access management is a process: making authZ more than authN

1. Start out using a single user attribute, affiliation, in LDAP or AD to let applications implement access policies
2. Enrich centralized access management using groups determined from systems of record
   • Courses, financial accounts, departments
   • Define service-specific access policies in the central IAM system
3. Get central IT out of the loop
   • Distributed management
   • Exceptions
   • Departmental apps
4. Increase integration of access management
   • Direct application integration with web services
   • ESB/SOA, REST/SOAP
   • Roles & privileges to support applications more deeply
![Slide 4](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/4.jpg)
Grouper: core concepts

(Diagram) Folders arranged in hierarchies; a group with its direct members; a subgroup nested in a group, whose members become indirect members of the parent; and composite groups, shown as one group defined as the union (∪) of two others.
![Slide 5](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/5.jpg)
Security & delegation in Grouper

(Diagram) Delegation of privileges at two levels:
• On a folder: create groups, create subfolders
• On a group: admin, update membership, read membership, view group, opt-in, opt-out
![Slide 6](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/6.jpg)
Beyond groups

(Diagram) Attributes, roles and permissions, each backed by a definition: an attribute definition for attributes and a permission definition for permissions. Roles support role inheritance. The delegation model for these objects extends the one for groups.
![Slide 7](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/7.jpg)
Access management lifecycle support

• Membership start & end times (optional)
• Move or copy folders, groups, etc.
• User audit
• Point-in-time audit
• Rules
![Slide 8](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/8.jpg)
Grouper components as of v2.0

(Architecture diagram; the labels recoverable from it:)
• Grouper database, with the Java API, Rules, Audit, External users and Changelog layered on it
• Grouper Shell (gsh) and XML scripts
• Web Services (REST and SOAP over HTTPS) and the Grouper Client
• UIs: membership, attributes, roles & permissions, admin, invitation
• Grouper Loader, pulling from Systems of Record
• Subject API with JNDI Source Adapter and JDBC Source Adapter
• LDAP Provisioning Connector writing to LDAP/AD (persons, orgs), alongside Identity Management, read by a Shibboleth IdP and SP (SAML) and by applications
• Grouper Data Connector, labelled Real-Time, with XMPP, HTTPS and ESB transports
• Kuali Connector (Kuali Rice) and Atlassian Connector, both over REST
![Slide 9](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/9.jpg)
New and improved in Grouper v2.0

| Feature | Description |
| --- | --- |
| Rules | Execute built-in actions and expression language to add business logic to Grouper actions |
| Attribute and Permissions UIs | Ajax-y UIs to define, view, and assign attributes and permissions |
| Permission Disallow | To manage inheritance of permissions via Role, Resource, or Action hierarchies |
| Permission Limits | Built-in Policy Decision Point that combines run-time context with permissions to produce Allow/Deny |
| Point in Time Audit | Query Grouper's state at a previous time |
| External Subjects | Invitation processes leverage federation to let external Subjects be given group memberships and permissions |
| Syncing Groupers | Federate groups between two Groupers |
| Member Search & Sort | Selective Subject attribute caching for improved sorting and searching capability and speed |
| LdappcNG enhancement | Improved performance through caching |
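The Permission Disallow, Permission Limits and role inheritance features in the table describe a policy decision: which of several allow/disallow assignments applies to a subject, resource and action, and whether run-time context satisfies the limits on it. The Python below is an added toy model of that decision, not Grouper's own code. Every role, resource, action, subject and limit in it is constructed, and the precedence rule it applies (the assignment nearest the subject's role wins, then nearest the resource, then nearest the action, with a disallow winning a tie) is a simplification that should be checked against Grouper's documented priority rules before being relied on.

```python
"""Toy policy decision point (PDP) modelling Grouper v2.0 roles and permissions:
role inheritance, permission allow/disallow along role, resource and action
hierarchies, and permission limits evaluated against run-time context.
Added example, not Grouper code.  All names are constructed, and the
precedence rule (nearest role, then resource, then action; disallow wins a
tie) is an assumption made for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


class Hierarchy:
    """Maps each node to the broader node whose assignments also apply to it:
    a role to the role it inherits from, a resource to its parent resource,
    an action to the action that implies it."""

    def __init__(self, broader=None):
        self.broader = dict(broader or {})

    def chain(self, node):
        out = []
        while node is not None:
            out.append(node)
            node = self.broader.get(node)
        return out                       # node, then each broader node in turn

    def distance(self, assigned, requested):
        """How far 'assigned' sits above 'requested' (0 = assigned directly);
        None when the assignment does not reach the requested node."""
        c = self.chain(requested)
        return c.index(assigned) if assigned in c else None


@dataclass
class Assignment:
    role: str
    resource: str
    action: str
    allow: bool                                   # False = permission disallow
    limits: list = field(default_factory=list)    # callables: context -> bool


class PolicyDecisionPoint:
    def __init__(self, roles, resources, actions):
        self.roles, self.resources, self.actions = roles, resources, actions
        self.membership = {}                      # role -> set of subjects
        self.assignments = []

    def add_member(self, role, subject):
        self.membership.setdefault(role, set()).add(subject)

    def assign(self, role, resource, action, allow, limits=()):
        self.assignments.append(Assignment(role, resource, action, allow, list(limits)))

    def role_distance(self, subject, role):
        """Role inheritance: a subject holding a role also holds every role it
        inherits from; return the nearest distance, or None if never held."""
        held = [r for r, subs in self.membership.items() if subject in subs]
        ds = [d for r in held for d in [self.roles.distance(role, r)] if d is not None]
        return min(ds) if ds else None

    def decide(self, subject, resource, action, ctx=None):
        ctx = ctx or {}
        best = None                               # (priority key, assignment)
        for a in self.assignments:
            dist = (self.role_distance(subject, a.role),
                    self.resources.distance(a.resource, resource),
                    self.actions.distance(a.action, action))
            if None in dist:
                continue                          # assignment does not reach this request
            key = dist + (0 if not a.allow else 1,)   # lower = more specific; disallow wins ties
            if best is None or key < best[0]:
                best = (key, a)
        if best is None or not best[1].allow:
            return "Deny"                         # default deny, or a disallow won
        # Permission limits: the winning allow holds only if every limit passes now.
        return "Allow" if all(limit(ctx) for limit in best[1].limits) else "Deny"


def build_demo():
    roles = Hierarchy({"payroll_admin": "payroll_clerk"})              # admin inherits clerk
    resources = Hierarchy({"payroll:view": "payroll", "payroll:approve": "payroll"})
    actions = Hierarchy({"read": "write"})                              # write implies read
    pdp = PolicyDecisionPoint(roles, resources, actions)
    pdp.add_member("payroll_clerk", "amy")
    pdp.add_member("payroll_admin", "tbarton")
    # Clerks may read anything under payroll, except that approvals are disallowed.
    pdp.assign("payroll_clerk", "payroll", "read", True)
    pdp.assign("payroll_clerk", "payroll:approve", "read", False)
    # Admins may write payroll, but only from the campus network and below a cap.
    pdp.assign("payroll_admin", "payroll", "write", True, limits=[
        lambda ctx: ctx.get("amount", 0) <= 50_000,
        lambda ctx: ip_address(ctx.get("ip", "0.0.0.0")) in ip_network("10.0.0.0/8"),
    ])
    return pdp


if __name__ == "__main__":
    pdp = build_demo()
    print(pdp.decide("amy", "payroll:view", "read"))
    print(pdp.decide("amy", "payroll:approve", "read"))
    print(pdp.decide("tbarton", "payroll:approve", "write", {"amount": 1000, "ip": "10.1.2.3"}))
    print(pdp.decide("tbarton", "payroll:approve", "write", {"amount": 60000, "ip": "10.1.2.3"}))
```

Two behaviours are worth noticing when running it: the disallow on payroll:approve beats the broader allow on payroll for the clerk because it is closer to the requested resource, and tbarton's direct admin assignment carries limits, so the same subject gets Allow or Deny for the same request depending only on the amount and source address supplied as context. Under this model, an application that forgets to pass context gets the conservative answer.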
![Slide 10](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/10.jpg)
Tom Barton's UChicago group memberships

June 2011
![Slide 11](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/11.jpg)
Memberships become LDAP attributes

LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu:

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucismemberof: uc:org:nsit:integration:techag
ucismemberof: uc:org:nsit:srdirs
ucismemberof: uc:org:nsit:integration:iteco:wr
ucismemberof: uc:applications:confluence:NSIT:esx
ucismemberof: uc:org:nsit:integration:iteco:rd
ucismemberof: uc:applications:confluence:NSIT:Directors
ucismemberof: uc:org:nsit:staff
ucismemberof: uc:applications:confluence:NSIT:Everyone
ucismemberof: uc:org:nsit:integration:shib_group
ucismemberof: uc:applications:bulkmail:users
ucismemberof: uc:org:library:gnet:admins
ucismemberof: uc:applications:gnetid:admins
ucismemberof: uc:applications:wireless:authorized
ucismemberof: uc:applications:cmail:users:authorized
ucismemberof: uc:reference:affiliations:effective:staff
Highlighted on the slide: ucIsMemberOf: uc:org:nsit:srdirs, ucIsMemberOf: uc:reference:affiliations:effective:staff and ucIsMemberOf: uc:applications:vpn:authorized (the last of these is called out on the slide although the entry excerpt above does not list it).
![Slide 12](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/12.jpg)
UChicago VPN simple delegation example

Different groups, different authorities. The VPN only uses "vpn:authorized".

(Diagram) vpn:authorized is computed as an "eligible" group minus a "denied" group. The eligible side is fed by student, staff, postdoc, alum and hospital groups; the denied side by locked and closure groups. The authorities shown maintaining these inputs are the core business systems, the IRB, the IT Security Office team and the IdM system.
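The core-concepts slide earlier (folders, groups, direct and indirect members, composite groups) and this VPN policy fit together in the following added model. It is not Grouper's code; it is a small Python illustration of how a composite group such as vpn:authorized is derived from nested groups that different authorities maintain, and of what the "memberships become LDAP attributes" slide then reads off per subject. Apart from uc:applications:vpn:authorized and uc:reference:affiliations:effective:staff, which appear on the slides, every group name and subject below is constructed.

```python
"""Toy model of Grouper's core concepts (folders, groups, direct and indirect
members, composite groups) applied to the UChicago VPN policy on the slide.
Added illustration, not Grouper's own code.  Subjects and all group names
except uc:applications:vpn:authorized and
uc:reference:affiliations:effective:staff are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)               # eq=False keeps Group hashable by identity
class Group:
    name: str                      # fully qualified name; the folder is the prefix
    direct: list = field(default_factory=list)   # subjects (str) or subgroups (Group)
    composite: Optional[tuple] = None            # (left, op, right) for composite groups

    @property
    def folder(self) -> str:
        return self.name.rsplit(":", 1)[0]

    def members(self, seen=frozenset()) -> set:
        """Effective members: direct subjects plus the members of every nested
        subgroup (indirect members), or the result of the composite operation."""
        if self.name in seen:      # a group nested in itself contributes nothing further
            return set()
        seen = seen | {self.name}
        if self.composite:
            left, op, right = self.composite
            l, r = left.members(seen), right.members(seen)
            return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
        out = set()
        for m in self.direct:
            out |= m.members(seen) if isinstance(m, Group) else {m}
        return out

    def is_direct(self, subject: str) -> bool:
        return subject in self.direct


class Registry:
    def __init__(self):
        self.groups = {}

    def group(self, name, *members) -> Group:
        g = self.groups[name] = Group(name, list(members))
        return g

    def composite(self, name, left, op, right) -> Group:
        g = self.groups[name] = Group(name, composite=(left, op, right))
        return g

    def member_of(self, subject: str) -> list:
        """The values an LDAP provisioning step would write as ucIsMemberOf."""
        return sorted(n for n, g in self.groups.items() if subject in g.members())


def build_vpn_policy() -> Registry:
    r = Registry()
    aff = "uc:reference:affiliations:effective:"
    # Affiliation groups as fed from systems of record (constructed memberships).
    student = r.group(aff + "student", "amy", "ben")
    staff = r.group(aff + "staff", "tbarton", "cara")
    postdoc = r.group(aff + "postdoc", "dev")
    alum = r.group(aff + "alum", "eve")
    hospital = r.group(aff + "hospital", "fay")
    vpn = "uc:applications:vpn:"
    # 'eligible' nests the affiliation groups: their members are indirect members.
    eligible = r.group(vpn + "eligible", student, staff, postdoc, alum, hospital)
    # Different authorities maintain different denial groups (delegation):
    # one office owns 'locked', another owns 'closure'; neither touches 'authorized'.
    locked = r.group(vpn + "locked", "ben")
    closure = r.group(vpn + "closure", "eve")
    denied = r.group(vpn + "denied", locked, closure)
    # The VPN consults only this composite: eligible minus denied.
    r.composite(vpn + "authorized", eligible, "complement", denied)
    return r


def vpn_authorized(r: Registry) -> set:
    return r.groups["uc:applications:vpn:authorized"].members()


def lock_subject(r: Registry, subject: str) -> set:
    """Adding a subject to the delegated 'locked' group revokes VPN access
    without anyone editing 'authorized' itself."""
    r.groups["uc:applications:vpn:locked"].direct.append(subject)
    return vpn_authorized(r)


if __name__ == "__main__":
    reg = build_vpn_policy()
    print(sorted(vpn_authorized(reg)))
    print(reg.member_of("tbarton"))
    print(sorted(lock_subject(reg, "amy")))
```

The point to take from running it: ben is a member of eligible (indirectly, through student) yet absent from authorized, because the composite's complement removes everyone in denied. An application that reads the input groups instead of vpn:authorized would therefore grant access the IT Security Office has revoked; the single authoritative group is what the VPN should test, exactly as the slide says.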
![Slide 13](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/13.jpg)
UChicago applications managed by Grouper, so far

aams, Ad Astra, Bulkmail, Business Objects Enterprise, Chalk, CityRyde, Cmail, cnet, Confluence, Directory Administration, dmca, Facilities SIMS, gnetid, grouper, im, isx, IT Ecosystem, Lab School, LDAP, lists, Mail Forwarding, Microsoft Exchange, modem pool, myUChicago, online directory, password expiration, rt, Service Now, shibboleth, Statements portlet, SVN, tank, UC Groups, unifiedcomm, uPoV Monitor, versions, voip, vpn, web hosting, webproxy, Webshare, webspace, wireless
![Slide 14](https://reader036.vdocuments.site/reader036/viewer/2022062407/56649d6d5503460f94a4d410/html5/thumbnails/14.jpg)