Using Signet and Grouper for Access Management
DESCRIPTION
Using Signet and Grouper for Access Management. Tom Barton, University of Chicago; Lynn McRae, Stanford University. Identity & Access Management Reality: each person’s online activities are shaped by many Sources of Authority (SoAs): resource managers, program/activity heads, … (PowerPoint presentation)
TRANSCRIPT
Using Signet and Grouper for Access Management
Tom Barton, University of Chicago
Lynn McRae, Stanford University
2
Identity & Access Management Reality
• Each person’s online activities are shaped by many Sources of Authority (SoAs)
  • Resource managers
  • Program/activity heads
  • Other policy making bodies
  • Self
• Common middleware infrastructure should be operated centrally
  • So that departments/programs/activities are not obliged to build their own core middleware
• Management of the information it conveys should be distributed
  • Hook up all of those SoAs to the middleware
3
Connecting SoAs, Integrating with Existing Infrastructure
4
Relative Roles of Signet & Grouper
RBAC model (Grouper on the group side, Signet on the privilege side):
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
5
Nutshell Description of Grouper
• A mix of manual and automated processes manages a common Group Registry
  • Many sources of authority are reflected in group memberships
• Automated processes provision information from the Group Registry into LDAP, AD, directly into app-specific databases, or …
  • Wherever the value of the information warrants spending the resources to place it there
• Group management authority is delegatable
6
Grouper Groups
• Attributes of groups
  • Names: name, displayName, guid
  • Description
  • Members
  • The set of attributes can be extended to support groups with more specific purposes
• Subgroups, compound groups, and aging
• Stored in an RDBMS, the Group Registry
7
Grouper Namespaces
• Groups are created within namespaces
  • Scopes the authority to create and name groups
  • Supports distinct activities with their own authority
• Namespaces can be arranged hierarchically, for example:
  it         all central IT activities
  it:labs    manage computer labs
  bsd        all Bio Sci Division activities
  bsd:peds   Pediatrics resource access
8
Example: Groups for Lab Access
it:labs:eligible (manual)
  it:labs:whitelist (manual)
  uc:faculty (auto)
  uc:staff (auto)
  categories of entitled students (auto)
  time dependent student categories (auto)
it:labs:barred (manual)
  it:labs:blacklist (manual)
  categories of barred students (auto)
Allow access if “eligible” but not “barred”
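The lab-access rule on this slide worked as set algebra over namespaced groups, with subgroups, a time-dependent category and compound (union/complement) groups. This is an added illustration in Python, not Grouper's own API or code; the registry contents, the uc:* and student:* group names, the subject ids and the summer date range are all constructed.

```python
from datetime import date

# Constructed Group Registry. A plain group maps to its direct members (subject ids
# or subgroup names); a compound group is ("union", [groups]) or
# ("complement", left, right), meaning the members of left who are not in right.
REGISTRY = {
    "uc:faculty": {"afaculty"},                    # auto, loaded from HR
    "uc:staff": {"bstaff"},                        # auto, loaded from HR
    "student:entitled": {"cstudent", "dstudent"},  # auto, loaded from SIS
    "student:barred": {"fstudent"},                # auto, loaded from SIS
    "it:labs:whitelist": {"evisitor"},             # manual, lab managers
    "it:labs:blacklist": {"dstudent"},             # manual, lab managers
    "it:labs:eligible": ("union", ["it:labs:whitelist", "uc:faculty", "uc:staff",
                                   "student:entitled", "student:summer"]),
    "it:labs:barred": ("union", ["it:labs:blacklist", "student:barred"]),
    "it:labs:access": ("complement", "it:labs:eligible", "it:labs:barred"),
}
# Time-dependent student category: members only while the term is current.
TIMED = {"student:summer": ({"gstudent"}, date(2005, 6, 15), date(2005, 8, 31))}

def members(group, today, seen=frozenset()):
    """Effective membership of a group on a given date (date or ISO string),
    following subgroups and compound groups; a group already on the current
    evaluation path is skipped, so cycles cannot recurse forever."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    if group in seen:
        return set()
    seen = seen | {group}
    if group in TIMED:
        subjects, start, end = TIMED[group]
        return set(subjects) if start <= today <= end else set()
    spec = REGISTRY.get(group)
    if spec is None:
        return set()                               # unknown group contributes nobody
    if isinstance(spec, tuple) and spec[0] == "union":
        return set().union(*(members(g, today, seen) for g in spec[1]))
    if isinstance(spec, tuple) and spec[0] == "complement":
        return members(spec[1], today, seen) - members(spec[2], today, seen)
    result = set()
    for m in spec:                                 # direct members or subgroup refs
        result |= members(m, today, seen) if m in REGISTRY or m in TIMED else {m}
    return result

def lab_access(today):
    """Who may use the labs today: eligible but not barred."""
    return members("it:labs:access", today)

def is_member_of(subject, group, today):
    return subject in members(group, today)
```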
9
Data Flow & Grouper Roles in Computer Lab Access
[Diagram; labels present: LDAP entry (uid: jdoe, ucAffiliation: …, isMemberOf: …), SIS, HR, Lab Director, Lab Managers, Loaders, Grouper API, Person Registry, Group Registry, Grouper UI, lab, On-site staff.]
10
Grouper’s Privileges
• Access privileges
  • Who has what access (read, write) to a group’s attributes
• Naming privileges
  • Who can create a group in each namespace
  • Who can create a new namespace subordinate to an existing one
• Privilege interfaces are abstracted
  • Can use an external privilege management system, like Signet
• Grouper’s built-in privilege management
  • Subgroups, compound groups, and aging can be used to manage privileges with the built-in capability
11
Four Ways to Delegate Group Management
• Create a group and assign someone to manage its membership
• Create a group and assign someone to manage who manages the group’s membership and who can see what about the group
• Create a namespace and assign someone to manage who can create groups within it
• Allow Self to opt-in or opt-out of membership
12
Representing Membership in Operational Contexts
• Standards for the I2MI community
  • LDAP, SAML/Shibboleth: isMemberOf
  • LDAP: hasMember
• Preserving privacy/visibility
  • Representing access privileges in, e.g., LDAP
• Desirable local standards
  • Naming of groups & namespaces
  • Privacy classes
• Incremental update and referential integrity
13
Signet Overview
• Analysts define privileges in Signet in “business terms” and specify associated permissions.
• Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority.
• Signet internally maps assigned privileges into system-specific terms needed by applications.
• Privileges are exported, transformed, and provisioned into applications and infrastructure services.
14
Privileges Building Blocks
Business view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions
System view
• Permissions
  • Subject
  • Action
  • Resource
• Analysts define privileges in Signet in “business terms” and specify associated permissions.
15
Signet Components
Subsystems
• Define domains of ownership and responsibility
• Reflect real world boundaries
• Can be large or small
Example subsystems: Financial system, Student Administration, HR system, Network address plan management, Network access management, Research administration, Clinical resources, Person Registry, Signet (Privilege Registry), Grouper (Group Registry)
16
Business View
Subsystems contain…
• Functions: the things a person can do; what they are getting privileges for.
• Categories: provide a useful arrangement of functions within a subsystem, for reporting and ease of use.
• Limits: qualifiers and constraints for a privilege.
• Scope: organizational hierarchy governing distributed delegation.
17
Business View
[Diagram: example subsystems (Clinical Trial, Student Admin) with their categories (Protocol A, Administration, Course Support, Financial Aid) organizing functions (Patient Records, Materials Control, Manage Grant, Lab Access, Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts) and example limits (Which term, From Fund…, Read/Write, Hours, For school…, For fund…, Which campus, Qty/day, $ constraints). Categories are for organizing actions.]
18
Signet User Interface
• Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.
19
Systems View
Permissions
• Atomic units of control that map to specific access rules in systems.
• Include limits that must be evaluated when interpreting permissions.
Resources
• The target of a specific privilege; things that have access rules to control their use.
• Signet internally maps assigned privileges into system-specific terms needed by applications.
20
Business View Permissions
[Diagram: the Student Admin business view (categories Course Support and Financial Aid; functions Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts) mapped to resources (Calendar, Course, Facilities, Financial, Student) and their permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room).]
21
Systems Integration
Privileges document
• XML representation of privileges for an individual or group.
• Compatible with SAML and XACML representations of Subjects and Access Rules.
Integration
• Site-specific
• Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services.
22
Privileges Document
Signet Privileges document (not final)
<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectId>[email protected]</subj:SubjectId>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Subsystem>
    <SubsystemId>project-biox</SubsystemId>
    <Permission>
      <PermissionId>patient-record-access</PermissionId>
      <Resource>
        <ResourceId>research-records</ResourceId>
      </Resource>
      <Limit>
        <LimitId>protocol</LimitId>
        <LimitFunction>urn:oasis:names:tc:xacml:1.0:function:string-equal</LimitFunction>
        <LimitValue>2005-formula-b</LimitValue>
        <LimitValueType>http://www.w3.org/2001/XMLSchema#string</LimitValueType>
      </Limit>
    </Permission>
    <Permission>
      <PermissionId>approve-requisitions</PermissionId>
      <Resource>
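An added example, not Signet's own code, that parses a privileges document of this shape and evaluates the protocol limit with the XACML function the document names; the XML is the slide's sample completed so that it is well-formed, with the subject id and the second permission's resource as constructed placeholders. Limits whose function URN the evaluator does not know, and requests that omit a required limit value, are denied.

```python
import xml.etree.ElementTree as ET
SIG = "{http://middleware.internet2.edu/signet}"
SUBJ = "{http://middleware.internet2.edu/subject}"

# Constructed input: the slide's sample completed; subject id and second resource are placeholders.
PRIVILEGES_XML = """<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectId>jpoole@example.edu</subj:SubjectId>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Subsystem>
    <SubsystemId>project-biox</SubsystemId>
    <Permission>
      <PermissionId>patient-record-access</PermissionId>
      <Resource><ResourceId>research-records</ResourceId></Resource>
      <Limit>
        <LimitId>protocol</LimitId>
        <LimitFunction>urn:oasis:names:tc:xacml:1.0:function:string-equal</LimitFunction>
        <LimitValue>2005-formula-b</LimitValue>
        <LimitValueType>http://www.w3.org/2001/XMLSchema#string</LimitValueType>
      </Limit>
    </Permission>
    <Permission>
      <PermissionId>approve-requisitions</PermissionId>
      <Resource><ResourceId>placeholder-resource</ResourceId></Resource>
    </Permission>
  </Subsystem>
</Privileges>"""
# XACML 1.0 limit functions the evaluator understands; any other URN fails closed.
LIMIT_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal": lambda a, b: a == b,
}

def parse_privileges(xml_text):
    """Return (subject id, [(subsystem, permission, resource, [(limit id, fn, value)])])."""
    root = ET.fromstring(xml_text)
    perms = []
    for sub in root.findall(f"{SIG}Subsystem"):
        for p in sub.findall(f"{SIG}Permission"):
            limits = [(lim.findtext(f"{SIG}LimitId"), lim.findtext(f"{SIG}LimitFunction"),
                       lim.findtext(f"{SIG}LimitValue")) for lim in p.findall(f"{SIG}Limit")]
            perms.append((sub.findtext(f"{SIG}SubsystemId"), p.findtext(f"{SIG}PermissionId"),
                          p.findtext(f"{SIG}Resource/{SIG}ResourceId"), limits))
    return root.findtext(f"{SUBJ}Subject/{SUBJ}SubjectId"), perms

def is_permitted(perms, subsystem, permission, resource, context):
    """Permit only if the permission exists and every limit holds for context (limit id -> value)."""
    for sub_id, perm_id, res_id, limits in perms:
        if (sub_id, perm_id, res_id) == (subsystem, permission, resource):
            return all(LIMIT_FUNCTIONS.get(fn, lambda a, b: False)(context.get(lid), val)
                       for lid, fn, val in limits)
    return False
```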
23
Provisioning Permissions into Applications
[Diagram: the resources (Calendar, Course, Facilities, Financial, Student) and permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) carried in the Privileges document (Subject plus Permission elements) and provisioned into applications: Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student.]
24
Provisioning Permissions into Infrastructure
[Diagram: the same resources and permissions as on the previous slide, provisioned into the applications (Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student) and into the Directory as eduPersonEntitlement values.]
25
Other features
Assignments can be
• To an individual
• To a Group
• With/without ability to further delegate
Distributed delegation using organizational hierarchy
• Records “chain of command”
Proxy assignment
• Temporary granting of one’s privilege to another
26
Privileges Lifecycle
Conditions
• Provide automatic revocation of privileges
• Date controls: from date, until date
• Based on a person’s status and affiliation, e.g., as long as the person is at Stanford
Prerequisites
• Pre-conditions that must be met to activate privileges, e.g., training
27
Privilege Elements by Example
grantor:               By authority of the Dean
grantee (group/role):  principal investigators
prerequisite:          who have completed training
function:              can approve purchases
scope:                 in the School of Medicine
resource:              for research projects
limit:                 up to $100,000
conditions:            until January 1, 2006; as long as a faculty member at…
Privilege Lifecycle
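The privilege above as an evaluation, added here as an illustration rather than taken from Signet: each element becomes a field, and a request is allowed only while the grantee membership, prerequisite, conditions, scope and limit all hold, so a lapsed affiliation or a passed until-date revokes it automatically. The group name som:principal-investigators, the training identifier and the people are constructed.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Privilege:
    grantor: str              # "by authority of the Dean"
    grantee_group: str        # grantee as a group/role (constructed Grouper-style name)
    prerequisites: frozenset  # e.g. training that must be completed first
    function: str             # "can approve purchases"
    scope: str                # "in the School of Medicine"
    resource: str             # "for research projects"
    limit_amount: int         # "up to $100,000"
    until: date               # condition: until January 1, 2006
    affiliation: str          # condition: as long as a faculty member

@dataclass(frozen=True)
class Person:
    uid: str
    groups: frozenset         # group memberships, e.g. from Grouper
    affiliations: frozenset   # current affiliations from the person registry
    completed: frozenset      # training records

def is_active(priv, person, today):
    """Lifecycle check: live only while the grantee is in the role, prerequisites
    are met, the until-date has not passed and the affiliation condition still
    holds; when any of these stops being true the privilege is automatically revoked."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    return (priv.grantee_group in person.groups
            and priv.prerequisites <= person.completed
            and today < priv.until
            and priv.affiliation in person.affiliations)

def permits(priv, person, today, function, scope, resource, amount):
    """Decision for one request: active privilege, matching function, scope and
    resource, and an amount within the limit."""
    return (is_active(priv, person, today)
            and (function, scope, resource) == (priv.function, priv.scope, priv.resource)
            and 0 <= amount <= priv.limit_amount)

# Constructed instances of the slide's example and two people to test it against.
DEAN_GRANT = Privilege("Dean", "som:principal-investigators", frozenset({"purchasing-training"}),
                       "approve-purchases", "School of Medicine", "research-projects",
                       100_000, date(2006, 1, 1), "faculty")
PI = Person("jpoole", frozenset({"som:principal-investigators"}), frozenset({"faculty"}),
            frozenset({"purchasing-training"}))
LEFT_FACULTY = Person("rlee", frozenset({"som:principal-investigators"}), frozenset({"staff"}),
                      frozenset({"purchasing-training"}))
```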
28
[Diagram only; no text extracted.]
29
Subject API
• Common application need to look up people or other types of subjects
  • To search for and present them in a UI
  • To translate between different identifiers for the same object
  • Example: username and persistentID
• Subject API is a freestanding implementation meeting these needs. Site-configured …
  • Subject types: people & groups, and maybe applications, computers, policies, whatever
  • Sources for each site-specific subject type
  • Specific query syntax for abstract query types
30
Signet & Grouper Development
• Now available
  • Grouper API v0.5.5: basic group management by automation processes
  • Demo release of Signet v0.3 toolkit and UI
• June 2005
  • Grouper v0.6: initial UI release
  • Subject API: initial release
• September 2005
  • Signet: initial production-ready release
• Grouper team: U Chicago & U Bristol
• Signet team: Stanford University
31
Resources & Participation
• Grouper website: http://middleware.internet2.edu/dir/groups/grouper/
• Signet website: http://middleware.internet2.edu/signet/
• Internet2 Middleware Initiative: http://middleware.internet2.edu/
• Documents, tarballs, cvs
• Details for subscribing to mailing lists
• Conference call agendas & dialing instructions