Grouper: A Toolkit for Managing Groups
Tom Barton, Blair Christensen
University of Chicago
Outline
• The problem with groups
• Case study: U Chicago’s “USITE” computer labs
• Tour of Grouper
• USITE case study revisited
• Grouper project status
• Bonus round – personal groups
Groups facilitate …
• Customization – application UI tailored to the user’s affiliations with the organization
• Authorization
  • “Lightweight” – relationship info feeding access decisions
  • “Heavyweight” – assignment of structured privileges to groups
• Messaging, scheduling, & collaboration
• Departments, courses, programs, committees, teams, …
• POSIX naming services
Group management issues
• Coordinating many sources of information
• Provisioning groups in many locations
• Supporting several styles of access to group membership information
• Aging of groups and of memberships
• Use of subgroups vs. effective membership
• Referring to set-theoretic combinations of groups (compound groups)
• Privacy & visibility requirements
The USITE access problem
• Must control access to computers in labs independent of the ability to authenticate
• U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
• You’ll see “nsit” and “usite” in the names of things to follow
USITE access policy
• Students
  • 23 categories of current students
  • Some entitle USITE access, some disenfranchise, others fail to entitle
  • Time-of-year dependency for some categories
• Current faculty & staff are entitled
• Other more loosely affiliated people are not entitled
• Exceptional administrative admits and denies across all categories above
Use of group management
• Various elemental USITE-related categories of people are modeled as groups
• Subgroups are used to roll up effective admit or deny status
• Some groups are automatically managed, others manually
• Some roll-up groups are manually managed to deal with time dependency or change in access policy
Groups model for USITE access (diagram; the ACL is “shaded green but not red”)
Groups shown in the diagram:
• usite_eligible (manual)
• usite_barred (manual)
• admin_admit (manual)
• admin_deny (manual)
• uc:faculty (auto)
• uc:staff (auto)
• categories of barred students
• categories of entitled students
• time-dependent student categories
Management-related groups
• Management privileges for manually managed groups also need to be managed!
• So, more groups list who has what authority in managing the groups that mediate USITE access
  • Director of Learning Environments
  • Lab Managers
  • Student staff
Data flow & Grouper’s role in USITE access (diagram)
Components shown: Loaders, Grouper API, Grouper UI, lab, SIS, HR, Person registry, Group registry, LDAP (entry with uid: jdoe, ucAffiliation: …, isMemberOf: …), and the Dir. Learning Environments, Lab Managers and Student staff roles.
Grouper groups
• Stored in an RDBMS, the Group Registry
• Attributes of groups
  • Name
  • Description
  • Members
• Possible to extend the set of attributes to support groups with more specific purposes
Directory of groups
• Groups are created within a hierarchy of directories, like files within a computer’s directory system
• Directories are also named
• Sometimes need to use the full name of a group, like the full pathname of a file
  • Example: /nsit/usite/admin_admit
• The directory delimiter can be configured for different effect
  • Example: nsit:usite:admin_admit
Grouper privileges
• Access privileges – who has what access (read, write) to a group’s attributes
• Naming privileges – who can create a group or subdirectory in what part of the directory of groups
Access privileges
• VIEW group’s name in lists & can refer to it, e.g., make it a subgroup of another group
• READ basic information about a group
• UPDATE membership and administer VIEW, READ, & UPDATE privileges
• ADMIN can modify everything, including group name, description, & privileges, and can delete the group
• OPTIN can add self to the members list
• OPTOUT can remove self from the members list
Naming privileges
• STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
  • Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege
• CREATE a group in a given directory
Built-in privilege implementation
• All access & naming privileges can be assigned to individual members or to groups
• Subgroups, compound groups, and aging can be used to manage privileges
• Abstracted interfaces are presented for privilege management
• Sites can hook in their own privilege management and bypass Grouper’s built-in system
USITE revisited – Grouper’s role
• Make an “nsit:usite” directory in the group registry
• Groups created within it
  • dir_learning_env, lab_managers, student_staff
  • usite_eligible, usite_barred
  • admin_admit, admin_deny
• Give stem privilege for “nsit:usite” to the Director of Learning Environments
  • She can run her groups empire within
USITE group access privileges (unqualified names in the nsit:usite namespace; A = ADMIN, U = UPDATE, V = VIEW, R = READ)
• usite_eligible – A: dir_learning_env; V, R: all
• usite_barred – A: dir_learning_env; V, R: all
• admin_admit – U: usite_manage; V, R: usite_view
• admin_deny – U: usite_manage; V, R: usite_view
• uc:faculty – V, R: all
• uc:staff – V, R: all
• categories of barred students – V: all
• categories of entitled students – V: all
• time-dependent student categories – V: all
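As an added illustration (not Grouper’s own code) of the subgroup roll-up and the “shaded green but not red” USITE decision from the groups model above, together with the access privileges assigned to groups in this slide: a small in-memory registry that flattens subgroups into effective membership, resolves privileges granted to groups or to “all”, and evaluates a subject’s USITE access. The member ids, which leaf groups roll up into usite_eligible and usite_barred, and the rule that ADMIN implies every other privilege are assumptions made for the example.

```python
class Registry:
    """Toy group registry (added example, not Grouper's own code)."""
    def __init__(self):
        self.members = {}    # group -> direct member subject ids
        self.subgroups = {}  # group -> direct subgroup names
        self.privs = {}      # (group, privilege) -> grantees: subject ids, group names, or "all"
    def group(self, name, members=(), subgroups=()):
        self.members[name] = set(members)
        self.subgroups[name] = set(subgroups)
    def grant(self, group, priv, grantee):
        self.privs.setdefault((group, priv), set()).add(grantee)
    def effective_members(self, group, seen=None):
        # Flatten subgroups recursively; 'seen' guards against subgroup cycles.
        seen = set() if seen is None else seen
        if group in seen or group not in self.members:
            return set()
        seen.add(group)
        result = set(self.members[group])
        for sub in self.subgroups[group]:
            result |= self.effective_members(sub, seen)
        return result
    def is_member(self, subject, group):
        return subject in self.effective_members(group)
    def has_priv(self, subject, group, priv):
        # Assumption: ADMIN implies every other privilege; a grantee may be "all", a subject id or a group.
        grantees = self.privs.get((group, priv), set()) | self.privs.get((group, "ADMIN"), set())
        return any(g == "all" or g == subject or self.is_member(subject, g) for g in grantees)

def usite_access(reg, subject):
    # The ACL is "shaded green but not red": in an entitling group and in no barring group.
    green = any(reg.is_member(subject, g) for g in ("nsit:usite:usite_eligible", "nsit:usite:admin_admit"))
    red = any(reg.is_member(subject, g) for g in ("nsit:usite:usite_barred", "nsit:usite:admin_deny"))
    return green and not red

def build_demo():
    r = Registry()  # constructed sample data; roll-up structure and ids are assumptions
    r.group("uc:faculty", members={"prof1"})
    r.group("uc:students:entitled", members={"stu1", "stu2"})
    r.group("uc:students:barred", members={"stu2", "stu3"})
    r.group("nsit:usite:usite_eligible", subgroups={"uc:faculty", "uc:students:entitled"})
    r.group("nsit:usite:usite_barred", subgroups={"uc:students:barred"})
    r.group("nsit:usite:admin_admit", members={"visitor1"})
    r.group("nsit:usite:admin_deny", members={"prof1"})  # administrative deny overrides faculty status
    r.group("nsit:usite:dir_learning_env", members={"director"})
    r.group("nsit:usite:usite_manage", subgroups={"nsit:usite:dir_learning_env"})
    r.grant("nsit:usite:usite_eligible", "ADMIN", "nsit:usite:dir_learning_env")  # A:dir_learning_env
    r.grant("nsit:usite:admin_admit", "UPDATE", "nsit:usite:usite_manage")        # U:usite_manage
    r.grant("nsit:usite:admin_admit", "VIEW", "all")
    return r
```

A subject who is both entitled and barred (stu2) is denied, and an administrative deny (prof1) wins over an automatic faculty entitlement, which is the roll-up behaviour the slides describe.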
USITE group management privileges (unqualified names in the nsit:usite namespace)
Grouper v1 features
• API & UI for basic group management
  • Create, read, update, delete, import, export
• Distributed management
• Subgroups & compound groups
• Aging of groups and memberships
• Abstracted interfaces for
  • Group and directory privileges
  • Subject lookup
  • Last activity
Phases of Grouper v1 development
• Phase 1: Basic management and export functions
• Phase 2: Compound groups & Signet integration
• Phase 3: Aging of groups and memberships
• Phase 1 API available before end of year (2004, that is!)
Grouper deliverables
• U Chicago – Java API
• U Bristol – Java UI
• You – contributed loaders & connectors
• Subject Lookup implementation
  • jointly with the Signet project
• Group Registry creation scripts & sample batch import/export scripts
• Documentation
Grouper UI status
• Conceptual mock-up completed
• Modular design for look and feel
• Grouper & Signet UIs will “leave the factory floor” bearing an I2 family resemblance
Personal groups
• Any user can create groups named personal:username:groupname
• Good or evil?
  • Yeah! Low overhead to let everyone do groups
  • Booo! Valuable institutional data squirreled away in unknowable spaces that go away
• Configuration:
  • on/off
  • Root directory for the personal namespace (“personal” above)
Further info & participation
• MACE-Dir list
• MACE-Dir-groups conference calls
• http://middleware.internet2.edu/dir/groups