
Grouper: A Toolkit for Managing Groups


Presentation Transcript


  1. Grouper: A Toolkit for Managing Groups. Tom Barton, Blair Christensen, University of Chicago

  2. Outline • The problem with groups • Case study: U Chicago’s “USITE” computer labs • Tour of Grouper • USITE case study revisited • Grouper project status • Bonus round – personal groups

  3. Groups facilitate … • Customization – application UI tailored to user’s affiliations with the organization • Authorization • “Lightweight” - relationship info feeding access decisions • “Heavyweight” - assignment of structured privileges to groups • Messaging, scheduling, & collaboration • Departments, courses, programs, committees, teams, … • POSIX naming services

  4. Group management issues • Coordinating many sources of information • Provisioning groups in many locations • Supporting several styles of access to group membership information • Aging of groups and of memberships • Use of subgroups vs. effective membership • Referring to set theoretic combinations of groups (compound groups) • Privacy & visibility requirements

  5. The USITE access problem • Must control access to computers in labs independent of ability to authenticate • U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem • You’ll see “nsit” and “usite” in names of things to follow

  6. USITE access policy • Students • 23 categories of current students • Some entitle USITE access, some disenfranchise, others fail to entitle • Time of year dependency for some categories • Current faculty & staff are entitled • Other more loosely affiliated people are not entitled • Exceptional administrative admits and denies across all categories above

  7. Use of group management • Various elemental USITE-related categories of people are modeled as groups • Subgroups are used to roll-up effective admit or deny status • Some groups are automatically managed, others manually • Some roll-up groups are manually managed to deal with time dependency or change in access policy

  8. Groups model for USITE access (ACL is “shaded green but not red”). Diagram of the roll-up; only its labels survive in the transcript: • Manually managed roll-ups: usite_eligible, usite_barred, admin_admit, admin_deny • Automatically managed: uc:faculty, uc:staff • Feeder groups: categories of barred students, categories of entitled students, time dependent student categories
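The roll-up on this slide, as an added example (a model written for this page, not Grouper's API or code from the presentation): a registry whose members may be people or other groups, a recursive effective-membership function with a cycle guard, and the ACL computed as the union of the admitting groups minus the union of the barring groups. The sis:/uc: category names and all members are constructed sample data; reading the shading as "admitted = green, barred = red, red wins" and the exact subgroup wiring are assumptions, since the diagram itself is not in the transcript. The time-dependent toggle is the manual roll-up management slide 7 mentions.

```python
"""Slide 8's USITE roll-up as set arithmetic over groups with subgroups.

Added example that models the behaviour the slides describe; it is not
Grouper's own API or code.  The sis:/uc: category names and every member
are constructed sample data, and reading the diagram as
'ACL = union of the green groups minus union of the red groups' is an
assumption about the shading, which the transcript does not preserve.
"""

GROUP = "group:"   # a member string with this prefix is a subgroup reference


def sample_registry():
    """Constructed registry: auto-loaded categories plus the manual roll-ups."""
    return {
        # automatically managed, fed by loaders from SIS / HR
        "uc:faculty": {"fprof"},
        "uc:staff": {"sadmin"},
        "sis:student:enrolled": {"alice", "bob", "carol"},  # an entitled category
        "sis:student:on_leave": {"bob"},                    # a barred category
        "sis:student:summer_session": {"dave"},             # a time-dependent category
        # manually managed roll-ups in the nsit:usite directory
        "nsit:usite:usite_eligible": {
            GROUP + "uc:faculty",
            GROUP + "uc:staff",
            GROUP + "sis:student:enrolled",
            GROUP + "sis:student:summer_session",
        },
        "nsit:usite:usite_barred": {GROUP + "sis:student:on_leave"},
        "nsit:usite:admin_admit": {"erin"},   # exceptional administrative admit
        "nsit:usite:admin_deny": {"carol"},   # exceptional administrative deny
    }


def effective_members(registry, name, _seen=None):
    """Flatten subgroups recursively into the set of people.

    _seen guards against membership cycles (A contains B, B contains A),
    which a manually managed registry can otherwise acquire.
    """
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    people = set()
    for member in registry.get(name, set()):
        if member.startswith(GROUP):
            people |= effective_members(registry, member[len(GROUP):], seen)
        else:
            people.add(member)
    return people


def union_of(registry, names):
    """Effective membership of the union (a compound group) of several groups."""
    return set().union(*(effective_members(registry, n) for n in names))


GREEN = ("nsit:usite:usite_eligible", "nsit:usite:admin_admit")  # admitting
RED = ("nsit:usite:usite_barred", "nsit:usite:admin_deny")       # barring


def usite_acl(registry):
    """'Shaded green but not red': the admitting groups minus the barring ones."""
    return union_of(registry, GREEN) - union_of(registry, RED)


def set_time_dependent(registry, category, entitled):
    """Manual toggle of a time-dependent category in or out of usite_eligible."""
    ref = GROUP + category
    roll_up = registry["nsit:usite:usite_eligible"]
    if entitled:
        roll_up.add(ref)
    else:
        roll_up.discard(ref)


if __name__ == "__main__":
    reg = sample_registry()
    print(sorted(usite_acl(reg)))   # bob (on leave) and carol (admin_deny) are out
    set_time_dependent(reg, "sis:student:summer_session", False)
    print(sorted(usite_acl(reg)))   # summer session over: dave drops out as well
```

Because the barring side is subtracted after both sides are flattened, an exceptional deny beats membership in any entitled category, and a student who is both enrolled and on leave is barred; that is the behaviour the "green but not red" rule asks for, and the cycle guard is what keeps a mis-wired manual roll-up from hanging the evaluation.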

  9. Management related groups • Management privileges for manually managed groups also need to be managed! • So, more groups list who has what authority in managing groups that mediate USITE access • Director of Learning Environments • Lab Managers • Student staff

  10. Data flow & Grouper’s role in USITE access. Diagram; reconstructed from its labels: • Sources: SIS and HR feed the Person registry • Loaders populate the Group registry through the Grouper API • Dir. Learning Environments, Lab Managers and Student staff manage groups through the Grouper UI, which sits on the Grouper API • Provisioning: the Group registry is exported to LDAP (person entry with uid: jdoe, ucAffiliation: …, isMemberOf: …), which the lab consults

  11. Grouper groups • Stored in an RDBMS, the Group Registry • Attributes of groups • Name • Description • Members • Possible to extend the set of attributes to support groups with more specific purposes

  12. Directory of groups • Groups are created within a hierarchy of directories, like files within a computer’s directory system • Directories are also named • Sometimes need to use the full name of a group, like the full pathname of a file • Example: /nsit/usite/admin_admit • The directory delimiter can be configured for different effect • Example: nsit:usite:admin_admit

  13. Grouper privileges • Access privileges - who has what access (read, write) to a group’s attributes • Naming privileges - who can create a group or subdirectory in what part of the directory of groups

  14. Access privileges • VIEW group’s name in lists & can refer to it, e.g., make it a subgroup of another group • READ basic information about a group • UPDATE membership and administer VIEW, READ, & UPDATE privileges • ADMIN can modify everything, including group name, description, & privileges, and can delete the group • OPTIN can add self to the members list • OPTOUT can remove self from the members list

  15. Naming privileges • STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories • Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege • CREATE a group in a given directory

  16. Built-in privilege implementation • All access & naming privileges can be assigned to individual members or to groups • Subgroups, compound groups, and aging can be used to manage privileges • Abstracted interfaces are presented for privilege management • Sites can hook in their own privilege management and bypass Grouper’s built-in system

  17. USITE revisited – Grouper’s role • Make an “nsit:usite” directory in the group registry • Groups created within it • dir_learning_env, lab_managers, student_staff • usite_eligible, usite_barred • admin_admit, admin_deny • Give stem privilege for “nsit:usite” to the Director of Learning Environments • She can run her groups empire within

  18. USITE group access privileges (unqualified names in nsit:usite namespace; A, U, V, R abbreviate the ADMIN, UPDATE, VIEW and READ privileges) • usite_eligible: A: dir_learning_env; V, R: all • usite_barred: A: dir_learning_env; V, R: all • admin_admit: U: usite_manage; V, R: usite_view • admin_deny: U: usite_manage; V, R: usite_view • uc:faculty: V, R: all • uc:staff: V, R: all • each category of barred students: V: all • each category of entitled students: V: all • each time dependent student category: V: all
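The table above and the access and naming rules of slides 13 to 17, resolved in code as an added example (a model written for this page, not Grouper's built-in privilege implementation). Grants are keyed by group or directory name; a grantee may be a person, a group, or "all". Assumed here: the direct members of usite_manage and usite_view (their slide 19 table did not survive the transcript), the implication chain ADMIN > UPDATE > READ > VIEW, which the slides only hint at with "ADMIN can modify everything", and that STEM does not by itself confer CREATE, so the Director must delegate CREATE before anyone, herself included, can make a group in nsit:usite.

```python
"""Privilege resolution for the slide 18 table and the slide 15 naming rules.
Added example, not Grouper's built-in privilege implementation.  Assumed here:
the data structures; the direct members of usite_manage and usite_view (the
slide 19 table is missing from the transcript); the implication chain
ADMIN > UPDATE > READ > VIEW, which the slides only hint at with "ADMIN can
modify everything"; and that STEM does not by itself confer CREATE."""

GROUP = "group:"   # marks a grantee that is a group rather than a person
ALL = "all"        # the table's pseudo-grantee: every subject
ACCESS = ("VIEW", "READ", "UPDATE", "ADMIN", "OPTIN", "OPTOUT")
NAMING = ("CREATE", "STEM")

# Assumed implication chain; privileges not listed imply only themselves.
IMPLIES = {
    "ADMIN": {"ADMIN", "UPDATE", "READ", "VIEW"},
    "UPDATE": {"UPDATE", "READ", "VIEW"},
    "READ": {"READ", "VIEW"},
}

# Direct members of the management groups (constructed sample data).
MEMBERS = {
    "nsit:usite:dir_learning_env": {"director"},
    "nsit:usite:lab_managers": {"lmgr1"},
    "nsit:usite:student_staff": {"sstaff1"},
    "nsit:usite:usite_manage": {"director", "lmgr1"},
    "nsit:usite:usite_view": {"director", "lmgr1", "sstaff1"},
}


def table_grants():
    """Slide 18 access grants plus the slide 17 STEM grant, keyed by target name."""
    dle = GROUP + "nsit:usite:dir_learning_env"
    manage = GROUP + "nsit:usite:usite_manage"
    view = GROUP + "nsit:usite:usite_view"

    def public():                                   # the table's "V,R: all"
        return {"VIEW": {ALL}, "READ": {ALL}}

    return {
        "nsit:usite:usite_eligible": {"ADMIN": {dle}, **public()},
        "nsit:usite:usite_barred": {"ADMIN": {dle}, **public()},
        "nsit:usite:admin_admit": {"UPDATE": {manage}, "VIEW": {view}, "READ": {view}},
        "nsit:usite:admin_deny": {"UPDATE": {manage}, "VIEW": {view}, "READ": {view}},
        "uc:faculty": public(),
        "uc:staff": public(),
        "sis:student:on_leave": {"VIEW": {ALL}},    # a barred-student category
        "nsit:usite": {"STEM": {"director"}},       # naming privilege on the directory
    }


def is_grantee(subject, grantees):
    """Granted directly, granted to everyone, or granted to a group the subject is in."""
    if ALL in grantees or subject in grantees:
        return True
    return any(subject in MEMBERS.get(g[len(GROUP):], set())
               for g in grantees if g.startswith(GROUP))


def has_priv(grants, subject, target, priv):
    """True if the subject holds priv on target directly or by implication."""
    return any(priv in IMPLIES.get(held, {held}) and is_grantee(subject, grantees)
               for held, grantees in grants.get(target, {}).items())


def parent_stem(name, delim=":"):
    """Containing directory of a full name, or None at the top level."""
    return name.rsplit(delim, 1)[0] if delim in name else None


def can_create_group(grants, subject, full_name, delim=":"):
    """Creating a group needs CREATE on the containing directory; STEM is not enough."""
    parent = parent_stem(full_name, delim)
    return parent is not None and has_priv(grants, subject, parent, "CREATE")


def can_create_stem(grants, subject, full_name, delim=":"):
    """Creating a subdirectory needs STEM on the containing directory."""
    parent = parent_stem(full_name, delim)
    return parent is not None and has_priv(grants, subject, parent, "STEM")


def grant_naming(grants, actor, target, priv, grantee, delim=":"):
    """STEM on a directory lets its holder administer CREATE and STEM on that
    directory and on its immediate subdirectories, and nowhere else."""
    if priv not in NAMING:
        raise ValueError("not a naming privilege: " + priv)
    parent = parent_stem(target, delim)
    allowed = has_priv(grants, actor, target, "STEM") or (
        parent is not None and has_priv(grants, actor, parent, "STEM"))
    if allowed:
        grants.setdefault(target, {}).setdefault(priv, set()).add(grantee)
    return allowed


def grant_access(grants, actor, group, priv, grantee):
    """UPDATE holders may administer VIEW, READ and UPDATE; ADMIN holders anything."""
    if priv not in ACCESS:
        raise ValueError("not an access privilege: " + priv)
    allowed = has_priv(grants, actor, group, "ADMIN") or (
        priv in ("VIEW", "READ", "UPDATE") and has_priv(grants, actor, group, "UPDATE"))
    if allowed:
        grants.setdefault(group, {}).setdefault(priv, set()).add(grantee)
    return allowed
```

With `g = table_grants()`, `has_priv(g, "sstaff1", "nsit:usite:admin_admit", "READ")` is true through usite_view while the same call for UPDATE is false; `can_create_group(g, "director", "nsit:usite:lab_staff")` is false until she runs `grant_naming(g, "director", "nsit:usite", "CREATE", GROUP + "nsit:usite:lab_managers")`, after which lmgr1 can create there but sstaff1 still cannot. Granting to a group rather than a person is what slide 16 means by using subgroups to manage privileges: the grant stays put while the group's membership changes.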

  19. USITE group management privileges (unqualified names in nsit:usite namespace)

  20. Grouper v1 features • API & UI for basic group management • Create, read, update, delete, import, export • Distributed management • Subgroups & compound groups • Aging of groups and memberships • Abstracted interfaces for • Group and directory privileges • Subject lookup • Last activity

  21. Phases of Grouper v1 development • Phase 1: Basic management and export functions • Phase 2: Compound groups & Signet integration • Phase 3: Aging of groups and memberships • Phase 1 API available before end of year (2004, that is!)

  22. Grouper deliverables • U Chicago - Java API • U Bristol - Java UI • You – contributed loaders & connectors • Subject Lookup implementation • jointly with Signet project • Group Registry creation scripts & sample batch import/export scripts • Documentation

  23. Grouper UI status • Conceptual mock-up completed • Modular design for look and feel • Grouper & Signet UIs will “leave the factory floor” bearing an I2 family resemblance

  24. Personal groups • Any user can create groups named personal:username:groupname • Good or evil? • Yeah! Low overhead to let everyone do groups • Booo! Valuable institutional data squirreled away in unknowable spaces that go away • Configuration: • on/off • Root directory for personal namespace (“personal” above)
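The naming rule on this slide as a check a creation path could run, added here as an example (not Grouper code): the requested name must be exactly the configured root, the caller's own username and a group name, the root and delimiter come from configuration, and a switch disables the feature. The function name, the reason strings and the keyword parameters are assumptions.

```python
"""Check of a personal-group creation request under the slide 24 rules.

Added example, not Grouper code.  The slide fixes the rule: any user may
create groups named <root>:<username>:<groupname>, the feature can be
switched off, and the root directory is configurable.  The function
signature, the reason strings and the delimiter parameter are assumptions.
"""


def personal_group_check(full_name, authenticated_user, *, enabled=True,
                         root="personal", delim=":"):
    """Return (allowed, reason) for creating full_name as a personal group.

    A user may only create directly under their own personal stem, so a
    request naming another user's stem, a deeper path, an empty component,
    or a name outside the personal root is refused.
    """
    if not enabled:
        return False, "personal groups are switched off"
    parts = full_name.split(delim)
    if len(parts) != 3 or not all(parts):
        return False, "expected %s%s<username>%s<groupname>" % (root, delim, delim)
    root_part, user, _group = parts
    if root_part != root:
        return False, "not under the personal root %r" % root
    if user != authenticated_user:
        return False, "not the caller's personal namespace"
    return True, "ok"


if __name__ == "__main__":
    print(personal_group_check("personal:jdoe:studygroup", "jdoe"))      # (True, 'ok')
    print(personal_group_check("personal:asmith:studygroup", "jdoe"))    # refused
    print(personal_group_check("personal:jdoe:a:b", "jdoe"))             # refused: too deep
    print(personal_group_check("people/jdoe/studygroup", "jdoe",
                               root="people", delim="/"))                # (True, 'ok')
```

The username is compared against the authenticated subject rather than taken from the request, which is the check that keeps one user from creating, and later finding privileges over, groups in another user's personal space; the component count is checked before anything else so a name that smuggles in extra delimiters fails closed.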

  25. Further info & participation • MACE-Dir list • MACE-Dir-groups conference calls • http://middleware.internet2.edu/dir/groups
