240 likes | 255 Views
Learn about early adopters' patterns and criteria for distinguishing roles and groups-based access control vs. privilege management. Explore why both are essential, with updated documentation. Use cases from universities help illustrate practical applications.
E N D
Early Adopters / Deployers • Patterns and criteria for distinguishing roles and groups-based access control vs. privilege management. Why use one or the other, or more importantly, why do we need both? Updated documentation and presentation material will be offered for discussion and review. • Software to move data in and out of Signet and Grouper is not part of the core of either product, but is vital to connect them to your infrastructure. We'll have a technical design discussion on our basic JDBC and JNDI SourceAdaptor and emerging Subject API specification, and will explore how to make these configurable to a variety of specific needs.
Use Case: “Groups are good” • What • People create groups that have real-world meaning and can be used in many ways -- my staff, project team, board members, etc. • Grouper • Distributed model of managing such groups through delegated name stems • Personal groups? • Signet • Ability to assign privs to such groups • Apps • Those interested in using shared groups in general
Use Case: Stanford: WebAuth • What • Allow access to web pages based on group membership • Grouper (Stanford workgroup) • User managed groups • System managed groups (course and department affiliations) • WebAuth • Data provisioned to LDAP directory • Extends Apache “require group” directive in .htaccess file to refer to group references in Person LDAP entries
Use Case: Duke: Mailing Lists • What • “basic authorization and mailing list functionality” • Grouper • Subscribers • Roles, e.g., owner, maintainer? • Signet • ? • Application?
Use Case: Duke: Calendar groups • What • “basic authorization and mailing list functionality” • Grouper • Simple membership • How? • Signet • ???
Use Case: USC: Additional groups • What • Augment existing, beloved group management system to support delegated administration of groups • Grouper • Define basic inclusion/exclusion groups • Provisioned into LDAP • Nightly processor • Integrate Grouper groups with LDAP groups, apply group math
Use Case: U. Chicago: Instant Messaging • What • Instant messaging platform. The rosters would be automatically populated based on work group. • Grouper • Information that we keep on our users is not detailed enough to be used to group people into their individual work groups. Grouper would be used by the managers of the individual work groups to define who is in their group. • This data would then be read from the grouper db by a program which would provision the rosters of the relevant people in the IM server (directly to Jabber server? Via LDAP?)
Use Case: Others? • What • Wiki groups • Files (e.g., AFS pts groups) • Portal groups • Document sharing (e.g., Docushare) • CVS Groups • Ticket tracking (Wash)
Use Case: Cornell: GuestIDs • What • Guestids for people in a weekend course at the hotel school, or a class that uses the blackboard system, or someone that needs wireless access for some period of time, etc. • Grouper • All guests placed in a group (provisioned via LDAP) to which privs are assigned • Admins placed in a group (provisioned from PeopleSoft/HR, augmented by Admin adding people to same group) • Self-signup guest discussion list group (opt-in)
Use Case: Cornell: GuestIDs (cont) • Signet • Manage Admin access rights -- assignments to groups • Assign guest privileges to full guest group (campus bus) • … to individuals (weight room, blackboard, printing) (only to those with guestIDs / in guest group?) • With effective and expiration dates (managed by Signet) • Other stuff • GuestId expiration based on last service
Use Case: Cornell: WebFinacials • What • Manage access privileges for account, or for all accounts in department or unit • Grouper • Each department defined as group, using hierarchy naming and nesting • Capture account “membership” in departments or as subgroups in department stem • Signet • Assign level of priv (unit/dept) by scope • Qualify privilege by type (Labor,Gift,etc) & year (limits)
Use Case: Cornell: WebFinacials (cont) • Signet Prerequisite • Policy agreement (how recorded?)(rule condition) • Signet Exported permissions • Subject (person with privilege) • Resource (specific acct, groups of accts) • Action (view) is implicit • WebFinancials application • Can read account-level permission directly • Can map account request to a dept/uinit permission via “isMemberOf” • Would like direct query to a web services auth service
Use Case: Stanford: Financial Approver • What • Designate financial approvers for several electronic financial transactions • Signet (Stanford Authority) • Similar to WebFinancials • Uses administrative departmental hierarchy • All/some accounts for a department - or- all accounts for projects managed by a PI • Direct provisioning to Oracle Financials • “is an approver” is a testable fact (a role?)
Use Case: Brown: Course videos • What • Steve Carmody: I'd like to be able to say to Signet "give this course [members?] permission to view this video", and have Signet's ldap connector add an entitlement value to the group object [?] in our ldap directory that represents the course... • Grouper • ??? • Signet • Central accts office (root) delegates to [courseware that delegates to] TA for Course X the auth to manage video permissions for students in course X • The TA grants students authority to view specific videos - starting on … for 2 weeks
Use Case: USC: Portal Access Control • What • Investigate replacing internal Portal groups with Grouper/Signet management • Grouper • ??? • Signet • ???
Use Case: Chicago: Licensed software • What • Centrally managed software with variety of licensed software -- site-licensed, departmental/project/individaul usage. Eliminate physical distribution. • Grouper • Group per software package • Signet • Function with software as limit
Use Case:Chicago: Blackboard Collaboration • What • Setup tools to support collaboration for “organizations” or groups (in addition to classes) • Grouper • Registration. Organization liaison given group in which to maintain organization membership • Signet • Manage which tools are enabled for which organizations • Coordinates services across systems
Use Case: MyVocs • What • Could Grouper and Signet in myVocs expand the flexibity of group and role assignments across a large collection of distributed applications. If Grouper/Signet are integrated into myVocs they will be available to UABgrid. • NCSA and UAB are collaborating to integrate GridShib with myVocs. We are considering using Grouper as a source of attributes in myVocs, in particular, and VOs, in general. • Grouper • Signet • Shibboleth
Use Case: U. Missouri: Great Plains Network • What • Manage authorization for individuals or groups of users in a Virtual Organization that could span multiple institutions and identity management systems. The Great Plains Network (GPN) is developing a multi-institutional collaboration environment whose members comprise institutions/organizations that: • Utilize autonomous Identity Management systems operated by each institution from which GPN collaborators are employed (identified) • Each institution can provide resources (e.g., processing or storage) that can be shared among the participating parties using web based and grid computing technologies. • Participants (each person) must be provided with authorizations (e.g., edu entitlements) to use various GPN VO resources through their home organization, but managed in some fashion from the GPN VO. This would require pushing entitlement data into multiple IdM systems from an external entity, such as the GPN VO. The management overhead of authorizations must be kept at a minimum, yet provide institutional controls at several levels. • Participants authenticate themselves through their home institution and obtain "credentials" to access resources distributed throughout the VO community. There is not a single application or resource involved, but multiple applications and resources distributed among the participating institutions. Individuals may be granted collaborative access to none, some or all of the applications/resources offered by the VO.
Use Case: U. Missouri: Great Plains Network • Grouper • Each institution records V.O. membership locally; resulting “is member” attribute is released to cooperating insitutions (big issue is who has authority to make assertions) • Each institution records member role information locally (scientist? admin? where such exists), also as a shared attribute • All necessary roles are articulated as groups at each institution, whether they have local members or not. • Signet • Each institution assigned permissions to its own resources, either to individuals (known locally) or to groups • Signet could “learn” about people outside the local identity management software via login -- a useful concept?
Use Case: Wisconsin: Authorization Workflow • What • Replace paper-based authorization workflow • Grouper • ??? • Signet • Delegation of authority, distribution down an organization hierarchy
Use Case: UCDavis: Travel Expense • What • Manage expense approvals for Travel reimbursements • The new T&E system is a commercial product (Concur) being readied by the Accounting division. • Grouper • Define groups below departmental level for delegation • Signet • Seed/maintain expense-approval delegations, starting with small set of policy-based expense approvers (high-level administrators) who are readily identified. These top-level approvers delegate expense approval privileges for their organizational branch (or sub-branches) to various subordinates. • Delegations may be done down to a sub-departmental level, i.e., to +/- arbitrary groups of departmental employees. • Grantees may have limits on approval amounts different (lower) than that provided to grantors. • Operationally, export privileges to the T&E system. I've been told that this system has a web services interface. Details TBD. If Accounting thinks the Signet UI is not far along enough to meet their needs, we may need an interim application. At the moment I've mapped T&E concepts to a Signet subsystem, and am readying prototype data (orgs and people).
Use Case: U.Chicago: Computer Cluster Access • What • Express complex access policy in LDAP attributes that condition workstation login • Grouper function • Group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy • Whitelist & blacklist policy exception capability given to cluster administrators • Cluster admins tweak classifying hierarchy as needed • Signet function • None at present. Would be used if, for example, departments were to authorize access to their own computer labs