
Managing Authorization with Signet and Grouper

Explore the use of Signet and Grouper for managing groups, privileges, and permissions in an enterprise context. Learn how to connect different sources of authority and integrate with existing infrastructure.


Presentation Transcript


  1. Managing Authorization with Signet and Grouper
     Tom Barton, University of Chicago
     Lynn McRae, Stanford University

  2. Groups and Privilege management
     • Groups
       • Who someone is (identity)
       • Populations sharing a common characteristic
       • Institutional role, departmental, personal
     • Privileges
       • What someone can do (permissions)
       • Involved person, action, resource, context
     • Exploring Grouper and Signet…
       • Groups for eligibility & authorization
       • Privileges, policy & permissions

  3. Stone Age
     [diagram: individual users (Clark, Leo, George, Lois, Peter, Nick, Ed) listed directly on separate ACLs for Admin, Input and Reporting]

  4. Middle Ages
     [diagram: the same users collected into Functional Groups for Admin, Input and Reporting]

  5. Renaissance
     [diagram: “Role” Groups (Owner, Staff, Clients) mapped onto Admin, Input and Reporting]

  6. 20th century
     [diagram: Identity Management! Enterprise roles and affiliations (Staff, Faculty) feed Owner/Admin, Staff/Input and Client/Reporting]

  7. Groups Management
     [diagram: adds user-maintained groups (Admins, Staff, Clients) alongside enterprise affiliations (Faculty)]

  8. Something still missing
     [diagram: each application keeps its own access rules (Maint, View, Update, Delete, Check out, Submit) for Admin, Staff and Client]
     Each system … interprets policy … and sets access rules ... separately.

  9. Privilege Management
     [diagram: a central Policy / Access Manager holds Permissions (Manage, Read, ReadWrite, Reader, Author) for groups (Admins, Staff, Clients, Faculty) and Individuals; applications (Maint, Input, Reporting, View, Update, Delete, Check out, Submit) enforce them through a PEP]

  10. Identity & Access Management Reality
      • Each person’s online activities are shaped by many Sources of Authority (SoAs)
        • Institutional policy making bodies
        • Resource managers
        • Program/activity/project heads
        • Self
      • Management of the information it conveys should be distributed
        • Hook up all of those SoAs to the middleware
      • Common middleware infrastructure should be operated centrally
        • To not oblige departments/programs/activities to build their own core middleware

  11. Connecting SoAs, Integrating with Existing Infrastructure

  12. Relative Roles of Signet & Grouper
      • RBAC model
        • Users are placed into groups (aka “roles”)
        • Privileges are assigned to groups
        • Groups can be arranged into hierarchies to effectively bestow privileges
      • Grouper manages, well, groups
      • Signet manages privileges
      • Separates responsibilities for groups & privileges
      [diagram: Grouper / Signet]

  13. Grouper
      • Binary info – you’re either in some list or not
      • Identity- or affiliation-based access control or distribution
      • Identification layer of an encompassing access management scheme
      • Locally tweak or combine other groups
      Signet
      • Structured, qualified info – limits, conditions, scope, …
      • Oriented to individuals rather than roles
      • Human judgment and chain of authority essential for access decisions
      • Enable functional, not just technical, people to manage privileges
      • Supports policy control closer to source of authority
      • Audit requirements
      The duck test…

  14. Illustrative Use Cases: Blackboard Collaboration Support
      • What
        • Set up tools to support collaboration for “organizations” or groups (in addition to classes)
      • Grouper function
        • Registration. Organization liaison given group in which to maintain organization membership
      • Signet function
        • Manage which tools are enabled for which organizations
      • Coordinates services across systems

  15. Illustrative Use Cases: Computer Cluster Access
      • What
        • Express complex access policy in LDAP attributes that condition workstation login
      • Grouper function
        • Group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy
        • Whitelist & blacklist policy exception capability given to cluster administrators
        • Cluster admins tweak classifying hierarchy as needed
      • Signet function
        • None at present. Would be used if, for example, departments were to authorize access to their own computer labs

  16. Illustrative Use Cases: Expense Management System
      • What
        • Import user profile data into an EMS
      • Grouper function
        • Maintain EMS-specific organizational hierarchy
      • Signet function
        • Assign who gets approval priv for which parts of the EMS Org Hierarchy

  17. Nutshell Description of Grouper
      • Mix of manual and automation processes manage a common Group Registry
        • Stored in an RDBMS
        • Automation processes provision info from the Group Registry into LDAP, AD, directly into app-specific databases, wherever the value of the info warrants spending the resources to place it there
      • Two types of managed objects: groups and namespaces (or “naming stems”)
        • Groups are created/named within a namespace
      • Group management authority is delegatable
        • By group or by namespace

  18. Grouper Architecture

  19. Group Attributes

  20. Grouper Groups
      • Any “subject” can be a group member or privilegee
        • Persons, groups, site-defined subject types
        • Uses Subject API developed by Grouper+Signet teams
      • Subgroups (now), compound groups (v1.0), and aging (v1.1) of groups and memberships
      • Privileges
        • ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
      • Group attribute set can be site-extended

  21. Namespaces or Stems

  22. Grouper Namespaces
      • Groups are created within namespaces
        • Limits the authority to create and name groups
        • Support distinct activities with own authority
      • Namespaces can be arranged hierarchically
      • Privileges
        • STEM
          • Create subordinate namespaces
          • Assign privs for this namespace
        • CREATE – create groups in this namespace

  23. Example: Computer Cluster Access
      Allow access if “eligible” but not “barred”
      [diagram: group hierarchy feeding the eligible/barred decision; (auto) and (manual) mark how each group is populated]
      • it:labs:eligible (manual)
      • it:labs:barred (manual)
      • it:labs:whitelist (manual)
      • it:labs:blacklist (manual)
      • uc:faculty (auto)
      • uc:staff (auto)
      • categories of entitled students (auto)
      • categories of barred students (auto)
      • time dependent student categories (auto)

  24. Data Flow & Grouper Roles in Computer Cluster Access
      [diagram: SIS and HR feed the Person Registry; Loaders populate the Groups Registry through the Grouper API; the Groups Registry is provisioned into LDAP (uid: jdoe, ucAffiliation: …, isMemberOf: …); through the Grouper UI and Grouper API the Lab Director holds ADMIN, Lab Managers hold UPDATE and On-site staff hold READ]
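The cluster rule on slide 23 (eligible but not barred, with whitelist and blacklist exceptions) is easy to state and easy to get subtly wrong once the groups nest. The following is an added example, not Grouper code: it flattens a small constructed registry of nested groups (the group names are the slide's, the members and the nesting are sample data), evaluates the access rule, and produces the isMemberOf values that slide 24 shows being pushed to LDAP. The precedence it gives the exception lists (blacklist beats whitelist, whitelist beats the eligible/barred computation) is this example's assumption about how the lab director's lists are meant to work.

```python
"""Nested-group resolution and the cluster access rule (slide 23).

Added example, not code from the Grouper project. Group names are the
slide's; members and nesting are constructed sample data.
"""
from __future__ import annotations

# Constructed group registry. A member is either a person id or the name of
# another group (a Grouper subgroup). "auto" groups would be loaded from
# SIS/HR; "manual" groups are maintained by lab staff through the UI.
REGISTRY: dict[str, set[str]] = {
    "uc:faculty": {"ada"},
    "uc:staff": {"grace"},
    "uc:students:entitled": {"linus", "ken", "dennis"},     # entitled students (auto)
    "uc:students:barred:probation": {"ken"},                # barred category (auto)
    "uc:students:barred:expired-term": {"dennis"},          # time-dependent category (auto)
    "it:labs:eligible": {"uc:faculty", "uc:staff", "uc:students:entitled"},
    "it:labs:barred": {"uc:students:barred:probation", "uc:students:barred:expired-term"},
    "it:labs:whitelist": {"dennis"},   # director override: admit despite the expired term
    "it:labs:blacklist": {"grace"},    # director override: bar a staff member
}


def effective_members(group: str, registry=REGISTRY, _seen=None) -> set[str]:
    """Flatten a group to its person members, following subgroups.

    The cycle guard matters: admins can nest groups freely, and a group that
    transitively contains itself must not send the resolver into a loop.
    """
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    people: set[str] = set()
    for member in registry.get(group, set()):
        if member in registry:            # a subgroup: recurse into it
            people |= effective_members(member, registry, seen)
        else:
            people.add(member)
    return people


def cluster_access(person: str, registry=REGISTRY) -> bool:
    """Allow if eligible but not barred; blacklist and whitelist override in that order."""
    if person in effective_members("it:labs:blacklist", registry):
        return False
    if person in effective_members("it:labs:whitelist", registry):
        return True
    eligible = person in effective_members("it:labs:eligible", registry)
    barred = person in effective_members("it:labs:barred", registry)
    return eligible and not barred


def provision_attribute(person: str, registry=REGISTRY) -> list[str]:
    """The isMemberOf values a loader would write to the person's LDAP entry."""
    return sorted(g for g in registry if person in effective_members(g, registry))


if __name__ == "__main__":
    for uid in ("ada", "grace", "linus", "ken", "dennis", "mallory"):
        print(f"{uid:8} access={cluster_access(uid)} isMemberOf={provision_attribute(uid)}")
```

Note that the workstation only ever sees the flattened isMemberOf attribute, so the login rule on the workstation has to be kept in step with the precedence implemented here; a change to how the exception lists combine is a change to both.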

  25. Five Ways to Delegate Group Management
      • Create a group and assign someone to manage its membership (UPDATE)
      • Create a group and assign someone to manage who manages the group’s membership and who can see what about the group (ADMIN)
      • Create a namespace and assign someone to create groups within it (CREATE)
      • Create a namespace and assign someone to manage who can create groups within it (STEM)
      • Allow Self to OPTIN or OPTOUT of membership
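To see how the five delegation paths compose into a chain of authority, here is an added example (not Grouper's code) that enforces the group and namespace privileges named on slides 20, 22 and 25 over a tiny in-memory registry and records every change for audit. Two rules are this example's assumptions rather than statements from the slides: the creator of a group becomes its ADMIN, and the creator of a namespace gets STEM on it.

```python
"""Delegated group management: ADMIN/UPDATE/CREATE/STEM/OPTIN/OPTOUT as
enforced checks. Added example, not Grouper's implementation."""
from dataclasses import dataclass, field


class Denied(PermissionError):
    """Raised when the acting subject lacks the privilege an operation needs."""


@dataclass
class Registry:
    grants: dict = field(default_factory=dict)   # (object, privilege) -> set of subjects
    stems: set = field(default_factory=set)      # namespace names
    groups: dict = field(default_factory=dict)   # group name -> set of members
    audit: list = field(default_factory=list)    # who did what, in order

    def holds(self, actor, obj, priv):
        return actor in self.grants.get((obj, priv), set())

    def _require(self, actor, obj, *privs):
        if not any(self.holds(actor, obj, p) for p in privs):
            raise Denied(f"{actor} lacks {'/'.join(privs)} on {obj}")

    def grant(self, actor, obj, priv, subject):
        """Handing out privileges needs ADMIN on a group or STEM on a namespace."""
        if obj in self.groups:
            self._require(actor, obj, "ADMIN")
        elif obj in self.stems:
            self._require(actor, obj, "STEM")
        else:
            raise KeyError(obj)
        self.grants.setdefault((obj, priv), set()).add(subject)
        self.audit.append((actor, "grant", obj, priv, subject))

    def create_stem(self, actor, parent, name):
        """Path 4: STEM on the parent namespace allows subordinate namespaces."""
        self._require(actor, parent, "STEM")
        full = f"{parent}:{name}"
        self.stems.add(full)
        self.grants[(full, "STEM")] = {actor}     # assumption: creator administers it
        self.audit.append((actor, "create_stem", full))
        return full

    def create_group(self, actor, stem, name):
        """Path 3: CREATE on a namespace allows creating groups in it."""
        self._require(actor, stem, "CREATE")
        full = f"{stem}:{name}"
        self.groups[full] = set()
        self.grants[(full, "ADMIN")] = {actor}    # assumption: creator becomes ADMIN
        self.audit.append((actor, "create_group", full))
        return full

    def add_member(self, actor, group, subject):
        """Paths 1, 2 and 5: UPDATE or ADMIN on the group, or OPTIN by the subject itself."""
        if not (actor == subject and self.holds(actor, group, "OPTIN")):
            self._require(actor, group, "UPDATE", "ADMIN")
        self.groups[group].add(subject)
        self.audit.append((actor, "add_member", group, subject))

    def remove_member(self, actor, group, subject):
        if not (actor == subject and self.holds(actor, group, "OPTOUT")):
            self._require(actor, group, "UPDATE", "ADMIN")
        self.groups[group].discard(subject)
        self.audit.append((actor, "remove_member", group, subject))


def demo():
    """Chain of authority: root -> lab director -> lab manager -> self-service."""
    r = Registry()
    r.stems.add("it")
    r.grants[("it", "STEM")] = {"root"}                 # bootstrap: root owns the it: namespace
    r.create_stem("root", "it", "labs")
    r.grant("root", "it:labs", "CREATE", "director")    # director may create groups in it:labs
    g = r.create_group("director", "it:labs", "whitelist")
    r.grant("director", g, "UPDATE", "manager")         # manager maintains membership only
    r.add_member("manager", g, "dennis")
    r.grant("director", g, "OPTOUT", "dennis")          # dennis may leave on his own
    r.remove_member("dennis", g, "dennis")
    return r


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The manager in the demo can change membership but cannot grant UPDATE to anyone else, and cannot create a second group in it:labs; both attempts raise Denied, which is exactly the separation slide 25 is after.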

  26. Signet Privilege Management
      • Brings privilege information together in one place -- a “Privilege Registry”
      • Provides user access through a common UI, programmatic access through a common API
      • Defined independent of specific vendors, systems, releases or technologies
      • Provides central reporting, auditing, review
      • But distributed management, control

  27. Signet Overview
      • Analysts define privileges in Signet in “business terms” and specify associated permissions.
      • Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority.
      • Signet internally maps assigned privileges into system-specific terms needed by applications.
      • Privileges are exported, transformed, & provisioned into applications and infrastructure services.
      • Signet provides automated lifecycle controls

  28. Privileges Building Blocks
      • Analysts define privileges in Signet in “business terms” and specify associated permissions.
      [diagram: Business view: Subsystems, Categories, Functions, Scope, Limits, Prerequisites & Conditions. System view: Permissions (Subject, Action, Resource)]

  29. Signet Components: Subsystems
      • Define domains of ownership and responsibility
      • Reflect real world boundaries
      • Can be large or small
      [diagram: Signet (Privilege Registry) and Grouper (Group Registry) serving subsystems such as Financial system, Student Administration, HR system, Network access management, Research administration, Clinical resources, Subscription services]

  30. Business View: Subsystems contain…
      • Categories: provide useful arrangement of functions within a subsystem; for reporting, ease of use.
      • Functions: the things a person can do; what they are getting privileges for.
      • Limits: qualifiers, constraints for a privilege.
      • Scope: organizational hierarchy governing distributed delegation.

  31. Business View: organizing actions
      [diagram, by column: Subsystems (Student Admin, Clinical Trial); Categories (Course Support, Financial Aid, Grant Admin); Functions (Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts, Patient Records, Materials Control, Manage, Lab Access); Limits (Which term, Which campus, For school…, From Fund…, For fund…, Protocol A, Read/Write, Qty/day, $ constraints, Hours)]

  32. Signet User Interface
      • Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.

  33. Systems View
      • Signet internally maps assigned privileges into system specific terms needed by applications.
      • Permissions
        • Atomic units of control that map to specific access rules in systems.
        • Includes limits that must be evaluated when interpreting permissions.
      • Resources
        • The target of a specific privilege; things that have access rules to control their use.

  34. Business View → Resources/Permissions
      [diagram: business-view categories and functions on the left (Student Admin: Course Support with Add/Drop students, Schedule Classes, Process Applicants; Financial Aid with Award Scholarships, Manage Accounts) mapped to resources and permissions on the right: Calendar (reserve_time, view_schedules), Course (update_course_data), Facilities (reserve_room), Financial (view_fund_data, update_fund_data), Student (student_records, applicant_data)]

  35. Systems Integration
      • Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services.
      • Toolkit interface
        • Privileges document
          • XML representation of privileges for an individual or group.
          • Compatible with SAML and XACML representations of Subjects and Access Rules.
      • Integration
        • Site-specific
        • Provisioning connectors
        • LDAP access

  36. Privileges Document
      <Privileges xmlns="http://middleware.internet2.edu/signet">
        <subj:Subject id="jpoole@kitn.edu" xmlns:subj="http://middleware.internet2.edu/subject">
          <subj:SubjectType>person</subj:SubjectType>
          <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
        </subj:Subject>
        <Permission subsystem="biomed" id="patient-record-access">
          <Limit id="protocol">
            <LimitValue>2005-formula-a</LimitValue>
            <LimitValue>2005-formula-b</LimitValue>
          </Limit>
        </Permission>
        <Permission subsystem="biomed" id="approve-requisitions">
          <Limit id="spending-limit">
            <LimitValue>none</LimitValue>
          </Limit>
        </Permission>
      </Privileges>

  37. Provisioning Permissions into Applications (connectors)
      [diagram: a Privileges document (Subject plus Permissions) is delivered through each application's reporting interface or API: Calendar (reserve_time, view_schedules), CourseWare / Course (update_course_data), Space Mgmt / Facilities (reserve_room), Financials / Financial (view_fund_data, update_fund_data), Student (student_records, applicant_data)]

  38. Provisioning Permissions into Infrastructure (LDAP)
      [diagram: the same permissions (Calendar: reserve_time, view_schedules; Course: update_course_data; Facilities: reserve_room; Financial: view_fund_data, update_fund_data; Student: student_records, applicant_data) written to the Directory as eduPersonEntitlement values, from which Calendar, CourseWare, Financials, Reporting, Space Mgmt and Student read them]
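Slides 36 through 38 describe one document consumed two ways: by per-application connectors and by a directory via eduPersonEntitlement. The following added example (not Signet's toolkit) parses the slide's own Privileges document with the two namespaces it declares, routes each permission to a connector, and flattens permissions and limits into entitlement strings. The connector routing table and the `urn:mace:kitn.edu:signet:...` entitlement layout are constructed for this example (kitn.edu is taken from the subject id on the slide).

```python
"""Parse a Signet Privileges document and provision it to connectors and
to eduPersonEntitlement values. Added example, not Signet's own code."""
import xml.etree.ElementTree as ET

NS = {
    "sig": "http://middleware.internet2.edu/signet",
    "subj": "http://middleware.internet2.edu/subject",
}

# The sample document from slide 36, verbatim.
PRIVILEGES_XML = """<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject id="jpoole@kitn.edu" xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectType>person</subj:SubjectType>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Permission subsystem="biomed" id="patient-record-access">
    <Limit id="protocol">
      <LimitValue>2005-formula-a</LimitValue>
      <LimitValue>2005-formula-b</LimitValue>
    </Limit>
  </Permission>
  <Permission subsystem="biomed" id="approve-requisitions">
    <Limit id="spending-limit">
      <LimitValue>none</LimitValue>
    </Limit>
  </Permission>
</Privileges>"""

# Constructed routing table: which connector serves which subsystem.
CONNECTORS = {"biomed": "clinical-records-app"}


def parse_privileges(xml_text):
    """Return (subject, permissions). Each permission carries limits as {id: [values]}."""
    root = ET.fromstring(xml_text)
    subj = root.find("subj:Subject", NS)
    subject = {
        "id": subj.get("id"),
        "type": subj.findtext("subj:SubjectType", namespaces=NS),
        "name": subj.findtext("subj:SubjectName", namespaces=NS),
    }
    permissions = []
    for perm in root.findall("sig:Permission", NS):
        limits = {}
        for limit in perm.findall("sig:Limit", NS):
            # A LimitValue of "none" is a literal value the receiving system must
            # interpret (here: no spending cap); it is not the same as a missing Limit.
            limits[limit.get("id")] = [v.text for v in limit.findall("sig:LimitValue", NS)]
        permissions.append({"subsystem": perm.get("subsystem"),
                            "id": perm.get("id"), "limits": limits})
    return subject, permissions


def by_connector(permissions, routing=CONNECTORS):
    """Slide 37: group permission ids by the connector that provisions them.

    Permissions whose subsystem has no connector are collected under
    'unrouted' so a provisioning run can report them instead of dropping them.
    """
    out = {}
    for p in permissions:
        out.setdefault(routing.get(p["subsystem"], "unrouted"), []).append(p["id"])
    return out


def to_entitlements(permissions, prefix="urn:mace:kitn.edu:signet"):
    """Slide 38: one eduPersonEntitlement value per permission/limit/value combination."""
    values = set()
    for p in permissions:
        base = f"{prefix}:{p['subsystem']}:{p['id']}"
        if not p["limits"]:
            values.add(base)
        for limit_id, limit_values in p["limits"].items():
            for v in limit_values:
                values.add(f"{base}:{limit_id}:{v}")
    return sorted(values)


if __name__ == "__main__":
    subject, perms = parse_privileges(PRIVILEGES_XML)
    print(subject)
    print(by_connector(perms))
    for e in to_entitlements(perms):
        print("eduPersonEntitlement:", e)
```

Flattening limits into entitlement strings loses the structure a connector can keep, which is why the slide's LDAP route suits coarse checks while limit-sensitive decisions (which protocol, what spending cap) are better left to an application that reads the document itself.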

  39. Privileges Lifecycle
      • Signet provides automated lifecycle controls
      • Conditions
        • Provides automatic revocation of privileges
        • Date controls -- from date, until date
        • Based on person’s status, affiliation, etc. e.g., as long as person is at Stanford
      • Prerequisites
        • Pre-conditions that must be met to activate privileges e.g., training
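The lifecycle controls on slide 39 are worth seeing as one evaluation order, because the order decides what a provisioning run pushes out. The following is an added example, not Signet's code: each assignment carries a date window, an affiliation condition and a set of prerequisites, and a single function classifies it for a given day. The assignment shape, the state names and the sample data are constructed for this example.

```python
"""Lifecycle evaluation: date window, affiliation condition, prerequisites.
Added example, not Signet's implementation."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Assignment:
    subject: str
    privilege: str
    effective: Optional[date] = None        # "from date": not active before this
    until: Optional[date] = None            # "until date": expires after this
    while_affiliated: Optional[str] = None  # e.g. "stanford": revoked once the affiliation ends
    prerequisites: set = field(default_factory=set)  # e.g. {"hipaa-training"}


def assignment_state(a, today, affiliations, completed):
    """Classify one assignment as 'expired', 'revoked', 'pending' or 'active'.

    affiliations: subject -> set of current affiliations (from HR/SIS)
    completed:    subject -> set of satisfied prerequisites (e.g. training records)
    Order matters: an expired or revoked assignment stays that way even if the
    person later completes the training; only a new assignment reactivates it.
    """
    if a.until is not None and today > a.until:
        return "expired"
    if a.while_affiliated is not None and a.while_affiliated not in affiliations.get(a.subject, set()):
        return "revoked"
    if a.effective is not None and today < a.effective:
        return "pending"
    if a.prerequisites - completed.get(a.subject, set()):
        return "pending"
    return "active"


def active_privileges(assignments, today, affiliations, completed):
    """What a provisioning run should push out on a given day: active ones only."""
    return sorted(
        a.privilege for a in assignments
        if assignment_state(a, today, affiliations, completed) == "active"
    )


# Constructed sample: a faculty member with a clinical-records privilege that
# needs training and lasts one academic year, plus a standing approval privilege.
SAMPLE = [
    Assignment("jpoole", "biomed:patient-record-access",
               effective=date(2005, 10, 1), until=date(2006, 9, 30),
               while_affiliated="stanford", prerequisites={"hipaa-training"}),
    Assignment("jpoole", "biomed:approve-requisitions", while_affiliated="stanford"),
]
AFFIL = {"jpoole": {"stanford", "faculty"}}
TRAINING = {"jpoole": {"hipaa-training"}}

if __name__ == "__main__":
    for day in (date(2005, 9, 15), date(2005, 10, 15), date(2006, 12, 1)):
        print(day, active_privileges(SAMPLE, day, AFFIL, TRAINING))
```

Because the affiliation check reads live HR data, the same provisioning job that adds entitlements also removes them the day a person leaves; that is the "automatic revocation" the slide promises, and it only works if the job runs on a schedule rather than on request.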

  40. Other features
      • Assignments can be
        • To an individual
        • To a Group
        • With/without ability to further delegate
      • Distributed delegation using organizational hierarchy
        • Records “chain of command”
      • Proxy assignment
        • Temporary granting of one’s privilege to another

  41. Privilege Elements by Example
      [diagram: Privilege, Lifecycle]

  42. Subject API: Site IAM Integration Requirements
      • Subject - a person, group, application, or other type of object whose identity is managed by your IAM system
      • Abstract the underlying technology and data model from a relying application
      • Enable alternate identifier namespaces to be selected to match application needs
        • Username vs. opaque registryID vs. …
      • Scenarios
        • Map authenticated user to internal security principal
        • Reference/search objects within application

  43. Subject API:Integration with Site’s IAM

  44. Subject API: More Info
      • Subject and Source interface specs are at v0.1 – they may yet change
      • Searching
        • Some per-subjectType methods?
      • JDBC source adapter is included now, JNDI source adapter will be provided in a subsequent release
      • Grouper includes a GroupSourceAdapter that is a provider of ‘group’ subjectTypes from the Groups Registry
      • Subject API will not support the Join function
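The two Subject API scenarios on slide 42 (map an authenticated user to an internal principal; reference and search objects) and the group source adapter on slide 44 come down to a small adapter pattern. The following added example is a sketch of that pattern, not the Subject API's actual interface (the slide says the specs are at v0.1 and may change): an abstract Source with one adapter backed by a person table keyed by opaque id and one that exposes groups as subjects of type 'group', behind a manager that resolves usernames and fans out searches. Method names and the sample people and groups are constructed.

```python
"""Subject lookup through abstract Sources. Added example sketching the
pattern; not the Internet2 Subject API's interface or code."""
from abc import ABC, abstractmethod
from dataclasses import dataclass, field


@dataclass
class Subject:
    id: str                  # opaque, stable identifier from the source
    type: str                # 'person', 'group', ...
    name: str
    attributes: dict = field(default_factory=dict)


class Source(ABC):
    """One adapter per identity store (JDBC table, directory, Groups Registry)."""
    subject_type = "person"

    @abstractmethod
    def get_subject(self, subject_id): ...

    @abstractmethod
    def get_subject_by_identifier(self, identifier): ...

    @abstractmethod
    def search(self, query): ...


class PersonSource(Source):
    """Person registry: the opaque id is what applications should store in
    their own ACLs; the username is only an alternate identifier."""

    def __init__(self, rows):
        self._by_id = {r["id"]: r for r in rows}
        self._by_uid = {r["uid"]: r for r in rows}

    def _make(self, row):
        return Subject(row["id"], "person", row["name"],
                       {"uid": row["uid"], "affiliation": row["affiliation"]})

    def get_subject(self, subject_id):
        row = self._by_id.get(subject_id)
        return self._make(row) if row else None

    def get_subject_by_identifier(self, identifier):
        row = self._by_uid.get(identifier)
        return self._make(row) if row else None

    def search(self, query):
        q = query.lower()
        return [self._make(r) for r in self._by_id.values() if q in r["name"].lower()]


class GroupSource(Source):
    """Groups Registry as a source of 'group' subjects (the slide's GroupSourceAdapter idea)."""
    subject_type = "group"

    def __init__(self, groups):
        self._groups = groups    # group name -> description

    def get_subject(self, subject_id):
        desc = self._groups.get(subject_id)
        return Subject(subject_id, "group", desc) if desc else None

    def get_subject_by_identifier(self, identifier):
        return self.get_subject(identifier)   # a group's name is its identifier

    def search(self, query):
        q = query.lower()
        return [Subject(n, "group", d) for n, d in self._groups.items()
                if q in n.lower() or q in d.lower()]


class SubjectManager:
    def __init__(self):
        self._sources = {}

    def register(self, name, source):
        self._sources[name] = source

    def resolve_principal(self, username, source_name="people"):
        """Map an authenticated username to the opaque principal an app stores."""
        return self._sources[source_name].get_subject_by_identifier(username)

    def get_subject(self, subject_type, subject_id):
        for s in self._sources.values():
            if s.subject_type == subject_type:
                found = s.get_subject(subject_id)
                if found:
                    return found
        return None

    def search(self, query):
        return [s for src in self._sources.values() for s in src.search(query)]


def build_demo():
    people = [   # constructed sample rows
        {"id": "R0001", "uid": "jdoe", "name": "Doe, John", "affiliation": "staff"},
        {"id": "R0002", "uid": "jpoole", "name": "Poole, Jean M.", "affiliation": "faculty"},
    ]
    groups = {"it:labs:whitelist": "Lab access whitelist", "uc:faculty": "Faculty"}
    m = SubjectManager()
    m.register("people", PersonSource(people))
    m.register("groups", GroupSource(groups))
    return m
```

Storing the opaque id rather than the username is the point of the indirection: a renamed or recycled username then cannot inherit an old principal's privileges, because the application's ACLs never referred to the username in the first place.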

  45. Signet & Grouper Roadmaps
      • Now available
        • Grouper v0.6. Basic group management, full GUI
        • Demo release of Signet v0.5 toolkit and UI
      • Signet Roadmap
        • v0.6, early October 2005 – designated drivers, history
        • v1.0, late November 2005 – lifecycle conditions, XML
        • v1.x Toolkit / API release
      • Grouper Roadmap
        • v0.9, mid-November 2005 - internal refactoring, some enhancement
        • v1.0, mid-January 2006 – compound groups
        • v1.1, mid-March 2006 – group & membership aging

  46. Resources & Participation
      • Grouper
        • team: University of Chicago & University of Bristol
        • http://middleware.internet2.edu/dir/groups/grouper/
      • Signet
        • team: Stanford University
        • http://middleware.internet2.edu/signet/
      • Internet2 Middleware Initiative
        • http://middleware.internet2.edu/
        • Documents, tarballs, cvs
        • Details for subscribing to mailing lists
        • Conference call agendas & dialing instructions
