
Introduction to Grouper Part 2: Grouper’s Core Access Management Capabilities

Tom Barton, University of Chicago and Internet2, Manager – Grouper Project.


Presentation Transcript


  1. Introduction to Grouper Part 2: Grouper’s Core Access Management Capabilities • Tom Barton, University of Chicago and Internet2, Manager – Grouper Project

  2. Grouper: core concepts • Folders in hierarchies • Group • Direct members • Subgroup • Indirect members • Composite groups (diagram symbols: =, U)

  3. Security & delegation • Create groups • Create subfolders • Admin • Update membership • Read membership • View group • Opt-in • Opt-out (diagram label: Delegation)

  4. Beyond groups • Attributes • Role inheritance • Roles • Permissions • Delegation model extends that for Groups • Attribute definition • Permission definition

  5. Access management lifecycle support • Membership start & end times • Move or copy folders, groups, etc • Rules • User audit • Point in time audit

  6. Tom Barton’s UChicago group memberships

  7. Memberships become LDAP attributes

         dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
         ucismemberof: uc:org:nsit:integration:techag
         ucismemberof: uc:org:nsit:srdirs
         ucismemberof: uc:org:nsit:integration:iteco:wr
         ucismemberof: uc:applications:confluence:NSIT:esx
         ucismemberof: uc:org:nsit:integration:iteco:rd
         ucismemberof: uc:org:nsit:staff
         ucismemberof: uc:org:nsit:integration:shib_group
         ucismemberof: uc:applications:bulkmail:users

     LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu

         ucIsMemberOf : uc:org:nsit:srdirs
         ucIsMemberOf : uc:reference:affiliations:effective:staff
         ucIsMemberOf : uc:applications:vpn:authorized

  8. UChicago VPN simple delegation example • Different groups, different authorities • VPN only uses “vpn:authorized” (diagram labels: IdM system, Core business systems, IRB, IT Security Team, IRB Office, eligible, denied, staff, student, postdoc, closure, locked, vpn:authorized; diagram symbols: −, =)

  9. Thanks! Further information: • Infosheets, mail lists, wiki, downloads, etc.: www.internet2.edu/grouper • Grouper demo server: https://grouperdemo.internet2.edu/

  10. Next video in Grouper Online Training is: Introduction to Grouper Part 3: Grouper Toolkit Components. Click on title above, or go to Grouper Online Training Home at <URL>
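
Slides 7 and 8 state that memberships surface as LDAP attribute values and that the VPN consumes only “vpn:authorized”. The Python code below is an added example, not part of the presentation or of the Grouper project: it reads the membership attribute from the slide 7 entry text, makes the VPN decision on an exact match of that one group name, and computes a complement composite. Reading the slide 8 diagram as "eligible minus denied" is an assumption, and the subject names in ELIGIBLE and DENIED are constructed.

```python
# Added example: not code from the presentation. Entry text is copied from
# slide 7; the subjects in ELIGIBLE / DENIED are constructed for illustration.
VPN_GROUP = "uc:applications:vpn:authorized"  # full group name as shown on slide 7

SAMPLE_ENTRY = """\
dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucIsMemberOf : uc:org:nsit:srdirs
ucIsMemberOf : uc:reference:affiliations:effective:staff
ucIsMemberOf : uc:applications:vpn:authorized
"""

def memberships(entry_text, attr="ucismemberof"):
    """Return the set of group names carried in the membership attribute.

    Handles plain-text "attribute: value" lines as printed on the slide.
    """
    groups = set()
    for line in entry_text.splitlines():
        # Split on the first colon only: group names themselves contain colons.
        name, sep, value = line.partition(":")
        # LDAP attribute names are case-insensitive (the slide shows both
        # "ucismemberof" and "ucIsMemberOf").
        if sep and name.strip().lower() == attr:
            groups.add(value.strip())
    return groups

def vpn_allowed(entry_text):
    """Exact match on the one group the VPN consumes; no prefix or substring tests."""
    return VPN_GROUP in memberships(entry_text)

def complement(eligible, denied):
    """Complement composite: members of `eligible` that are not in `denied`."""
    return set(eligible) - set(denied)

# Assumption: slide 8's diagram means vpn:authorized = eligible minus denied.
ELIGIBLE = {"tbarton", "astudent", "bpostdoc"}   # constructed subjects
DENIED = {"astudent"}                            # constructed subject
AUTHORIZED = complement(ELIGIBLE, DENIED)

if __name__ == "__main__":
    print(sorted(memberships(SAMPLE_ENTRY)))
    print("VPN allowed:", vpn_allowed(SAMPLE_ENTRY))
    print("vpn:authorized =", sorted(AUTHORIZED))
```

Because the consuming service tests a single exact group name, the authorities that maintain the eligible and denied groups can change their memberships without any change on the VPN side.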
