310 likes | 325 Views
This article discusses the use of Signet and Grouper for access management in online activities, highlighting their role in connecting various sources of authority and managing privileges and groups.
E N D
Using Signet and Grouper for Access Management Tom Barton, University of Chicago Lynn McRae, Stanford University
Identity & Access Management Reality • Each person’s online activities are shaped by many Sources of Authority (SoAs) • Resource managers • Program/activity heads • Other policy making bodies • Self • Common middleware infrastructure should be operated centrally • To not oblige departments/programs/activities to build their own core middleware • Management of the information it conveys should be distributed • Hook up all of those SoAs to the middleware
Relative Roles of Signet & Grouper • RBAC model • Users are placed into groups • Privileges are assigned to groups • Groups can be arranged into hierarchies to effectively bestow privileges • Signet manages privileges • Grouper manages, well, groups Grouper Signet
Nutshell Description of Grouper • Mix of manual and automation processes manage a common Group Registry • Many sources of authority are reflected in group memberships • Automation processes provision info from the Group Registry into LDAP, AD, or directly into app-specific databases, or … • Wherever the value of the info warrants spending the resources to place it there • Group management authority is delegatable
Grouper Groups • Attributes of groups • Names: name, displayName, guid • Description • Members • Can extend the set of attributes to support groups with more specific purposes • Subgroups, compound groups, and aging • Stored in an RDBMS, the Group Registry
Grouper Namespaces • Groups are created within namespaces • Scopes the authority to create and name groups • Support distinct activities with own authority • Namespaces can be arranged hierarchically it all central IT activities it:labs manage computer labs bsd all Bio Sci Division activities bsd:peds Pediatrics resource access
Example: Groups for Lab Access categories of barred students (auto) time dependent student categories (auto) Allow access if “eligible” but not “barred” it:labs:barred (manual) it:labs:eligible (manual) it:labs:whitelist (manual) it:labs:blacklist (manual) uc:faculty (auto) uc:staff (auto) categories of entitled students (auto)
Data Flow & Grouper Roles in Computer Lab Access Loaders Grouper API Grouper UI Grouper API SIS lab HR Person Registry LDAP Group Registry Lab Director uid: jdoe ucAffiliation: … isMemberOf: … Grouper API Lab Managers On-site staff
Grouper’s Privileges • Access privileges • Who has what access (read, write) to a group’s attributes • Naming privileges • Who can create a group in each namespace • Who can create a new namespace subordinate to an existing one • Privilege interfaces are abstracted • Can use external privilege management system, like Signet • Grouper’s built-in privilege management • Subgroups, compound groups, and aging can be used to manage privileges with built-in capability
Four Ways to Delegate Group Management • Create a group and assign someone to manage its membership • Create a group and assign someone to manage who manages the group’s membership and who can see what about the group • Create a namespace and assign someone to manage who can create groups within it • Allow Self to opt-in or opt-out of membership
Representing Membership in Operational Contexts • Standards for the I2MI community • LDAP, SAML/Shibboleth: isMemberOf • LDAP: hasMember • Preserving privacy/visibility • Representing access privileges in, e.g., LDAP • Desirable local standards • Naming of groups & namespaces • Privacy classes • Incremental update and referential integrity
Signet Overview • Analysts define privileges in Signet in “business terms” and specify associated permissions. • Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority. • Signet internally maps assigned privileges into system-specific terms needed by applications. • Privileges are exported, transformed, and provisioned into applications and infrastructure services.
Business view Subsystems Categories Functions Scope, Limits Prerequisites & Conditions System view Permissions Subject Action Resource Privileges Building Blocks • Analysts define privileges in Signet in “business terms” and specify associated permissions.
Define domains of ownership and responsibility Reflect real world boundaries Can be large or small Signet Components Subsystems Financial system Student Administration HR system Network address plan management Network access management Research administration Clinical resources Person Registry Signet (Privilege Registry) Grouper (Group Registry)
Business View • Subsystems contain… Functions The things a person can do; what they are getting privileges for. Categories • Provide useful arrangement of functions within a subsystem; for reporting, ease of use. Limits • Qualifiers, constraints for a privilege. • Scope • Organizational hierarchy governing distributed delegation.
Business View Course Support Add/Drop students Student Admin Which term Schedule Classes Which campus Process Applicants Financial Aid For school… Award Scholarships From Fund… Manage Accounts For fund… Patient Records Protocol A Clinical Trial Read/Write Materials Control Qty/day Manage Grant Administration $ constraints Lab Access Hours Categories Subsystems Functions Limits organizing actions
Signet User Interface • Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.
Systems View • Signet internally maps assigned privileges into system specific terms needed by applications. • Permissions • Atomic units of control that map to specific access rules in systems. • Includes limits that must be evaluated when interpreting permissions. Resources • The target of a specific privilege; things that have access rules to control their use.
Business View Permissions Calendar Student Admin reserve_time view_schedules Add/Drop students Course Support Course Schedule Classes update_course_data Facilities reserve_room Process Applicants Financial Aid Financial Award Scholarships view_fund_data Manage Accounts update_fund_data Student student_records applicant_data Business View Resources/Permissions
Systems Integration • Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services. • Privileges document • XML representation of privileges for an individual or group. • Compatible with SAML and XACML representations of Subjects and Access Rules. Integration • Site-specific
Privileges Document Signet Privileges document (not final) <Privileges xmlns="http://middleware.internet2.edu/signet"> <subj:Subject xmlns:subj="http://middleware.internet2.edu/subject"> <subj:SubjectId>jpoole@kitn.edu</subj:SubjectId> <subj:SubjectName>Poole, Jean M.</subj:SubjectName> </subj:Subjects> <Subsystem <SubsystemId>project-biox</SubsystemId> <Permission> <PermissionId>patient-record-access</ PermissionId > <Resource> <ResourceId>research-records</ResourceId> </Resource> <Limit> <LimitId>protocol</LimitId> <LimitnFunction>urn:oasis:names:tc:xacml:1.0:function:string-equal</LimitFunction> <LimitValue>2005-formula-b</LimitValue> <LimitValueType>http://www.w3.org/2001/XMLSchema#string</LimitValueType> </Limit> </Permission> <Permission> <PermissionId>approve-requisitions</SubsystemId> <Resource>
Provisioning Permissions into Applications Calendar Calendar reserve_time view_schedules CourseWare Course update_course_data <Privileges> <Subject> <Permission> <Permission> <Permission> Financials Facilities reserve_room Financial Reporting view_fund_data update_fund_data Space Mgmt Student student_records Student applicant_data
Provisioning Permissions into Infrastructure eduPersonEntitlement Calendar Calendar reserve_time view_schedules CourseWare Course Directory update_course_data Financials Facilities reserve_room Financial Reporting view_fund_data update_fund_data Space Mgmt Student student_records Student applicant_data
Assignments can be To an individual To a Group With/without ability to further delegate Distributed delegation using organizational hierarchy Records “chain of command” Proxy assignment Temporary granting of one’s privilege to another Other features
Privileges Lifecycle Conditions • Provides automatic revocation of privileges • Date controls -- from date, until date • Based on person’s status and affiliation, e.g., as long as person is at Stanford Prerequisites • Pre-conditions that must be met to activate privileges e.g., training
Privilege Elements by Example Lifecycle Privilege
Subject API • Common application need to lookup people or other types of subjects • To search for and present them in a UI • To translate between different identifiers for the same object • Example: username persistentID • Subject API is a freestanding implementation meeting these needs. Site-configured … • Subject types: people & groups, and maybe applications, computers, policies, whatever • Sources for each site-specific subject type • Specific query syntax for abstract query types
Signet & Grouper Development • Now available • Grouper API v0.5.5. Basic group management by automation processes • Demo release of Signet v0.3 toolkit and UI • June 2005 • Grouper v0.6 - initial UI release • Subject API - initial release • September 2005 • Signet - initial production-ready release • Grouper team: U Chicago & U Bristol • Signet team: Stanford University
Resources & Participation • Grouper website http://middleware.internet2.edu/dir/groups/grouper/ • Signet website http://middleware.internet2.edu/signet/ • Internet2 Middleware Initiative http://middleware.internet2.edu/ • Documents, tarballs, cvs • Details for subscribing to mailing lists • Conference call agendas & dialing instructions