390 likes | 571 Views
Access Management with Grouper. Tom Barton University of Chicago. Outline. Why build an access management tool? Grouper basics Implementation examples New features Grouper Roadmap. Why?. Lower cost by factoring access management out
E N D
Access Management with Grouper Tom BartonUniversity of Chicago
Outline • Why build an access management tool? • Grouper basics • Implementation examples • New features • Grouper Roadmap
Why? • Lower cost by factoring access management out • Simplify & make consistent by using one group in many places • Let the right people manage access, directly • See who can access what, in one place
Grouper: core concepts Folders in hierarchies Group Direct members Subgroup Indirect members • Composite groups • Custom attributes
Security & delegation • Create groups • Create subfolders • Admin • Update membership • Read membership • View group • Opt-in • Opt-out Delegation
What’s in a Grouper group? • Folder name • Names – one short, one display • GUID • Description • Members – opaque Subject references • Privilegees – opaque Subject references • Operational attributes
Grouper integration: Subject API • Uses: • Grab Subject’s attributes • Search for Subjects • Identifier crosswalk • JNDI & JDBC adapters provided • Plug-in interface for custom adapters
Grouper integration: LDAP provisioning connector • Push groups and/or memberships to LDAP • Variety of selection criteria • Configurable appearance of LDAP entries • Full & incremental provisioning modes now • Asynchronous updating planned
Grouper integration: Web Services • (SOAP, REST) x (Lite, Heavy) • Large fraction of java API is exposed • Authentication by container or Rampart • Basic, kerberos, X.509, SAML • actAs • .NET and PHP dev guides by U Newcastle
Grouper integration: Loader • Dynamically create and maintain memberships and systems of groups by SQL queries • Quartz-based service/daemon
Grouper Integration: Grouper Shell • Command line interface to java API & tools • XML import/export • Batch scripts • Low-level grouper system administration
Grouper integration:Hooks • 3rd party extension of key API events • Veto & notify • Group, Stem, Member, Membership, Composite, Field, GrouperSession, GroupType, GroupTypeTuple • preInsert, postInsert, postCommitInsert, preUpdate, postUpdate, postCommitUpdate, preDelete, postDelete, postCommitDelete • addMember, removeMember • LifecycleHooks
Memberships become LDAP attributes dn: uid=tbarton,ou=people,dc=uchicago,dc=edu ucismemberof: uc:org:nsit:integration:techag ucismemberof: uc:org:nsit:srdirs ucismemberof: uc:org:nsit:integration:iteco:wr ucismemberof: uc:applications:confluence:NSIT:esx ucismemberof: uc:org:nsit:integration:iteco:rd ucismemberof: uc:applications:confluence:NSIT:Directors ucismemberof: uc:org:nsit:staff ucismemberof: uc:applications:confluence:NSIT:Everyone ucismemberof: uc:org:nsit:integration:shib_group ucismemberof: uc:applications:bulkmail:users ucismemberof: uc:org:library:gnet:admins ucismemberof: uc:applications:gnetid:admins ucismemberof: uc:applications:wireless:authorized ucismemberof: uc:applications:cmail:users:authorized ucismemberof: uc:reference:affiliations:effective:staff LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu ucIsMemberOf : uc:org:nsit:srdirs ucIsMemberOf : uc:reference:affiliations:effective:staff ucIsMemberOf : uc:applications:vpn:authorized
UChicago: simple delegation examples • Wireless & VPN • Guest network ID management • Business Objects access • Different groups, different authorities eligible unauthorized ̶ staff = closure authorized student locked postdoc alum hospital
Brown University’s Course Group Schema • Course : [ Subject ] : [ Number ] : [ Term ] : [ Section ] • All • Administrator • Instructor (Provisioned) • TeachingAssistant • Manager • Contributor • ContentDeveloper • Mentor • Learner • Student (Provisioned) • Auditor • Vagabond • Schema is flattened to provision LDAP • 12 groups per course provision hasMember attribute in Groups OU • Person objects get isMemberOf pointers to groups
Just released … some capabilities are partial or “experimental” New in v1.5
Lite UI • AJAX components for simple end-user tasks • URL links directly to a group • Integrated within Grouper UI webapp • Two entry points: Admin UI & Lite UI • Admin UI uses new components too • More Lite UIs may be contributed by deployers
Audit • Who did what when … • Add/delete/update membership, group, folder, and Grouper privileges • Attribute definition & assignment • XML import • Move/copy group or folder • Audit reporting via Grouper Admin UI & Grouper Shell
Move & copy • Copy/move groups/folders to another folder • Why? • Template groups & template folders • Update organizational hierarchies • Old group name optionally continues to refer to moved group • Supported by Grouper Admin UI & Grouper Shell (Grouper-WS soon)
Notification • Near real time provisioning of group info • Group, membership, folder, and privilege changes • Serialized • Provided to registered consumers • SQL & API access to transactions • LDAP provisioning connector will use in v1.6
Attribute framework • Assign custom attributes to principal Grouper objects • Groups • Folders • Memberships • Attributes • Value types, multi-values, etc • Attributes are objects in folders, like groups, and their security model is similar to that of groups
Roles & permissions • Role extends Group, links Subjects with Permissions • Permission is a type of attribute assigned to a role or to a membership in a role • Has an Action qualifier, eg, Read or Write • Permission sets. Eg, organizational hierarchies • Superior roles inherit subordinate permissions
Grouper & Identity Services • Grouper’s roles & permissions are only low level capabilitiesin v1.5 • No high level interfaces have been implemented or even defined yet • Looking for help with that from MACE-Paccman and from partner sites • More later in this conference about Grouper and identity service interfaces in Kuali and in uPortal
Grouper roadmap • Current version is 1.5.1 • v1.6 • Flattened memberships optimize notifications • More attribute types • Ldappc-NG = shibboleth AA + SPMLv2 • Grouper-KIM connector • Subject Web Service • v2.0 • Point-in-time audit • Role management interface • uPortalintegration
MACE/Internet2 IAM work • Shibboleth • InCommon Federation • Grouper • Comanage • Identity services & application domestication • Privilege & access management • MACE-paccman working group • !Signet • Grouper to add some privilege management capability • MACE-directories working group • edu* schema, white papers, etc
Identity services activities & Higher Ed • MACE-paccman working group • Kuali Rice • OSS projects, some JA-SIG affiliated • Liberty, Identity Gang, etc • International efforts akin to MACE’s • Advanced CAMP June 2009 in Philly