
Access Management with Grouper



Presentation Transcript


  1. Access Management with Grouper
     Tom Barton, University of Chicago

  2. Why?
     • Lower cost by factoring access management out
     • Simplify & make consistent by using one group in many places
     • Let the right people manage access, directly
     • See who can access what, in one place

  3. Grouper: core concepts
     • Folders in hierarchies
     • Group: direct members
     • Subgroup: indirect members
     • Composite groups
     • Custom attributes

  4. Security & delegation
     Folder privileges:
     • Create groups
     • Create subfolders
     Group privileges:
     • Admin
     • Update membership
     • Read membership
     • View group
     • Opt-in
     • Opt-out
     Delegation
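The slide lists the privileges but not how delegation plays out, so here is a small model of it. This is an added example written for this page, not Grouper's own code: it models the group privileges named on the slide (admin, update, read, view, opt-in, opt-out), the rule that admin implies the weaker privileges, and the delegation pattern of granting a privilege to another group so that group's members hold it. The class and method names, the operation names and the sample group names and subjects are assumptions made for the example.

```python
"""Toy model of Grouper-style group privileges and delegation (added example)."""
from dataclasses import dataclass, field

# Which privileges authorise which operation on a group. The implication
# chain admin > update > read > view follows Grouper's documented privilege
# model; the operation names on the left are this example's own.
OPERATION_PRIVILEGES = {
    "view_group": {"admin", "update", "read", "view"},
    "read_membership": {"admin", "update", "read"},
    "update_membership": {"admin", "update"},
    "change_privileges": {"admin"},
}


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    # privilege name -> grantees; a grantee is a subject id or another group's name
    privileges: dict = field(default_factory=dict)


class Registry:
    def __init__(self):
        self.groups = {}

    def create_group(self, name, admin):
        """The creator becomes admin of the new group."""
        group = Group(name)
        group.privileges["admin"] = {admin}
        self.groups[name] = group
        return group

    def grant(self, actor, group_name, privilege, grantee):
        """Only an admin may assign privileges, so delegation itself is controlled."""
        if not self.allowed(actor, group_name, "change_privileges"):
            raise PermissionError(f"{actor} may not change privileges on {group_name}")
        self.groups[group_name].privileges.setdefault(privilege, set()).add(grantee)

    def has_privilege(self, subject, group_name, privilege):
        grantees = self.groups[group_name].privileges.get(privilege, set())
        if subject in grantees:
            return True
        # Delegated privilege: granted to a group, held by that group's members.
        return any(g in self.groups and subject in self.groups[g].members for g in grantees)

    def allowed(self, subject, group_name, operation):
        return any(self.has_privilege(subject, group_name, p)
                   for p in OPERATION_PRIVILEGES[operation])

    def add_member(self, actor, group_name, subject):
        """Update privilege lets you add anyone; opt-in only lets you add yourself."""
        self_service = actor == subject and self.has_privilege(actor, group_name, "optin")
        if not (self_service or self.allowed(actor, group_name, "update_membership")):
            raise PermissionError(f"{actor} may not add {subject} to {group_name}")
        self.groups[group_name].members.add(subject)

    def remove_member(self, actor, group_name, subject):
        """Update privilege lets you remove anyone; opt-out only lets you remove yourself."""
        self_service = actor == subject and self.has_privilege(actor, group_name, "optout")
        if not (self_service or self.allowed(actor, group_name, "update_membership")):
            raise PermissionError(f"{actor} may not remove {subject} from {group_name}")
        self.groups[group_name].members.discard(subject)


def demo():
    """Delegated management of a wireless-access group (constructed sample data)."""
    reg = Registry()
    wireless = "uc:applications:wireless:authorized"   # name taken from the LDAP slide
    helpdesk = "uc:org:nsit:helpdesk"                  # constructed group name
    reg.create_group(helpdesk, admin="tbarton")
    reg.create_group(wireless, admin="tbarton")
    # Hand day-to-day membership management to whoever is in the helpdesk group.
    reg.grant("tbarton", wireless, "update", helpdesk)
    reg.add_member("tbarton", helpdesk, "helpdesk1")
    # helpdesk1 now manages wireless membership without being an admin there.
    reg.add_member("helpdesk1", wireless, "student42")
    results = {
        "helpdesk_can_update": reg.allowed("helpdesk1", wireless, "update_membership"),
        "helpdesk_can_change_privs": reg.allowed("helpdesk1", wireless, "change_privileges"),
        "student_is_member": "student42" in reg.groups[wireless].members,
    }
    try:
        reg.add_member("student42", wireless, "student43")
        results["student_added_other"] = True
    except PermissionError:
        results["student_added_other"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the separation of duties it enforces: the helpdesk group can change who is authorized but cannot widen its own authority, because changing privileges needs admin, and an ordinary member can only ever act on their own membership through opt-in and opt-out.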

  5. Grouper integration

  6. Examples

  7. Memberships become LDAP attributes

     dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
     ucismemberof: uc:org:nsit:integration:techag
     ucismemberof: uc:org:nsit:srdirs
     ucismemberof: uc:org:nsit:integration:iteco:wr
     ucismemberof: uc:applications:confluence:NSIT:esx
     ucismemberof: uc:org:nsit:integration:iteco:rd
     ucismemberof: uc:applications:confluence:NSIT:Directors
     ucismemberof: uc:org:nsit:staff
     ucismemberof: uc:applications:confluence:NSIT:Everyone
     ucismemberof: uc:org:nsit:integration:shib_group
     ucismemberof: uc:applications:bulkmail:users
     ucismemberof: uc:org:library:gnet:admins
     ucismemberof: uc:applications:gnetid:admins
     ucismemberof: uc:applications:wireless:authorized
     ucismemberof: uc:applications:cmail:users:authorized
     ucismemberof: uc:reference:affiliations:effective:staff

     LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu
     ucIsMemberOf: uc:org:nsit:srdirs
     ucIsMemberOf: uc:reference:affiliations:effective:staff
     ucIsMemberOf: uc:applications:vpn:authorized

  8. U Chicago: simple delegation
     • Wireless & VPN
     • Guest network ID management
     • Business Objects access
     • Different groups, different authorities
     [Diagram: authorized = eligible minus unauthorized, where eligible is built from staff, student, postdoc, alum and hospital, and unauthorized from closure and locked]
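Slides 3, 7 and 8 together describe one pipeline: groups in folders with direct and indirect (subgroup) members, a composite group built as one group minus another, and the flattened result provisioned to LDAP as an isMemberOf-style attribute. The following is an added example that models that pipeline; it is not Grouper's or UChicago's code. The ucIsMemberOf attribute name comes from the LDAP slide; the class and method names, the base DN and the sample groups and subjects are constructed for the example. It goes slightly beyond the slide by supporting intersection and union composites as well as the complement shown on the diagram.

```python
"""Effective membership resolution and LDIF provisioning (added example)."""


class GroupRegistry:
    def __init__(self):
        self.direct = {}      # group name -> set of direct members (subject ids or group names)
        self.composites = {}  # group name -> (op, left, right)

    def add_group(self, name, *members):
        """Create a group (named by its folder path) and add direct members."""
        self.direct.setdefault(name, set()).update(members)

    def add_composite(self, name, op, left, right):
        """op is 'complement' (left minus right), 'intersection' or 'union'."""
        if op not in ("complement", "intersection", "union"):
            raise ValueError(f"unknown composite operation {op}")
        self.composites[name] = (op, left, right)
        self.direct.setdefault(name, set())

    def is_group(self, name):
        return name in self.direct

    def effective_members(self, name, _seen=None):
        """Flatten subgroups into indirect members and evaluate composites.

        _seen guards against a group that (directly or indirectly) contains itself."""
        _seen = _seen or set()
        if name in _seen:
            return set()
        _seen = _seen | {name}
        if name in self.composites:
            op, left, right = self.composites[name]
            l = self.effective_members(left, _seen)
            r = self.effective_members(right, _seen)
            return {"complement": l - r, "intersection": l & r, "union": l | r}[op]
        members = set()
        for m in self.direct.get(name, set()):
            if self.is_group(m):
                members |= self.effective_members(m, _seen)   # indirect members
            else:
                members.add(m)                                # direct members
        return members

    def memberships_of(self, subject):
        """Every group the subject is an effective member of, sorted for stable output."""
        return sorted(g for g in self.direct if subject in self.effective_members(g))

    def ldif_entry(self, subject, base="ou=people,dc=example,dc=edu", attr="ucIsMemberOf"):
        """One LDIF record: the directory consumer only sees the flattened result."""
        lines = [f"dn: uid={subject},{base}"]
        lines += [f"{attr}: {g}" for g in self.memberships_of(subject)]
        return "\n".join(lines)


def build_sample():
    """Constructed sample mirroring the wireless delegation diagram."""
    reg = GroupRegistry()
    reg.add_group("uc:reference:affiliations:staff", "tbarton", "alice")
    reg.add_group("uc:reference:affiliations:student", "bob", "carol")
    reg.add_group("uc:reference:affiliations:postdoc", "dave")
    # eligible = the affiliation groups as subgroups (their members become indirect members)
    reg.add_group("uc:applications:wireless:eligible",
                  "uc:reference:affiliations:staff",
                  "uc:reference:affiliations:student",
                  "uc:reference:affiliations:postdoc")
    # unauthorized is managed by a different authority; here it holds locked accounts
    reg.add_group("uc:applications:wireless:locked", "carol")
    reg.add_group("uc:applications:wireless:unauthorized", "uc:applications:wireless:locked")
    # authorized = eligible minus unauthorized, a composite group
    reg.add_composite("uc:applications:wireless:authorized", "complement",
                      "uc:applications:wireless:eligible",
                      "uc:applications:wireless:unauthorized")
    return reg


if __name__ == "__main__":
    registry = build_sample()
    for person in ("tbarton", "carol", "dave"):
        print(registry.ldif_entry(person))
        print()
```

Because the composite is evaluated rather than stored, removing carol from the locked group or adding her to another affiliation changes her provisioned attributes on the next run with no one touching the authorized group directly; that is the "different groups, different authorities" point on the slide, and a relying party that only checks for the ucIsMemberOf value never needs to know how the decision was composed.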

  9. Brown: Managing Access to Course Resources

  10. NIH’s Cancer BioInformatics Grid

  11. New in v1.5.0
     Just released … some capabilities are partial or “experimental”

  12. Lite UI
     • AJAX components for simple end-user tasks
     • URL links directly to a group
     • Integrated within Grouper UI webapp
     • Two entry points: Admin UI & Lite UI
     • Admin UI uses new components too
     • More Lite UIs may be contributed by deployers

  13. Performance

  14. Audit
     • Who did what when …
     • Add/delete/update membership, group, folder, and Grouper privileges
     • Attribute definition & assignment
     • XML import
     • Move/copy group or folder
     • Audit reporting via Grouper Admin UI & Grouper Shell

  15. Move & copy
     • Copy/move groups/folders to another folder
     • Why?
        • Template groups & template folders
        • Update organizational hierarchies
     • Old group name optionally continues to refer to moved group
     • Supported by Grouper Admin UI & Grouper Shell (Grouper-WS soon)

  16. Notification
     • Near real time provisioning of group info
     • Group, membership, folder, and privilege changes
     • Serialized
     • Provided to registered consumers
     • SQL & API access to transactions
     • LDAP provisioning connector will use in v1.5.1
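The slide describes the shape of the notification mechanism (a serialized log of changes, handed to registered consumers) without showing what a consumer looks like. Here is an added example that models it; it is not Grouper's change-log API. It assumes each change gets an increasing sequence number, that every registered consumer keeps a checkpoint of the last sequence it processed, and that a consumer applies membership changes to a downstream store in order. The entry format, the change-type names and the sample changes are all constructed for the example.

```python
"""Toy serialized change log with checkpointed consumers (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeLogEntry:
    sequence: int        # assigned in commit order, so consumers see changes serialized
    change_type: str     # constructed names: membership_add, membership_delete, group_delete
    group: str
    subject: str = ""


class ChangeLog:
    def __init__(self):
        self.entries = []
        self.checkpoints = {}   # consumer name -> last sequence it fully processed

    def record(self, change_type, group, subject=""):
        entry = ChangeLogEntry(len(self.entries) + 1, change_type, group, subject)
        self.entries.append(entry)
        return entry

    def register(self, consumer):
        """A new consumer starts from the beginning of the log."""
        self.checkpoints.setdefault(consumer, 0)

    def pending(self, consumer):
        last = self.checkpoints[consumer]
        return [e for e in self.entries if e.sequence > last]

    def dispatch(self, consumer, handler):
        """Deliver pending entries in order. The checkpoint advances only after the
        handler returns, so a failure stops at the failing entry and nothing is skipped."""
        for entry in self.pending(consumer):
            handler(entry)
            self.checkpoints[consumer] = entry.sequence


class DirectoryConsumer:
    """Downstream store: subject -> set of group names (stands in for an LDAP isMemberOf)."""

    def __init__(self):
        self.memberships = {}

    def handle(self, entry):
        if entry.change_type == "membership_add":
            self.memberships.setdefault(entry.subject, set()).add(entry.group)
        elif entry.change_type == "membership_delete":
            self.memberships.get(entry.subject, set()).discard(entry.group)
        elif entry.change_type == "group_delete":
            for groups in self.memberships.values():
                groups.discard(entry.group)
        else:
            raise ValueError(f"unknown change type {entry.change_type}")


def demo():
    """Constructed sequence of changes, including one malformed entry."""
    log = ChangeLog()
    ldap = DirectoryConsumer()
    log.register("ldap")
    vpn = "uc:applications:vpn:authorized"   # name taken from the LDAP slide
    log.record("membership_add", vpn, "tbarton")
    log.record("membership_add", vpn, "alice")
    log.dispatch("ldap", ldap.handle)
    log.record("membership_delete", vpn, "alice")      # sequence 3: deprovision alice
    log.record("bogus", "uc:x")                         # sequence 4: malformed, will fail
    log.record("membership_add", "uc:applications:wireless:authorized", "tbarton")
    try:
        log.dispatch("ldap", ldap.handle)
    except ValueError:
        pass   # delivery stops at entry 4; entries 4 and 5 stay pending for a retry
    return {
        "checkpoint": log.checkpoints["ldap"],
        "pending": [e.sequence for e in log.pending("ldap")],
        "alice_groups": sorted(ldap.memberships["alice"]),
        "tbarton_groups": sorted(ldap.memberships["tbarton"]),
    }


if __name__ == "__main__":
    print(demo())
```

The behaviour worth checking in any real consumer is the one the demo exercises: the removal of alice (entry 3) reaches the directory even though a later entry fails, and the failure leaves the checkpoint at 3 rather than silently advancing past the entries that were never applied. A consumer that advanced its checkpoint before applying a change would lose deprovisioning events on a crash, which is exactly the failure a near-real-time provisioning feed exists to prevent.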

  17. Attribute framework
     • Assign custom attributes to principal Grouper objects
        • Groups
        • Folders
        • Memberships
        • Attributes
     • Will have several value types, multi-values, etc
        • Only an enumerated type in 1.5.0
     • Attributes are objects in folders, like groups, and their security model is similar to that of groups

  18. Roles & permissions
     • Role extends Group, links Subjects with Permissions
     • Permission is a type of attribute assigned to a role or to a membership in a role
        • Has an Action qualifier, e.g., Read or Write
     • Permission sets, e.g., organizational hierarchies
     • Superior roles inherit subordinate permissions
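To make the four statements on this slide concrete, here is an added example that models them together; it is not Grouper's permission API. A role is a group whose members are subjects; a permission is a (resource, action) pair assigned either to a role as a whole or to one subject's membership in a role; roles form a hierarchy in which a superior role inherits the permissions of its subordinates; and permissions form sets, here an organisational hierarchy in which a permission on a parent unit implies the same action on every unit beneath it. The class names, the resource names (modelled on the uc:org:nsit paths from the LDAP slide) and the sample roles and subjects are assumptions made for the example.

```python
"""Toy model of roles, permissions, role hierarchy and permission sets (added example)."""
from dataclasses import dataclass, field


@dataclass
class Role:
    name: str
    members: set = field(default_factory=set)
    subordinates: set = field(default_factory=set)          # role names this role inherits from
    permissions: set = field(default_factory=set)           # (resource, action) for every member
    member_permissions: dict = field(default_factory=dict)  # subject -> {(resource, action)}


class PermissionRegistry:
    def __init__(self):
        self.roles = {}
        self.implies = {}   # resource -> resources it implies (permission-set edges)

    def role(self, name):
        return self.roles.setdefault(name, Role(name))

    def add_permission_set_edge(self, parent, child):
        """A permission on parent implies the same action on child."""
        self.implies.setdefault(parent, set()).add(child)

    def assign(self, role_name, resource, action, subject=None):
        """Assign to the role (all members) or to one subject's membership in it."""
        r = self.role(role_name)
        if subject is None:
            r.permissions.add((resource, action))
            return
        if subject not in r.members:
            raise ValueError(f"{subject} is not a member of {role_name}")
        r.member_permissions.setdefault(subject, set()).add((resource, action))

    def _role_permissions(self, role_name, subject, seen):
        """Permissions a role confers on subject, including those inherited from subordinates."""
        if role_name in seen:
            return set()
        seen.add(role_name)
        r = self.roles[role_name]
        perms = set(r.permissions) | r.member_permissions.get(subject, set())
        for sub in r.subordinates:
            perms |= self._role_permissions(sub, subject, seen)
        return perms

    def _expand(self, resource):
        """Closure of one resource through the permission-set implications."""
        out, stack = set(), [resource]
        while stack:
            x = stack.pop()
            if x not in out:
                out.add(x)
                stack.extend(self.implies.get(x, ()))
        return out

    def effective_permissions(self, subject):
        result = set()
        for name, r in self.roles.items():
            if subject in r.members:
                for resource, action in self._role_permissions(name, subject, set()):
                    for res in self._expand(resource):
                        result.add((res, action))
        return result

    def allowed(self, subject, resource, action):
        return (resource, action) in self.effective_permissions(subject)


def build_sample():
    """Constructed sample: an org hierarchy as the permission set, two roles."""
    reg = PermissionRegistry()
    reg.add_permission_set_edge("uc:org:nsit", "uc:org:nsit:integration")
    reg.add_permission_set_edge("uc:org:nsit:integration", "uc:org:nsit:integration:iteco")
    staff, director = reg.role("nsit:staff"), reg.role("nsit:director")
    director.subordinates.add("nsit:staff")        # superior role inherits staff permissions
    staff.members.update({"alice", "bob"})
    director.members.add("tbarton")
    reg.assign("nsit:staff", "uc:org:nsit", "read")                 # every staff member
    reg.assign("nsit:director", "uc:org:nsit", "write")             # every director
    reg.assign("nsit:staff", "uc:org:nsit:integration", "write",    # bob's membership only
               subject="bob")
    return reg


if __name__ == "__main__":
    registry = build_sample()
    for who in ("tbarton", "alice", "bob"):
        print(who, sorted(registry.effective_permissions(who)))
```

Two consequences are visible in the sample: tbarton can read every unit under uc:org:nsit without ever being placed in the staff role, because the director role inherits it, and bob's write permission on the integration unit flows down to iteco but not up to uc:org:nsit, because the implication only runs from parent to child.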

  19. Grouper & Identity Services
     • Grouper’s roles & permissions are only low level capabilities, initially
     • No high level interfaces have been implemented or even defined yet
     • Looking for help with that from MACE-Paccman and from partner sites
     • More later in this conference about Grouper and identity service interfaces in Kuali and in uPortal

  20. Grouper roadmap
     • Current version is 1.5.0
     • v1.5+
        • Notification enhancements
        • Attribute & permission enhancements
        • New LDAPPC = shibboleth AA + SPMLv2
     • v1.6
        • Point-in-time audit
        • Role management interface
        • uPortal integration
        • Kuali Rice integration

  21. www.internet2.edu/grouper
