
Using Signet and Grouper for Access Management



  1. Using Signet and Grouper for Access Management Tom Barton, University of Chicago Lynn McRae, Stanford University

  2. Identity & Access Management Reality
  • Each person’s online activities are shaped by many Sources of Authority (SoAs)
    • Resource managers
    • Program/activity heads
    • Other policy making bodies
    • Self
  • Common middleware infrastructure should be operated centrally
    • To not oblige departments/programs/activities to build their own core middleware
  • Management of the information it conveys should be distributed
    • Hook up all of those SoAs to the middleware

  3. Connecting SoAs, Integrating with Existing Infrastructure

  4. Relative Roles of Signet & Grouper
  • RBAC model
    • Users are placed into groups
    • Privileges are assigned to groups
    • Groups can be arranged into hierarchies to effectively bestow privileges
  • Signet manages privileges
  • Grouper manages, well, groups
  [Diagram labels: Grouper, Signet]

  5. Nutshell Description of Grouper
  • Mix of manual and automation processes manage a common Group Registry
  • Many sources of authority are reflected in group memberships
  • Automation processes provision info from the Group Registry into LDAP, AD, directly into app-specific databases, or …
    • Wherever the value of the info warrants spending the resources to place it there
  • Group management authority is delegatable

  6. Grouper Groups
  • Attributes of groups
    • Names: name, displayName, guid
    • Description
    • Members
    • Can extend the set of attributes to support groups with more specific purposes
  • Subgroups, compound groups, and aging
  • Stored in an RDBMS, the Group Registry

  7. Grouper Namespaces
  • Groups are created within namespaces
    • Scopes the authority to create and name groups
    • Support distinct activities with own authority
  • Namespaces can be arranged hierarchically, for example:
      it          all central IT activities
      it:labs     manage computer labs
      bsd         all Bio Sci Division activities
      bsd:peds    Pediatrics resource access

  8. Example: Groups for Lab Access
  [Diagram] Rule: allow access if “eligible” but not “barred”.
  Automatically loaded groups shown: uc:faculty, uc:staff, categories of entitled students, categories of barred students, time dependent student categories.
  Manually managed groups shown: it:labs:eligible, it:labs:whitelist, it:labs:barred, it:labs:blacklist.

  9. Data Flow & Grouper Roles in Computer Lab Access
  [Diagram] Components shown: Loaders, Grouper API, Grouper UI, SIS, lab, HR, Person Registry, Group Registry, LDAP. Roles shown: Lab Director, Lab Managers, On-site staff (each reaching the Group Registry through the Grouper API). Sample LDAP entry: uid: jdoe, ucAffiliation: …, isMemberOf: …

  10. Grouper’s Privileges
  • Access privileges
    • Who has what access (read, write) to a group’s attributes
  • Naming privileges
    • Who can create a group in each namespace
    • Who can create a new namespace subordinate to an existing one
  • Privilege interfaces are abstracted
    • Can use external privilege management system, like Signet
  • Grouper’s built-in privilege management
    • Subgroups, compound groups, and aging can be used to manage privileges with built-in capability

  11. Four Ways to Delegate Group Management
  • Create a group and assign someone to manage its membership
  • Create a group and assign someone to manage who manages the group’s membership and who can see what about the group
  • Create a namespace and assign someone to manage who can create groups within it
  • Allow Self to opt-in or opt-out of membership

  12. Representing Membership in Operational Contexts
  • Standards for the I2MI community
    • LDAP, SAML/Shibboleth: isMemberOf
    • LDAP: hasMember
    • Preserving privacy/visibility
    • Representing access privileges in, e.g., LDAP
  • Desirable local standards
    • Naming of groups & namespaces
    • Privacy classes
    • Incremental update and referential integrity
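The lab-access rule of slide 8 (allow if “eligible” but not “barred”), the provisioning flow of slide 9 and the isMemberOf representation of slide 12, worked through as an added example. This is illustrative Python written for this page, not Grouper’s own (Java) API: the uc:* and it:labs:* group names follow the slides, while the sis:* group names, the computed group name it:labs:access, the LDAP base DN and every subject are constructed for the example.

```python
"""Compound-group evaluation and isMemberOf provisioning.

Added example in plain Python, not Grouper's own (Java) API. It models
the lab-access rule from the slides, allow if "eligible" but not
"barred", over a toy Group Registry, then emits the isMemberOf values a
provisioning process would push into LDAP. The uc:* and it:labs:* names
follow the slides; the sis:* group names, the computed group's name, the
base DN and all subjects are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Loader-maintained ("auto") and hand-maintained ("manual") groups.
AUTO_ENTITLED = ("uc:faculty", "uc:staff", "sis:students:entitled")   # sis:* assumed
AUTO_BARRED = ("sis:students:barred", "sis:students:timebarred")        # assumed
MANUAL_ELIGIBLE = ("it:labs:eligible", "it:labs:whitelist")
MANUAL_BARRED = ("it:labs:barred", "it:labs:blacklist")
LAB_ACCESS_GROUP = "it:labs:access"   # computed group; name assumed


@dataclass
class GroupRegistry:
    """Toy Group Registry: fully qualified group name -> set of subject ids."""
    groups: Dict[str, Set[str]] = field(default_factory=dict)

    def add(self, name: str, *subjects: str) -> None:
        self.groups.setdefault(name, set()).update(subjects)

    def union(self, names: Iterable[str]) -> Set[str]:
        out: Set[str] = set()
        for n in names:
            out |= self.groups.get(n, set())
        return out

    def lab_access_members(self) -> Set[str]:
        """Members of any eligible group who are in no barred group.
        Barred always wins, so a blacklisted faculty member is denied and a
        whitelisted visitor is admitted only if nothing bars them."""
        eligible = self.union(AUTO_ENTITLED + MANUAL_ELIGIBLE)
        barred = self.union(AUTO_BARRED + MANUAL_BARRED)
        return eligible - barred

    def is_member_of(self, subject: str) -> List[str]:
        """Values for the subject's isMemberOf attribute, including the computed group."""
        names = [n for n, members in self.groups.items() if subject in members]
        if subject in self.lab_access_members():
            names.append(LAB_ACCESS_GROUP)
        return sorted(names)


def ldif_modify(registry: GroupRegistry, uid: str,
                base_dn: str = "ou=people,dc=example,dc=edu") -> str:
    """LDIF change record (RFC 2849) replacing one person's isMemberOf values."""
    lines = [f"dn: uid={uid},{base_dn}", "changetype: modify", "replace: isMemberOf"]
    lines += [f"isMemberOf: {g}" for g in registry.is_member_of(uid)]
    lines.append("-")
    return "\n".join(lines) + "\n"


def demo_registry() -> GroupRegistry:
    """Constructed sample data: what SIS/HR loaders and lab staff might have written."""
    reg = GroupRegistry()
    reg.add("uc:faculty", "asmith", "bchen")
    reg.add("uc:staff", "cjones")
    reg.add("sis:students:entitled", "dlee", "efox", "gray")
    reg.add("sis:students:timebarred", "efox")    # e.g. not enrolled this term
    reg.add("it:labs:blacklist", "asmith")         # manual override by a lab manager
    reg.add("it:labs:whitelist", "hvisitor")       # visitor added by hand
    reg.add("it:labs:barred", "gray")
    return reg


if __name__ == "__main__":
    reg = demo_registry()
    print(sorted(reg.lab_access_members()))   # ['bchen', 'cjones', 'dlee', 'hvisitor']
    print(ldif_modify(reg, "asmith"))
```

The point worth noticing is that the computed group is never stored: it is recomputed from the source groups each time, so a loader removing someone from an entitled category (or a lab manager adding them to a blacklist) takes effect on the next provisioning run without anyone editing the access group by hand. The `replace:` form of the LDIF record likewise makes provisioning idempotent, which is what the slides’ “incremental update and referential integrity” point is about.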

  13. Signet Overview
  • Analysts define privileges in Signet in “business terms” and specify associated permissions.
  • Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority.
  • Signet internally maps assigned privileges into system-specific terms needed by applications.
  • Privileges are exported, transformed, and provisioned into applications and infrastructure services.

  14. Privileges Building Blocks
  [Diagram] Business view: Subsystems, Categories, Functions, Scope, Limits, Prerequisites & Conditions. System view: Permissions (Subject, Action, Resource).
  • Analysts define privileges in Signet in “business terms” and specify associated permissions.

  15. Signet Components
  • Subsystems
    • Define domains of ownership and responsibility
    • Reflect real world boundaries
    • Can be large or small
  [Diagram] Example subsystems: Financial system, Student Administration, HR system, Network address plan management, Network access management, Research administration, Clinical resources. Registries: Person Registry, Signet (Privilege Registry), Grouper (Group Registry).

  16. Business View
  • Subsystems contain…
  • Functions
    • The things a person can do; what they are getting privileges for.
  • Categories
    • Provide useful arrangement of functions within a subsystem; for reporting, ease of use.
  • Limits
    • Qualifiers, constraints for a privilege.
  • Scope
    • Organizational hierarchy governing distributed delegation.

  17. Business View
  [Diagram: organizing actions by Subsystems, Categories, Functions and Limits. Labels shown, in slide order: Course Support, Add/Drop students, Student Admin, Which term, Schedule Classes, Which campus, Process Applicants, Financial Aid, For school…, Award Scholarships, From Fund…, Manage Accounts, For fund…, Patient Records, Protocol A, Clinical Trial, Read/Write, Materials Control, Qty/day, Manage, Grant Administration, $ constraints, Lab Access, Hours.]

  18. Signet User Interface • Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.

  19. Systems View
  • Signet internally maps assigned privileges into system specific terms needed by applications.
  • Permissions
    • Atomic units of control that map to specific access rules in systems.
    • Includes limits that must be evaluated when interpreting permissions.
  • Resources
    • The target of a specific privilege; things that have access rules to control their use.

  20. Business View → Permissions
  [Diagram: mapping from the business view to resources and permissions. Business-view labels: Student Admin, Course Support, Add/Drop students, Schedule Classes, Process Applicants, Financial Aid, Award Scholarships, Manage Accounts. Resources and their permissions: Calendar (reserve_time, view_schedules), Course (update_course_data), Facilities (reserve_room), Financial (view_fund_data, update_fund_data), Student (student_records, applicant_data).]

  21. Systems Integration
  • Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services.
  • Privileges document
    • XML representation of privileges for an individual or group.
    • Compatible with SAML and XACML representations of Subjects and Access Rules.
  • Integration
    • Site-specific

  22. Privileges Document
  Signet Privileges document (not final). The slide’s tag typos are corrected here (an unclosed <Subsystem> start tag, </subj:Subjects> for </subj:Subject>, <LimitnFunction> for <LimitFunction>, and </SubsystemId> closing a <PermissionId>); the slide is cut off inside the second <Resource>, so the closing tags after that point are supplied only to keep the fragment well-formed.

```xml
<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectId>jpoole@kitn.edu</subj:SubjectId>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Subsystem>
    <SubsystemId>project-biox</SubsystemId>
    <Permission>
      <PermissionId>patient-record-access</PermissionId>
      <Resource>
        <ResourceId>research-records</ResourceId>
      </Resource>
      <Limit>
        <LimitId>protocol</LimitId>
        <LimitFunction>urn:oasis:names:tc:xacml:1.0:function:string-equal</LimitFunction>
        <LimitValue>2005-formula-b</LimitValue>
        <LimitValueType>http://www.w3.org/2001/XMLSchema#string</LimitValueType>
      </Limit>
    </Permission>
    <Permission>
      <PermissionId>approve-requisitions</PermissionId>
      <Resource>
        <!-- the slide is truncated here -->
      </Resource>
    </Permission>
  </Subsystem>
</Privileges>
```

  23. Provisioning Permissions into Applications
  [Diagram: a <Privileges> document (one <Subject>, several <Permission> elements) provisioned into applications. Applications shown: Calendar, CourseWare, Financials, Financial Reporting, Space Mgmt, Student. Resources and permissions shown: Calendar (reserve_time, view_schedules), Course (update_course_data), Facilities (reserve_room), Financial (view_fund_data, update_fund_data), Student (student_records, applicant_data).]
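Slides 21 to 23 describe the Privileges document and its provisioning into applications; the following added example (written for this page, not Signet’s own code) shows what an application that receives such a document has to do with it: parse the subject, subsystem, permission, resource and limits, then decide a request by evaluating the limit with the XACML function the document names. PRIVILEGES_XML is the slide’s draft document with its tag typos corrected and only the complete patient-record-access permission kept (the second permission is cut off on the slide). The `is_permitted()` request shape, the `context` dictionary of request-time attributes and the LIMIT_FUNCTIONS registry are assumptions for the example.

```python
"""Parse a Signet Privileges document and decide a request against it.

Added example, not Signet's own code. PRIVILEGES_XML is the draft
document from the slides with its tag typos corrected and only the
complete patient-record-access permission kept. The is_permitted()
request shape and the LIMIT_FUNCTIONS registry are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"s": "http://middleware.internet2.edu/signet",
      "subj": "http://middleware.internet2.edu/subject"}

PRIVILEGES_XML = """<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectId>jpoole@kitn.edu</subj:SubjectId>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Subsystem>
    <SubsystemId>project-biox</SubsystemId>
    <Permission>
      <PermissionId>patient-record-access</PermissionId>
      <Resource><ResourceId>research-records</ResourceId></Resource>
      <Limit>
        <LimitId>protocol</LimitId>
        <LimitFunction>urn:oasis:names:tc:xacml:1.0:function:string-equal</LimitFunction>
        <LimitValue>2005-formula-b</LimitValue>
        <LimitValueType>http://www.w3.org/2001/XMLSchema#string</LimitValueType>
      </Limit>
    </Permission>
  </Subsystem>
</Privileges>"""

XACML = "urn:oasis:names:tc:xacml:1.0:function:"
# Limit functions this evaluator understands: (limit value from the document,
# value from the request) -> bool. Any function not registered here is denied.
LIMIT_FUNCTIONS = {
    XACML + "string-equal": lambda limit, actual: limit == actual,
}


def parse_privileges(xml_text: str) -> Dict:
    """Flatten the document into the subject and a list of grants."""
    root = ET.fromstring(xml_text)
    subject = root.find("subj:Subject", NS)
    grants: List[Dict] = []
    for sub in root.findall("s:Subsystem", NS):
        subsystem_id = sub.findtext("s:SubsystemId", namespaces=NS)
        for perm in sub.findall("s:Permission", NS):
            grants.append({
                "subsystem": subsystem_id,
                "permission": perm.findtext("s:PermissionId", namespaces=NS),
                "resources": [r.findtext("s:ResourceId", namespaces=NS)
                              for r in perm.findall("s:Resource", NS)],
                "limits": [{"id": lim.findtext("s:LimitId", namespaces=NS),
                            "function": lim.findtext("s:LimitFunction", namespaces=NS),
                            "value": lim.findtext("s:LimitValue", namespaces=NS)}
                           for lim in perm.findall("s:Limit", NS)],
            })
    return {"subject_id": subject.findtext("subj:SubjectId", namespaces=NS),
            "subject_name": subject.findtext("subj:SubjectName", namespaces=NS),
            "grants": grants}


def _limit_satisfied(limit: Dict, context: Dict[str, str]) -> bool:
    fn = LIMIT_FUNCTIONS.get(limit["function"])
    if fn is None or limit["id"] not in context:
        return False          # unknown function or missing attribute: fail closed
    return bool(fn(limit["value"], str(context[limit["id"]])))


def is_permitted(privs: Dict, subject_id: str, subsystem: str, permission: str,
                 resource: str, context: Dict[str, str]) -> bool:
    """Allow only when a grant matches subject, subsystem, permission and
    resource exactly and every one of its limits is satisfied by `context`
    (request-time attributes, e.g. {"protocol": "2005-formula-b"})."""
    if privs["subject_id"] != subject_id:
        return False
    for g in privs["grants"]:
        if (g["subsystem"], g["permission"]) != (subsystem, permission):
            continue
        if resource not in g["resources"]:
            continue
        if all(_limit_satisfied(lim, context) for lim in g["limits"]):
            return True
    return False


if __name__ == "__main__":
    privs = parse_privileges(PRIVILEGES_XML)
    print(is_permitted(privs, "jpoole@kitn.edu", "project-biox", "patient-record-access",
                       "research-records", {"protocol": "2005-formula-b"}))   # True
```

Two design choices matter for security here. A limit whose function the application does not implement, or whose attribute the request does not carry, is treated as unsatisfied rather than ignored, so a new limit type added centrally can only narrow access at a consumer that has not been updated. And the decision matches the subject identifier carried in the document, which is why the slides’ Subject API point about translating between identifiers (username versus persistent ID) has to be settled before provisioning, not at decision time.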

  24. Provisioning Permissions into Infrastructure
  [Diagram: the same permissions provisioned into a Directory as eduPersonEntitlement values. Applications shown: Calendar, CourseWare, Financials, Financial Reporting, Space Mgmt, Student. Resources and permissions shown: Calendar (reserve_time, view_schedules), Course (update_course_data), Facilities (reserve_room), Financial (view_fund_data, update_fund_data), Student (student_records, applicant_data).]

  25. Other features
  • Assignments can be
    • To an individual
    • To a Group
    • With/without ability to further delegate
  • Distributed delegation using organizational hierarchy
    • Records “chain of command”
  • Proxy assignment
    • Temporary granting of one’s privilege to another

  26. Privileges Lifecycle
  • Conditions
    • Provides automatic revocation of privileges
    • Date controls: from date, until date
    • Based on person’s status and affiliation, e.g., as long as person is at Stanford
  • Prerequisites
    • Pre-conditions that must be met to activate privileges, e.g., training
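The three lifecycle controls on slide 26 (from/until dates, affiliation-based conditions, and prerequisites such as training) combine into a single activation decision; the following added example (written for this page, not Signet’s code) evaluates one assignment against today’s date, the holder’s current affiliations and their completed prerequisites, and says why a privilege is not active. The Assignment fields, the status names and the sample assignments are assumptions for the example.

```python
"""Lifecycle evaluation for a privilege assignment.

Added example, not Signet's code. It applies the three controls the
slide lists, from/until dates, the holder's current affiliation, and
prerequisites such as completed training, to one assignment and reports
why a privilege is not active. The Assignment fields, the status names
and the sample data are assumptions for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Assignment:
    privilege: str
    effective: Optional[date] = None          # None: no start constraint
    until: Optional[date] = None              # None: no end; otherwise last valid day
    affiliations: Tuple[str, ...] = ()        # keep while the holder has any of these
    prerequisites: Tuple[str, ...] = ()       # all must be completed before activation


def status(a: Assignment, today: date, holder_affiliations: Set[str],
           completed: Set[str]) -> str:
    """One of 'active', 'expired', 'revoked', 'pending'. Checks are ordered
    so the most permanent reason is reported first: a past until date
    stays expired even if training is later completed."""
    if a.until is not None and today > a.until:
        return "expired"
    if a.affiliations and not set(a.affiliations) & holder_affiliations:
        return "revoked"                      # e.g. the person has left the institution
    if not set(a.prerequisites) <= completed:
        return "pending"                      # required training not yet done
    if a.effective is not None and today < a.effective:
        return "pending"                      # not yet inside its date window
    return "active"


def active_privileges(assignments: Iterable[Assignment], today: date,
                      holder_affiliations: Set[str], completed: Set[str]) -> List[str]:
    """What should be provisioned for this person today; everything else is withheld."""
    return sorted(a.privilege for a in assignments
                  if status(a, today, holder_affiliations, completed) == "active")


# Constructed sample assignments.
SAMPLE = [
    Assignment("approve-requisitions", date(2005, 7, 1), date(2005, 12, 31),
               affiliations=("staff",), prerequisites=("purchasing-training",)),
    Assignment("patient-record-access", affiliations=("staff", "faculty"),
               prerequisites=("hipaa-training", "protocol-a-orientation")),
    Assignment("view-schedules"),             # unconditional
]

if __name__ == "__main__":
    print(active_privileges(SAMPLE, date(2005, 8, 1), {"staff"}, {"purchasing-training"}))
    # ['approve-requisitions', 'view-schedules']
```

Because the affiliation check is re-evaluated on every run rather than recorded once at assignment time, the “as long as the person is at Stanford” condition revokes automatically when the HR feed drops the affiliation; the assignment record itself need not be touched, which is what keeps the privilege registry and the person registry from drifting apart.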

  27. Privilege Elements by Example
  [Diagram: a privilege shown with its lifecycle elements]

  28. Subject API
  • Common application need to lookup people or other types of subjects
    • To search for and present them in a UI
    • To translate between different identifiers for the same object
    • Example: username → persistentID
  • Subject API is a freestanding implementation meeting these needs.
  • Site-configured …
    • Subject types: people & groups, and maybe applications, computers, policies, whatever
    • Sources for each site-specific subject type
    • Specific query syntax for abstract query types

  29. Signet & Grouper Development
  • Now available
    • Grouper API v0.5.5: basic group management by automation processes
    • Demo release of Signet v0.3 toolkit and UI
  • June 2005
    • Grouper v0.6: initial UI release
    • Subject API: initial release
  • September 2005
    • Signet: initial production-ready release
  • Grouper team: U Chicago & U Bristol
  • Signet team: Stanford University

  30. Resources & Participation
  • Grouper website http://middleware.internet2.edu/dir/groups/grouper/
  • Signet website http://middleware.internet2.edu/signet/
  • Internet2 Middleware Initiative http://middleware.internet2.edu/
  • Documents, tarballs, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions
