Access Management with Grouper
Tom Barton, University of Chicago
Outline
• Why build an access management tool?
• Grouper basics
• Implementation examples
• New features
• Grouper Roadmap
Why?
• Lower cost by factoring access management out
• Simplify & make consistent by using one group in many places
• Let the right people manage access, directly
• See who can access what, in one place
Grouper: core concepts
• Folders in hierarchies
• Groups, with direct members
• Subgroups: a group that is itself a member of another group; its members are indirect members of the containing group
• Composite groups
• Custom attributes
Security & delegation
• Folder privileges: Create groups, Create subfolders
• Group privileges: Admin, Update membership, Read membership, View group, Opt-in, Opt-out
• Delegation: granting these privileges on a particular folder or group hands its management to the right people, and gives them nothing else
What’s in a Grouper group?
• Folder name
• Names: one short, one display
• GUID
• Description
• Members: opaque Subject references
• Privilegees: opaque Subject references
• Operational attributes
Grouper integration

[Architecture diagram. Components shown and how they connect:
• Systems of Record (Persons, Orgs) feed Grouper through the Grouper Loader and through the Subject API, which has JDBC and JNDI source adapters
• Grouper core: Grouper Database, Java API, UI, Web Services (SOAP and REST)
• Clients of the Java API and Web Services: Applications, the Grouper Client, and the Grouper Shell (gsh%, interactive or driven by XML scripts)
• Outbound: the LDAP Provisioning Connector writes groups and memberships to LDAP/AD; the Shibboleth IdP reads them from LDAP/AD and releases them to Applications over SAML; an Identity Management system consumes them as well]
Grouper integration: Subject API
• Uses:
  • Grab a Subject's attributes
  • Search for Subjects
  • Identifier crosswalk
• JNDI & JDBC adapters provided
• Plug-in interface for custom adapters
Grouper integration: LDAP provisioning connector
• Push groups and/or memberships to LDAP
• Variety of selection criteria
• Configurable appearance of LDAP entries
• Full & incremental provisioning modes now
• Asynchronous updating planned

[Diagram: Java API → LDAP Provisioning Connector → LDAP/AD]
Grouper integration: Web Services
• (SOAP, REST) x (Lite, Heavy)
• Large fraction of the Java API is exposed
• Authentication by container or Rampart
  • Basic, Kerberos, X.509, SAML
  • actAs
• .NET and PHP dev guides by U Newcastle
Grouper integration: Loader
• Dynamically create and maintain memberships and systems of groups by SQL queries
• Quartz-based service/daemon
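The following is an added example, not code from the slides or from the Grouper project. It makes an existing group (uc:org:nsit:staff, a name taken from the LDAP example later in this deck) Loader-managed by assigning the grouperLoader group type and its attributes through the Java API, then runs the job once. The database alias "hr", the table and column names in the query, and the cron schedule are assumptions; SUBJECT_ID and SUBJECT_SOURCE_ID are the result columns the Loader looks for. The two-argument GroupTypeFinder.find and GrouperLoader.runJobOnceForGroup signatures are as in Grouper 1.5/2.x.

```java
import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GroupType;
import edu.internet2.middleware.grouper.GroupTypeFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.app.loader.GrouperLoader;

// Added example, not Grouper project code. "hr" must exist in grouper-loader.properties
// as db.hr.url / db.hr.user / db.hr.pass / db.hr.driver (assumed names).
public class StaffLoaderExample {

  public static void main(String[] args) throws Exception {
    GrouperSession session = GrouperSession.startRootSession();
    try {
      Group staff = GroupFinder.findByName(session, "uc:org:nsit:staff", true);

      // The built-in "grouperLoader" type carries the loader's configuration attributes.
      GroupType loaderType = GroupTypeFinder.find("grouperLoader", true);
      staff.addType(loaderType);

      staff.setAttribute("grouperLoaderType", "SQL_SIMPLE");      // one query -> one group
      staff.setAttribute("grouperLoaderDbName", "hr");            // assumed db alias
      staff.setAttribute("grouperLoaderScheduleType", "CRON");
      staff.setAttribute("grouperLoaderQuartzCron", "0 15 2 * * ?"); // nightly at 02:15

      // Query against the system of record (table/column names assumed). The loader
      // syncs the group to exactly this result set: people who drop out of the
      // query are removed from the group on the next run.
      staff.setAttribute("grouperLoaderQuery",
          "select e.netid as SUBJECT_ID, 'uchicago' as SUBJECT_SOURCE_ID "
        + "from hr.employee e where e.dept = 'NSIT' and e.status = 'A'");

      // Run immediately instead of waiting for the cron; returns a status string.
      String status = GrouperLoader.runJobOnceForGroup(session, staff);
      System.out.println(status);
    } finally {
      GrouperSession.stopQuietly(session);
    }
  }
}
```

Give the "hr" account read-only rights on the source tables: the loader only ever selects, and the credential sits in a properties file on the Grouper host. The same attribute-setting calls can be pasted into the Grouper Shell.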
Grouper integration: Grouper Shell
• Command line interface to the Java API & tools
• XML import/export
• Batch scripts
• Low-level Grouper system administration
Grouper integration: Hooks
• 3rd-party extension of key API events
• Veto & notify
• Hook points: Group, Stem, Member, Membership, Composite, Field, GrouperSession, GroupType, GroupTypeTuple
  • preInsert, postInsert, postCommitInsert, preUpdate, postUpdate, postCommitUpdate, preDelete, postDelete, postCommitDelete
  • addMember, removeMember
• LifecycleHooks
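The following is an added example of the veto-and-notify pattern, not code from the slides or from the Grouper project. A membership hook vetoes any attempt to add the built-in "everyone" subject (GrouperAll) to a group under an application folder, and logs adds after they commit. The folder prefix uc:applications: is taken from this deck's examples; the class name and the log line format are assumptions. It is registered in grouper.properties with hooks.membership.class set to the class's fully qualified name.

```java
import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.hooks.MembershipHooks;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksMembershipChangeBean;
import edu.internet2.middleware.grouper.hooks.logic.HookVeto;
import edu.internet2.middleware.subject.Subject;

// Added example, not Grouper project code.
// grouper.properties:  hooks.membership.class=edu.uchicago.example.NoEveryoneInAppGroupsHooks
public class NoEveryoneInAppGroupsHooks extends MembershipHooks {

  // Application groups drive authorization, so "everyone" in one of them is
  // almost always a mistake rather than a policy decision.
  private static final String APP_FOLDER = "uc:applications:";

  @Override
  public void membershipPreAddMember(HooksContext hooksContext, HooksMembershipChangeBean bean) {
    Group group = bean.getGroup();
    String everyoneId = SubjectFinder.findAllSubject().getId();   // the GrouperAll subject
    if (group.getName().startsWith(APP_FOLDER)
        && everyoneId.equals(bean.getMember().getSubjectId())) {
      // Veto: the addMember call that triggered this hook throws, and nothing is written.
      throw new HookVeto("veto.app.everyone",
          "Refusing to add GrouperAll to " + group.getName()
          + ": application groups must name a real population");
    }
  }

  @Override
  public void membershipPostCommitAddMember(HooksContext hooksContext, HooksMembershipChangeBean bean) {
    // Notify: runs after the transaction committed, so it reports only changes that really happened.
    Subject actor = hooksContext.getSubjectLoggedIn();
    String who = actor == null ? "unknown" : actor.getId();
    System.out.println("membership add: group=" + bean.getGroup().getName()
        + " subject=" + bean.getMember().getSubjectId()
        + " by=" + who);
  }
}
```

Composite memberships are computed rather than added, so they do not pass through addMember hooks; a veto like this guards direct adds only.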
EXAMPLES
Memberships become LDAP attributes

LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu:

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucIsMemberOf: uc:org:nsit:integration:techag
ucIsMemberOf: uc:org:nsit:srdirs
ucIsMemberOf: uc:org:nsit:integration:iteco:wr
ucIsMemberOf: uc:applications:confluence:NSIT:esx
ucIsMemberOf: uc:org:nsit:integration:iteco:rd
ucIsMemberOf: uc:applications:confluence:NSIT:Directors
ucIsMemberOf: uc:org:nsit:staff
ucIsMemberOf: uc:applications:confluence:NSIT:Everyone
ucIsMemberOf: uc:org:nsit:integration:shib_group
ucIsMemberOf: uc:applications:bulkmail:users
ucIsMemberOf: uc:org:library:gnet:admins
ucIsMemberOf: uc:applications:gnetid:admins
ucIsMemberOf: uc:applications:wireless:authorized
ucIsMemberOf: uc:applications:cmail:users:authorized
ucIsMemberOf: uc:reference:affiliations:effective:staff

Slide callouts: an organizational group (ucIsMemberOf: uc:org:nsit:srdirs), a reference group (ucIsMemberOf: uc:reference:affiliations:effective:staff), and an application authorization group (ucIsMemberOf: uc:applications:vpn:authorized).
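Once memberships are provisioned as ucIsMemberOf values, an application authorizes by searching for its own group name on the user's entry. The following is an added example, not code from the slides or from the Grouper project: a JNDI check for uc:applications:vpn:authorized, with the string-concatenated filter shown beside the parameterized one because a uid taken from user input can otherwise rewrite the filter. The LDAP host, the service bind DN, the base DN and the LDAP_PASSWORD environment variable are assumptions.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

// Added example, not Grouper project code.
public class VpnAuthzCheck {

  static final String BASE  = "ou=people,dc=uchicago,dc=edu";   // assumed base DN
  static final String GROUP = "uc:applications:vpn:authorized";

  // RFC 4515 escaping, for the rare case where a filter must be assembled by hand.
  static String escapeFilterValue(String value) {
    StringBuilder sb = new StringBuilder();
    for (char c : value.toCharArray()) {
      switch (c) {
        case '\\': sb.append("\\5c"); break;
        case '*':  sb.append("\\2a"); break;
        case '(':  sb.append("\\28"); break;
        case ')':  sb.append("\\29"); break;
        case '\0': sb.append("\\00"); break;
        default:   sb.append(c);
      }
    }
    return sb.toString();
  }

  // UNSAFE, shown for contrast only: a uid of  *)(ucIsMemberOf=*  turns this into a
  // filter that matches every entry with any membership, so anyone is "authorized".
  static String unsafeFilter(String uid) {
    return "(&(uid=" + uid + ")(ucIsMemberOf=" + GROUP + "))";
  }

  // Safe: JNDI substitutes {0}/{1} with RFC 4515 escaping applied, so user input
  // can only ever be compared as a value, never parsed as filter syntax.
  static boolean isAuthorized(DirContext ctx, String uid) throws Exception {
    SearchControls sc = new SearchControls();
    sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
    sc.setReturningAttributes(new String[] {"uid"});   // do not pull the whole entry
    NamingEnumeration<SearchResult> results = ctx.search(BASE,
        "(&(uid={0})(ucIsMemberOf={1}))", new Object[] {uid, GROUP}, sc);
    try {
      return results.hasMore();
    } finally {
      results.close();
    }
  }

  public static void main(String[] args) throws Exception {
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
    env.put(Context.PROVIDER_URL, "ldaps://ldap.example.edu:636");             // assumed host
    env.put(Context.SECURITY_AUTHENTICATION, "simple");
    env.put(Context.SECURITY_PRINCIPAL, "cn=vpn-app,ou=services,dc=uchicago,dc=edu"); // assumed
    env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_PASSWORD"));   // assumed
    DirContext ctx = new InitialDirContext(env);
    try {
      System.out.println(args[0] + " authorized: " + isAuthorized(ctx, args[0]));
    } finally {
      ctx.close();
    }
  }
}
```

The service account needs only read access to uid and ucIsMemberOf under the people branch; binding over ldaps keeps the password and the membership values off the wire in clear.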
UChicago: simple delegation examples
• Wireless & VPN
• Guest network ID management
• Business Objects access
• Different groups, different authorities

[Diagram: how the authorized group is derived. Groups shown: student, staff, alum, hospital, postdoc, eligible, unauthorized, locked, authorized, and a "closure" step; the population groups feed eligible, and authorized is eligible less locked.]
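The core-concepts and delegation slides above, and the VPN example in particular, come together in the following added example, which is not code from the slides or from the Grouper project. It builds the authorized-is-eligible-minus-locked pattern with composite groups, gives a help-desk subject UPDATE and READ privileges on "locked" only, and then acts as that subject to lock a person out. The folder uc:applications:vpn is taken from this deck; the group extensions, the subject ids alice, bob and helpdesk1, and the three-argument GroupFinder.findByName / two-argument SubjectFinder.findById forms (Grouper 1.5/2.x) are assumptions.

```java
import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Member;
import edu.internet2.middleware.grouper.Stem;
import edu.internet2.middleware.grouper.StemFinder;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.misc.CompositeType;
import edu.internet2.middleware.grouper.privs.AccessPrivilege;
import edu.internet2.middleware.subject.Subject;

// Added example, not Grouper project code. Subject ids are made up.
public class VpnAccessExample {

  public static void main(String[] args) throws Exception {
    // The root session has every privilege: use it for the one-time setup only.
    GrouperSession root = GrouperSession.startRootSession();
    try {
      Stem vpn = StemFinder.findRootStem(root)
          .addChildStem("uc", "uc")
          .addChildStem("applications", "applications")
          .addChildStem("vpn", "vpn");

      // Source populations. In production these come from the Loader or from
      // reference groups; direct adds here only keep the example self-contained.
      Group staff      = vpn.addChildGroup("staff", "staff");
      Group students   = vpn.addChildGroup("students", "students");
      Group locked     = vpn.addChildGroup("locked", "locked");
      Group eligible   = vpn.addChildGroup("eligible", "eligible");
      Group authorized = vpn.addChildGroup("authorized", "authorized");

      Subject alice    = SubjectFinder.findById("alice", true);
      Subject bob      = SubjectFinder.findById("bob", true);
      Subject helpdesk = SubjectFinder.findById("helpdesk1", true);
      staff.addMember(alice);
      students.addMember(bob);

      // eligible = staff UNION students; authorized = eligible COMPLEMENT locked.
      // Composite membership is computed, so nobody can be added to "authorized"
      // directly: the only way in is a source group, the only way out is "locked".
      eligible.addCompositeMember(CompositeType.UNION, staff, students);
      authorized.addCompositeMember(CompositeType.COMPLEMENT, eligible, locked);

      // Delegation: the help desk can change and read "locked", and nothing else.
      locked.grantPriv(helpdesk, AccessPrivilege.UPDATE);
      locked.grantPriv(helpdesk, AccessPrivilege.READ);
    } finally {
      GrouperSession.stopQuietly(root);
    }

    // Act as the help desk and lock bob out. Grouper checks the UPDATE grant on
    // "locked"; the same addMember on "staff" would throw InsufficientPrivilegeException.
    GrouperSession helpdeskSession = GrouperSession.start(SubjectFinder.findById("helpdesk1", true));
    try {
      Group locked = GroupFinder.findByName(helpdeskSession, "uc:applications:vpn:locked", true);
      locked.addMember(SubjectFinder.findById("bob", true));
    } finally {
      GrouperSession.stopQuietly(helpdeskSession);
    }

    // Read back the computed result: alice is still authorized, bob no longer is.
    GrouperSession check = GrouperSession.startRootSession();
    try {
      Group authorized = GroupFinder.findByName(check, "uc:applications:vpn:authorized", true);
      System.out.println("alice: " + authorized.hasMember(SubjectFinder.findById("alice", true)));
      System.out.println("bob:   " + authorized.hasMember(SubjectFinder.findById("bob", true)));
      for (Member m : authorized.getMembers()) {
        System.out.println("authorized member: " + m.getSubjectId());
      }
    } finally {
      GrouperSession.stopQuietly(check);
    }
  }
}
```

The same calls can be typed into the Grouper Shell. The LDAP provisioning connector then publishes uc:applications:vpn:authorized as a ucIsMemberOf value, which is all the VPN concentrator ever sees; the help desk's authority is confined to the one group that feeds the complement.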
Brown University's Course Group Schema
• Course : [ Subject ] : [ Number ] : [ Term ] : [ Section ]
  • All
  • Administrator
    • Instructor (Provisioned)
    • TeachingAssistant
    • Manager
  • Contributor
    • ContentDeveloper
    • Mentor
  • Learner
    • Student (Provisioned)
    • Auditor
    • Vagabond
• Schema is flattened to provision LDAP
• 12 groups per course provision a hasMember attribute in the Groups OU
• Person objects get isMemberOf pointers to groups
Brown's Application Role Mapping

| MACE Grouper course group           | iTunes     | Majordomo                         | Confluence  | WebCT           |
|-------------------------------------|------------|-----------------------------------|-------------|-----------------|
| All                                 |            | Recipient list, Discussion Sender | Can Use     |                 |
| Administrator                       | Instructor | Broadcast Sender                  | Space Admin |                 |
|   Instructors (provisioned)         |            |                                   |             | Instructor      |
|   Managers                          |            |                                   |             |                 |
|   TAs                               |            |                                   |             | TA and Designer |
| Contributor                         | Instructor |                                   | Space Admin |                 |
|   Content Developers                |            |                                   |             | Designer        |
|   Mentors                           |            |                                   |             |                 |
| Learner                             | Student    |                                   |             |                 |
|   Auditors                          |            |                                   |             | Auditor         |
|   Students (provisioned, read only) |            |                                   |             | Student         |
|   Vagabonds                         |            |                                   |             | Auditor         |
| Other, outside MACE Grouper         |            |                                   | Super Admin | Super Admin(s)  |
NIH's Cancer BioInformatics Grid
NEW IN V1.5
Just released; some capabilities are partial or "experimental"
Lite UI
• AJAX components for simple end-user tasks
• URL links directly to a group
• Integrated within the Grouper UI webapp
• Two entry points: Admin UI & Lite UI
• Admin UI uses the new components too
• More Lite UIs may be contributed by deployers
Performance

[Chart: milliseconds to add one direct membership, by the number of indirect memberships that single add creates, Grouper 1.4.2 vs Grouper 1.5, log scale]

| Indirect memberships from one direct add | Grouper 1.4.2 | Grouper 1.5 |
|------------------------------------------|---------------|-------------|
| 1                                        | 71 ms         | 48 ms       |
| 10                                       | 440 ms        | 48 ms       |
| 100                                      | 16955 ms      | 111 ms      |
Audit
• Who did what when …
• Add/delete/update membership, group, folder, and Grouper privileges
• Attribute definition & assignment
• XML import
• Move/copy group or folder
• Audit reporting via Grouper Admin UI & Grouper Shell
Move & copy
• Copy/move groups/folders to another folder
• Why?
  • Template groups & template folders
  • Update organizational hierarchies
• Old group name optionally continues to refer to the moved group
• Supported by Grouper Admin UI & Grouper Shell (Grouper-WS soon)
Notification
• Near real time provisioning of group info
• Group, membership, folder, and privilege changes
• Serialized
• Provided to registered consumers
• SQL & API access to transactions
• LDAP provisioning connector will use it in v1.6
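The following is an added example of a registered notification consumer, not code from the slides or from the Grouper project. It processes the serialized change log in order, forwards membership adds and deletes for one application group to a local queue file that a downstream provisioning job drains, and returns the sequence number of the last entry it handled so that a failure is redelivered rather than skipped. The consumer API is as in Grouper 2.x (the deck says the connector moves onto it in v1.6); the consumer name vpnSync, the queue path and the watched group name are assumptions. Registered in grouper-loader.properties with changeLog.consumer.vpnSync.class set to the class name and changeLog.consumer.vpnSync.quartzCron to a schedule such as 0 * * * * ?.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.time.Instant;
import java.util.List;

import edu.internet2.middleware.grouper.changeLog.ChangeLogConsumerBase;
import edu.internet2.middleware.grouper.changeLog.ChangeLogEntry;
import edu.internet2.middleware.grouper.changeLog.ChangeLogLabels;
import edu.internet2.middleware.grouper.changeLog.ChangeLogProcessorMetadata;
import edu.internet2.middleware.grouper.changeLog.ChangeLogTypeBuiltin;

// Added example, not Grouper project code.
public class VpnSyncConsumer extends ChangeLogConsumerBase {

  private static final String WATCHED = "uc:applications:vpn:authorized";
  private static final Path QUEUE = Paths.get("/var/lib/grouper/vpn-sync.queue"); // assumed path

  @Override
  public long processChangeLogEntries(List<ChangeLogEntry> entries,
                                      ChangeLogProcessorMetadata metadata) {
    long lastProcessed = -1;
    for (ChangeLogEntry entry : entries) {
      try {
        if (entry.equalsCategoryAndAction(ChangeLogTypeBuiltin.MEMBERSHIP_ADD)) {
          forward("ADD",
              entry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_ADD.groupName),
              entry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_ADD.subjectId));
        } else if (entry.equalsCategoryAndAction(ChangeLogTypeBuiltin.MEMBERSHIP_DELETE)) {
          forward("DEL",
              entry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_DELETE.groupName),
              entry.retrieveValueForLabel(ChangeLogLabels.MEMBERSHIP_DELETE.subjectId));
        }
        // Only advance past an entry once it has been handled.
        lastProcessed = entry.getSequenceNumber();
      } catch (Exception e) {
        // Stop at the failure; Grouper resumes from lastProcessed + 1 on the next run,
        // so a removal is never silently lost (a stale "authorized" entry is the risk here).
        metadata.setHadProblem(true);
        metadata.setRecordException(e);
        metadata.setRecordExceptionText("vpnSync failed at sequence " + entry.getSequenceNumber());
        break;
      }
    }
    return lastProcessed;
  }

  // One line per change for the downstream job; entries for other groups are ignored.
  private void forward(String op, String groupName, String subjectId) throws IOException {
    if (!WATCHED.equals(groupName)) {
      return;
    }
    String line = op + " " + subjectId + " " + Instant.now() + "\n";
    Files.write(QUEUE, line.getBytes(StandardCharsets.UTF_8),
        StandardOpenOption.CREATE, StandardOpenOption.APPEND);
  }
}
```

Because authorized is a composite, its changes arrive as computed (flattened) memberships; a deletion caused by someone landing in "locked" reaches the consumer the same way as a direct removal, which is what makes near-real-time deprovisioning work end to end.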
Attribute framework
• Assign custom attributes to principal Grouper objects
  • Groups
  • Folders
  • Memberships
  • Attributes
• Value types, multi-values, etc
• Attributes are objects in folders, like groups, and their security model is similar to that of groups
Roles & permissions
• Role extends Group, links Subjects with Permissions
• Permission is a type of attribute assigned to a role or to a membership in a role
  • Has an Action qualifier, e.g., Read or Write
  • Permission sets, e.g., organizational hierarchies
• Superior roles inherit subordinate permissions
Grouper & Identity Services
• Grouper’s roles & permissions are only low level capabilities in v1.5
• No high level interfaces have been implemented or even defined yet
• Looking for help with that from MACE-Paccman and from partner sites
• More later in this conference about Grouper and identity service interfaces in Kuali and in uPortal
Grouper roadmap
• Current version is 1.5.1
• v1.6
  • Flattened memberships optimize notifications
  • More attribute types
  • Ldappc-NG = Shibboleth AA + SPMLv2
  • Grouper-KIM connector
  • Subject Web Service
• v2.0
  • Point-in-time audit
  • Role management interface
  • uPortal integration
www.internet2.edu/grouper
MACE/Internet2 IAM work
• Shibboleth
• InCommon Federation
• Grouper
• Comanage
• Identity services & application domestication
• Privilege & access management
  • MACE-paccman working group
  • !Signet
  • Grouper to add some privilege management capability
• MACE-directories working group
  • edu* schema, white papers, etc
Identity services activities & Higher Ed
• MACE-paccman working group
• Kuali Rice
• OSS projects, some JA-SIG affiliated
• Liberty, Identity Gang, etc
• International efforts akin to MACE's
• Advanced CAMP June 2009 in Philly