Grouper: A Toolkit for Managing Groups
Tom Barton, blair christensen, University of Chicago
Fall 2004 I2MM
Outline
The problem with groups
Case study: U Chicago’s “USITE” computer labs
Tour of Grouper
USITE case study revisited
Grouper project status
Bonus round – personal groups
Groups facilitate …
Customization – application UI tailored to user’s affiliations with the organization
Authorization
• “Lightweight” - relationship info feeding access decisions
• “Heavyweight” - assignment of structured privileges to groups
Messaging, scheduling, & collaboration
• Departments, courses, programs, committees, teams, …
Posix naming services
Group management issues
Coordinating many sources of information
Provisioning groups in many locations
Supporting several styles of access to group membership information
Aging of groups and of memberships
Use of subgroups vs. effective membership
Referring to set theoretic combinations of groups (compound groups)
Privacy & visibility requirements
The USITE access problem
Must control access to computers in labs independent of ability to authenticate
U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
• You’ll see “nsit” and “usite” in names of things to follow
USITE access policy
Students
• 23 categories of current students
• Some entitle USITE access, some disenfranchise, others fail to entitle
• Time of year dependency for some categories
Current faculty & staff are entitled
Other more loosely affiliated people are not entitled
Exceptional administrative admits and denies across all categories above
Use of group management
Various elemental USITE-related categories of people are modeled as groups
Subgroups are used to roll-up effective admit or deny status
Some groups are automatically managed, others manually
Some roll-up groups are manually managed to deal with time dependency or change in access policy
Groups model for USITE access (ACL is “shaded green but not red”)
usite_eligible(manual)
admin_admit(manual)
uc:faculty(auto)
uc:staff(auto)
categories of entitled students
time dependent student categories
categories of barred students
admin_deny(manual)
usite_barred(manual)
Management related groups
Management privileges for manually managed groups also need to be managed!
So, more groups list who has what authority in managing groups that mediate USITE access
• Director of Learning Environments
• Lab Managers
• Student staff
Data flow & Grouper’s role in USITE access
[Diagram. Data sources: SIS, HR. Components: Loaders, Grouper API, Person registry, Group registry, Grouper UI, LDAP (entry attributes shown: uid: jdoe, ucAffiliation: …, isMemberOf: …), lab. Actors using the Grouper UI: Dir. Learning Environments, Lab Managers, Student staff.]
Grouper groups
Stored in an RDBMS, the Group Registry
Attributes of groups
• Name
• Description
• Members
Possible to extend the set of attributes to support groups with more specific purposes
Directory of groups
Groups are created within a hierarchy of directories, like files within a computer’s directory system
• Directories are also named
• Sometimes need to use the full name of a group, like the full pathname of a file
• Example: /nsit/usite/admin_admit
The directory delimiter can be configured for different effect
• Example: nsit:usite:admin_admit
Grouper privileges
Access privileges - who has what access (read, write) to a group’s attributes
Naming privileges - who can create a group or subdirectory in what part of the directory of groups
Access privileges
VIEW group’s name in lists & can refer to it, e.g., make it a subgroup of another group
READ basic information about a group
UPDATE membership and administer VIEW, READ, & UPDATE privileges
ADMIN can modify everything, including group name, description, & privileges, and can delete the group
OPTIN can add self to the members list
OPTOUT can remove self from the members list
Naming privileges
STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
• Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege
CREATE a group in a given directory
Built-in privilege implementation
All access & naming privileges can be assigned to individual members or to groups
• Subgroups, compound groups, and aging can be used to manage privileges
Abstracted interfaces are presented for privilege management
• Sites can hook in their own privilege management and bypass Grouper’s built-in system
USITE revisited – Grouper’s role
Make an “nsit:usite” directory in the group registry
Groups created within it
• dir_learning_env, lab_managers, student_staff
• usite_eligible, usite_barred
• admin_admit, admin_deny
Give stem privilege for “nsit:usite” to the Director of Learning Environments
• She can run her groups empire within
USITE group access privileges (unqualified names in nsit:usite namespace; A = ADMIN, U = UPDATE, V = VIEW, R = READ)
usite_eligible: A:dir_learning_env; V,R:all
admin_admit: U:usite_manage; V,R:usite_view
uc:faculty: V,R:all
uc:staff: V,R:all
categories of entitled students, time dependent student categories, categories of barred students: V:all (shown on each student category group in the diagram)
admin_deny: U:usite_manage; V,R:usite_view
usite_barred: A:dir_learning_env; V,R:all
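As an added example (not Grouper's own code; the real Java API is not modelled), the following Python sketch ties the privilege slides to the USITE access model: a registry of groups with ":" as the directory delimiter, subgroups expanded to effective membership, privileges granted to subjects or to groups, and the "shaded green but not red" decision as eligible minus barred. The group names follow the slides; the subject ids and the two students:* stand-in groups are constructed sample data.

```python
from typing import Dict, FrozenSet, Set


class Registry:
    def __init__(self) -> None:
        self.groups: Dict[str, Set[str]] = {}             # full name -> direct members
        self.privs: Dict[str, Dict[str, Set[str]]] = {}   # group -> privilege -> grantees

    def create(self, name: str, *members: str) -> None:
        self.groups[name] = set(members)   # subject ids or full names of other groups (subgroups)
        self.privs.setdefault(name, {})

    def grant(self, group: str, priv: str, grantee: str) -> None:
        self.privs[group].setdefault(priv, set()).add(grantee)

    def effective(self, name: str, seen: FrozenSet[str] = frozenset()) -> Set[str]:
        """Subjects reachable by expanding subgroups; 'seen' guards against cycles."""
        out: Set[str] = set()
        for m in self.groups.get(name, ()):
            if m not in self.groups:
                out.add(m)
            elif m not in seen:
                out |= self.effective(m, seen | {m})
        return out

    def has_priv(self, group: str, priv: str, subject: str) -> bool:
        """Held if granted to the subject directly or to a group the subject is effectively in."""
        return any(g == subject or (g in self.groups and subject in self.effective(g))
                   for g in self.privs.get(group, {}).get(priv, ()))


def usite_access(reg: Registry, subject: str) -> bool:
    """'Shaded green but not red': in the eligible roll-up and not in the barred roll-up."""
    return (subject in reg.effective("nsit:usite:usite_eligible")
            and subject not in reg.effective("nsit:usite:usite_barred"))


def build_usite() -> Registry:
    """Constructed sample data mirroring the slides' model; subject ids are made up."""
    r, p = Registry(), "nsit:usite:"   # ":" as the configured directory delimiter
    r.create("uc:faculty", "prof1")
    r.create("students:entitled", "stu1", "stu2")   # stand-in for entitled categories
    r.create("students:barred", "stu2")             # stand-in for barred categories
    r.create(p + "dir_learning_env", "director")
    r.create(p + "usite_manage", "director", "labmgr1")
    r.create(p + "admin_admit", "guest1")           # exceptional administrative admit
    r.create(p + "admin_deny", "stu1")              # exceptional administrative deny
    r.create(p + "usite_eligible", "uc:faculty", "students:entitled", p + "admin_admit")
    r.create(p + "usite_barred", "students:barred", p + "admin_deny")
    r.grant(p + "admin_admit", "UPDATE", p + "usite_manage")        # U:usite_manage
    r.grant(p + "usite_eligible", "ADMIN", p + "dir_learning_env")  # A:dir_learning_env
    return r
```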
USITE group management privileges (unqualified names in nsit:usite namespace)
Grouper v1 features
API & UI for basic group management
• Create, read, update, delete, import, export
• Distributed management
• Subgroups & compound groups
• Aging of groups and memberships
Abstracted interfaces for
• Group and directory privileges
• Subject lookup
• Last activity
Phases of Grouper v1 development
Phase 1: Basic management and export functions
Phase 2: Compound groups & Signet integration
Phase 3: Aging of groups and memberships
Phase 1 API available before end of year (2004, that is!)
Grouper deliverables
U Chicago - Java API
U Bristol - Java UI
You – contributed loaders & connectors
Subject Lookup implementation
• jointly with Signet project
Group Registry creation scripts & sample batch import/export scripts
Documentation
Grouper UI status
Conceptual mock-up completed
Modular design for look and feel
Grouper & Signet UIs will “leave the factory floor” bearing an I2 family resemblance
Personal groups
Any user can create groups named personal:username:groupname
Good or evil?
• Yeah! Low overhead to let everyone do groups
• Booo! Valuable institutional data squirreled away in unknowable spaces that go away
Configuration:
• on/off
• Root directory for personal namespace (“personal” above)
Further info & participation
MACE-Dir list
MACE-Dir-groups conference calls
http://middleware.internet2.edu/dir/groups