Grouper attributes and privileges
FUTURE features in Internet2 MACE Grouper
June 2009
Chris Hyzer, University of Pennsylvania
Internet2

Slide 2: Introduction
Grouper is an Internet2 open-source funded product
– 5+ years old
– Java, multi-platform, database vendor agnostic
The UPCOMING (fall 2009) 1.5 release will have more access management features
– Many features discussed in this presentation are not implemented, the design is not final, and the timeline for the features is not decided!
– If you have a use case that needs features, let the grouper-dev list know
– Implementation has started
Attribute framework including privileges and roles
This talk will outline some potential features of this enhancement

Slide 3: Penn’s Grouper architecture
(architecture diagram; the slide carries no text in the transcript)

Slide 4: Attribute framework
Define attributes in a namespace (organize and delegate)
– E.g. penn:apps:payroll:schools:engineeringSchool
– Attributes have: uuid, system name, display name, description
Assign attributes to groups, memberships, subjects, stems, or other attributes
– E.g. user John Smith, while in the payrollUsers role, can read engineering school data (in the payroll system)
Allow fields/actions/verbs
– In the above example, there might be “read” or “write”
Attribute could have a value (text, numeric, timestamp)
– E.g. user Jim in the ptoUsers role has the attribute proxyFor 12345678
Attributes could be multivalued
– E.g. proxyFor 12345678 and 12345679

Slide 5: Two attribute security strategies available
Inherit from object (e.g. can read attribute if can read Group)
Custom (similar to how Grouper secures memberships): only certain subjects (people, systems, groups) can:
– Create new attributes
– Admin (edit / delete) attributes
– View that attributes exist
– Read attribute assignments
– Update (add/edit/delete) attribute assignments/values
– Optin to an attribute assignment
– Optout of an attribute assignment

Slide 6: Effective attributes (indirect)
Attributes could be in an attribute set, where an assignment to the parent implies assignment to the descendants
– E.g. if I can read English data, I can read English201 data
Role hierarchies
– E.g. if I am a senior loan administrator, I can do everything a normal loan administrator can do, and more
Effective group memberships
– If a privilege is assigned to the IT department role, and Steven Jones is in the org123 group, which is in the org12 group, which is in the IT department role, then Steven Jones effectively has the privilege

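The three indirection mechanisms on this slide, together with the attribute and assignment model from slide 4, are what a decision point ("does subject X have read on Y?") has to walk through. The Python below is an added illustration written for this transcript; it is not Grouper code and not the Grouper API. The subject ids (jsmith, sjones, akim), the group and role names, the attribute set, the role hierarchy and the assignments are constructed sample data, following the slides' own examples (English/English201, senior vs. normal loan administrator, org123 in org12 in the IT department role) where they exist.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    """A permission (an attribute from the namespace) assigned with an action
    to a whole role, or to one membership (subject in role) when `subject` is set."""
    permission: str
    action: str
    role: str
    subject: Optional[str] = None


# Constructed sample data (hypothetical; names follow the slides' examples).
# Attribute set: assigning the parent implies every permission it lists.
ATTRIBUTE_SET = {
    "penn:apps:payroll:schools:english": {"penn:apps:payroll:schools:english201"},
}
# Role hierarchy: the senior role inherits every permission of the normal role.
ROLE_HIERARCHY = {
    "penn:apps:loans:roles:seniorLoanAdmin": {"penn:apps:loans:roles:loanAdmin"},
}
# Direct members of each group or role (subjects or other groups).
MEMBERS = {
    "penn:apps:payroll:roles:itDepartment": {"penn:org:org12"},
    "penn:org:org12": {"penn:org:org123"},
    "penn:org:org123": {"sjones"},
    "penn:apps:payroll:roles:payrollUsers": {"jsmith", "sjones"},
    "penn:apps:loans:roles:seniorLoanAdmin": {"akim"},
}
ASSIGNMENTS = [
    # the whole IT department role may read org123 payroll data
    Assignment("penn:apps:payroll:orgs:org123", "read",
               "penn:apps:payroll:roles:itDepartment"),
    # only John Smith, while in payrollUsers, may read English school data
    Assignment("penn:apps:payroll:schools:english", "read",
               "penn:apps:payroll:roles:payrollUsers", subject="jsmith"),
    # normal loan administrators may approve loans
    Assignment("penn:apps:loans:actions:approve", "execute",
               "penn:apps:loans:roles:loanAdmin"),
]


def closure(start, edges):
    """Every node reachable from `start` (inclusive) by following `edges`."""
    seen = set(start)
    frontier = list(start)
    while frontier:
        for nxt in edges.get(frontier.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                frontier.append(nxt)
    return seen


def effective_groups(subject, members=MEMBERS):
    """Groups and roles containing `subject`, directly or through nested groups."""
    parents = {}
    for group, direct in members.items():
        for member in direct:
            parents.setdefault(member, set()).add(group)
    return closure({subject}, parents) - {subject}


def effective_roles(subject):
    """Effective groups plus every role implied by the role hierarchy."""
    return closure(effective_groups(subject), ROLE_HIERARCHY)


def has_permission(subject, action, permission, assignments=ASSIGNMENTS):
    """Decision point: does `subject` effectively hold `action` on `permission`?"""
    roles = effective_roles(subject)
    for a in assignments:
        if a.action != action or a.role not in roles:
            continue                   # not in (or implied by) the assigned role
        if a.subject is not None and a.subject != subject:
            continue                   # scoped to someone else's membership
        if permission in closure({a.permission}, ATTRIBUTE_SET):
            return True                # direct hit, or implied via the attribute set
    return False


if __name__ == "__main__":
    print(has_permission("sjones", "read", "penn:apps:payroll:orgs:org123"))          # True
    print(has_permission("jsmith", "read", "penn:apps:payroll:schools:english201"))   # True
    print(has_permission("akim", "execute", "penn:apps:loans:actions:approve"))       # True
    print(has_permission("sjones", "read", "penn:apps:payroll:schools:english201"))   # False
```

Each of the three True answers is reached by a different path: Steven Jones through two levels of nested groups, John Smith through the attribute set on a membership-scoped assignment, and akim through the role hierarchy. The last query fails closed because the English assignment is scoped to one membership, even though sjones is also in payrollUsers.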
Slide 7: Metadata for organizing and user interfaces
Limit permission use
– E.g. permissions in penn:apps:payroll:orgs:% can only be assigned to memberships in roles: penn:apps:payroll:roles:%
Formatting and validation on attribute values
– E.g. timestamps are stored as ints, but displayed with this mask: dd-Mon-yyyy, and must be between now and 10 years from now
Enabled or disabled dates on memberships and attributes
Meta attributes could be used as limits for privileges
– E.g. approve if amount is less than $50,000

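The three kinds of metadata on this slide each guard a different moment: the scope rule is enforced when an assignment is created, value validation when a value is stored or displayed, and a limit when a privilege is exercised. The Python below is an added illustration for this transcript, not Grouper code or the Grouper API. The patterns, the display mask and the $50,000 threshold come from the slide; treating '%' as the only wildcard, encoding the stored int as epoch seconds, counting ten years as ten 365-day years, and the limit name amountLessThan are my assumptions.

```python
import re
from datetime import datetime, timezone

# --- Limit permission use ---------------------------------------------------
# Permission-name pattern -> role-name pattern its assignments are confined to
# (the slide's example; '%' as the wildcard is an assumption).
PERMISSION_SCOPES = {
    "penn:apps:payroll:orgs:%": "penn:apps:payroll:roles:%",
}


def name_matches(pattern, name):
    """Match a Grouper-style name against a pattern whose only wildcard is '%'."""
    regex = ".*".join(re.escape(part) for part in pattern.split("%"))
    return re.fullmatch(regex, name) is not None


def assignment_allowed(permission, role):
    """False when a scoped permission would be assigned to a role outside its scope."""
    for perm_pattern, role_pattern in PERMISSION_SCOPES.items():
        if name_matches(perm_pattern, permission) and not name_matches(role_pattern, role):
            return False
    return True


# --- Formatting and validation of attribute values --------------------------
TEN_YEARS = 10 * 365 * 86400   # seconds; assumption: leap days ignored


def validate_timestamp(stored, now):
    """Both values are ints (epoch seconds, an assumption); the stored value
    must fall between now and ten years from now, as the slide requires."""
    return isinstance(stored, int) and now <= stored <= now + TEN_YEARS


def display_timestamp(stored):
    """Render the stored int with the slide's display mask dd-Mon-yyyy."""
    return datetime.fromtimestamp(stored, tz=timezone.utc).strftime("%d-%b-%Y")


# --- Meta attributes as limits on a privilege -------------------------------
# A limit is a meta attribute attached to a permission assignment and is
# evaluated against the request context when the privilege is used.
LIMIT_CHECKS = {
    "amountLessThan": lambda limit, ctx: "amount" in ctx and ctx["amount"] < limit,
}


def limits_satisfied(limits, context):
    """Every limit on the assignment must hold; an unknown limit fails closed."""
    for name, value in limits.items():
        check = LIMIT_CHECKS.get(name)
        if check is None or not check(value, context):
            return False
    return True


def may_approve(limits, amount):
    """The slide's example: approve only if the amount is under the limit."""
    return limits_satisfied(limits, {"amount": amount})


if __name__ == "__main__":
    print(assignment_allowed("penn:apps:payroll:orgs:org123",
                             "penn:apps:payroll:roles:payrollUsers"))   # True
    print(assignment_allowed("penn:apps:payroll:orgs:org123",
                             "penn:apps:hr:roles:hrUsers"))             # False
    print(display_timestamp(1243814400))                                # 01-Jun-2009
    print(may_approve({"amountLessThan": 50000}, 49999))                # True
    print(may_approve({"amountLessThan": 50000}, 50000))                # False
```

Two choices worth noting: a limit whose name the decision point does not recognise makes the decision fail rather than being ignored, and a missing amount in the request context also fails, so an incomplete request cannot bypass the $50,000 ceiling.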
Slide 8: Leverage existing (and future) Grouper features
Web based J2EE user interface
SOAP / REST web services (lite or batched)
– Including a decision point: does A have read on payroll data for org123?
Command line administrator tool: GSH
Command line client tool / library: Grouper client
Auditing (user auditing and point in time)
Change log / notifications: incremental provisioning out of Grouper
LDAP provisioning
Hooks infrastructure for customizations
Subject API
Composite groups
– E.g. if not an active employee anymore, remove privs
– Whitelist / blacklist
Dynamic groups: maintained by grouperLoader