Managing Authorization with Signet and Grouper

Tom Barton, University of Chicago

Lynn McRae, Stanford University

Page 2: Groups and Privilege management

• Groups
  • Who someone is (identity)
  • Populations sharing a common characteristic
  • Institutional role, departmental, personal

• Privileges
  • What someone can do (permissions)
  • Involves person, action, resource, context

• Exploring Grouper and Signet…
  • Groups for eligibility & authorization
  • Privileges, policy & permissions

Page 3: Stone Age

[Diagram: seven individuals (Clark, Leo, George, Lois, Peter, Nick, Ed) are placed directly into separate access control lists (ACLs) for each function: Admin, Input, Reporting]

Page 4: Middle Ages

[Diagram: functional groups replace per-person ACL entries. Admin: George, Nick. Input: George, Nick, Clark, Lois. Reporting: George, Nick, Clark, Lois, Peter, Leo, Ed]

Functional Groups

Page 5: Renaissance

[Diagram: "role" groups: Owner (George, Nick), Staff (Clark, Lois), Clients (Peter, Leo, Ed). The Admin, Input and Reporting functions are granted to these roles rather than to individuals]

“Role” Groups

Page 6: 20th century

[Diagram: the Admin, Input and Reporting functions are granted to enterprise roles and affiliations (Owner, Staff, Client, Faculty) that come from identity management rather than from the application]

Enterprise roles, affiliations

Identity Management!

Page 7: Groups Management

[Diagram: the Admin, Input and Reporting functions are granted to groups (Admins, Staff, Faculty, Clients); alongside the enterprise roles, groups management adds groups that users maintain themselves]

adds user-maintained groups

Page 8: Something still missing

[Diagram: three applications, each with its own functions (Maint, Input, Reporting; View, Update, Delete; Check out, Submit) and its own mapping of the Admin, Staff and Client groups onto those functions]

Each system interprets policy and sets access rules separately.

Page 9: Privilege Management

[Diagram: the same three applications (Maint, Input, Reporting; View, Update, Delete; Check out, Submit), but each function is now reached through a policy enforcement point (PEP) backed by an Access Manager. Policy is held centrally as permissions (Manage, Read, ReadWrite) assigned to groups (Admins, Staff, Faculty, Clients), roles (Author, Reader) and individuals]

Page 10: Identity & Access Management Reality

• Each person’s online activities are shaped by many Sources of Authority (SoAs)
  • Institutional policy making bodies
  • Resource managers
  • Program/activity/project heads
  • Self

• Management of the information each SoA conveys should be distributed
  • Hook up all of those SoAs to the middleware

• Common middleware infrastructure should be operated centrally
  • So as not to oblige departments/programs/activities to build their own core middleware

Page 11: Connecting SoAs, Integrating with Existing Infrastructure

[Diagram only; not reproduced in the transcript]

Page 12: Relative Roles of Signet & Grouper

RBAC model
• Users are placed into groups (aka “roles”)
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges

Grouper and Signet
• Grouper manages, well, groups
• Signet manages privileges
• Separates responsibilities for groups & privileges

Page 13: The duck test…

Grouper
• Binary info – you’re either in some list or not
• Identity- or affiliation-based access control or distribution
• Identification layer of an encompassing access management scheme
• Locally tweak or combine other groups

Signet
• Structured, qualified info – limits, conditions, scope, …
• Oriented to individuals rather than roles
• Human judgment and chain of authority essential for access decisions
• Enable functional, not just technical, people to manage privileges
• Supports policy control closer to source of authority
• Audit requirements

Page 14: Illustrative Use Cases: Blackboard Collaboration Support

• What
  • Set up tools to support collaboration for “organizations” or groups (in addition to classes)

• Grouper function
  • Registration. The organization liaison is given a group in which to maintain the organization's membership

• Signet function
  • Manage which tools are enabled for which organizations
  • Coordinates services across systems

Page 15: Illustrative Use Cases: Computer Cluster Access

• What
  • Express complex access policy in LDAP attributes that condition workstation login

• Grouper function
  • Group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy
  • Whitelist & blacklist policy exception capability given to cluster administrators
  • Cluster admins tweak classifying hierarchy as needed

• Signet function
  • None at present. Would be used if, for example, departments were to authorize access to their own computer labs

Page 16: Illustrative Use Cases: Expense Management System

• What
  • Import user profile data into an EMS

• Grouper function
  • Maintain EMS-specific organizational hierarchy

• Signet function
  • Assign who gets approval privilege for which parts of the EMS org hierarchy

Page 17: Nutshell Description of Grouper

• A mix of manual and automated processes manages a common Group Registry
  • Stored in an RDBMS
  • Automated processes provision info from the Group Registry into LDAP, AD, or directly into app-specific databases, wherever the value of the info warrants spending the resources to place it there

• Two types of managed objects: groups and namespaces (or “naming stems”)
  • Groups are created/named within a namespace

• Group management authority is delegatable
  • By group or by namespace

Page 18: Grouper Architecture

[Diagram only; not reproduced in the transcript]

Page 19: Group Attributes

[Diagram only; not reproduced in the transcript]

Page 20: Grouper Groups

• Any “subject” can be a group member or privilegee
  • Persons, groups, site-defined subject types
  • Uses the Subject API developed by the Grouper and Signet teams

• Subgroups (now), compound groups (v1.0), and aging (v1.1) of groups and memberships

• Privileges
  • ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT

• Group attribute set can be site-extended

Page 21: Namespaces or Stems

[Diagram only; not reproduced in the transcript]

Page 22: Grouper Namespaces

• Groups are created within namespaces
  • Limits the authority to create and name groups
  • Supports distinct activities with their own authority

• Namespaces can be arranged hierarchically

• Privileges
  • STEM – create subordinate namespaces; assign privs for this namespace
  • CREATE – create groups in this namespace

Page 23: Example: Computer Cluster Access

[Diagram of the group hierarchy; "manual" groups are maintained by people, "auto" groups are loaded from institutional data]

it:labs:eligible (manual)
  it:labs:whitelist (manual)
  uc:faculty (auto)
  uc:staff (auto)
  categories of entitled students (auto)
  time dependent student categories (auto)

it:labs:barred (manual)
  it:labs:blacklist (manual)
  categories of barred students (auto)

Allow access if “eligible” but not “barred”
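The eligibility rule on this slide, worked through as an added example (not code from the presentation or from Grouper): a constructed Groups Registry with nested groups, a transitive membership resolver, and the "eligible but not barred" decision; group and person names are constructed.

```python
# Added example, not from the presentation or the Grouper project: evaluates the
# cluster policy "allow if eligible but not barred" over a constructed Groups
# Registry with nested (sub)groups, the way the slide's hierarchy is drawn.
from __future__ import annotations

# Constructed registry: group name -> direct members. A member is a person id or
# the name of another group (a subgroup). "auto" groups stand for loader-fed
# groups from HR/SIS; "manual" groups are maintained by cluster administrators.
REGISTRY: dict[str, set[str]] = {
    "uc:faculty": {"prof1", "prof2"},                    # auto
    "uc:staff": {"staff1", "jdoe"},                      # auto
    "uc:students:entitled": {"stu1", "stu2", "stu3"},    # auto (entitled categories)
    "uc:students:onleave": {"stu3"},                     # auto (time dependent, barred)
    "it:labs:whitelist": {"guest1"},                     # manual exception
    "it:labs:blacklist": {"stu2"},                       # manual exception
    "it:labs:eligible": {"it:labs:whitelist", "uc:faculty", "uc:staff",
                         "uc:students:entitled"},
    "it:labs:barred": {"it:labs:blacklist", "uc:students:onleave"},
}


def effective_members(group: str, registry: dict[str, set[str]] = REGISTRY,
                      _seen: set[str] | None = None) -> set[str]:
    """Flatten nested memberships: a subgroup's members are members of the parent."""
    seen = _seen if _seen is not None else set()
    if group in seen:          # a hand-edited hierarchy may contain a cycle; do not loop
        return set()
    seen.add(group)
    members: set[str] = set()
    for m in registry.get(group, set()):
        if m in registry:      # subgroup: recurse
            members |= effective_members(m, registry, seen)
        else:                  # person
            members.add(m)
    return members


def is_member_of(subject: str, registry: dict[str, set[str]] = REGISTRY) -> list[str]:
    """Every group the subject is in, directly or transitively: the values that the
    loaders would provision into the person's LDAP isMemberOf attribute."""
    return sorted(g for g in registry if subject in effective_members(g, registry))


def cluster_login_allowed(subject: str, registry: dict[str, set[str]] = REGISTRY) -> bool:
    """The slide's rule: allow access if 'eligible' but not 'barred'. Anyone outside
    the eligible hierarchy is denied, so the decision fails closed."""
    groups = set(is_member_of(subject, registry))
    return "it:labs:eligible" in groups and "it:labs:barred" not in groups


if __name__ == "__main__":
    for who in ("prof1", "guest1", "stu2", "stu3", "nobody"):
        verdict = "allow" if cluster_login_allowed(who) else "deny"
        print(who, is_member_of(who), "->", verdict)
```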

Page 24: Data Flow & Grouper Roles in Computer Cluster Access

[Diagram: SIS and HR feeds run through Loaders, which call the Grouper API to populate the Person Registry and the Groups Registry. People work through the Grouper UI, again via the Grouper API: the Lab Director holds ADMIN, Lab Managers hold UPDATE, On-site staff hold READ. The result is provisioned into LDAP, where a person entry carries uid, ucAffiliation and isMemberOf attributes (uid: jdoe, ucAffiliation: …, isMemberOf: …)]

Page 25: Five Ways to Delegate Group Management

1. Create a group and assign someone to manage its membership (UPDATE)

2. Create a group and assign someone to manage who manages the group’s membership and who can see what about the group (ADMIN)

3. Create a namespace and assign someone to create groups within it (CREATE)

4. Create a namespace and assign someone to manage who can create groups within it (STEM)

5. Allow Self to OPTIN or OPTOUT of membership
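The delegation model of the Grouper Namespaces slide and the five ways above, as an added example (not Grouper's own code). It assumes, because the slides do not say, that ADMIN carries UPDATE/READ/VIEW, UPDATE carries READ/VIEW, READ carries VIEW, that a group's creator receives ADMIN on it and a namespace's creator receives STEM on it; all names are constructed.

```python
# Added example, not Grouper's own code: a small model of the delegation scheme on
# the Namespaces and "Five Ways to Delegate" slides. Assumed, because the slides do
# not state it: ADMIN carries UPDATE/READ/VIEW, UPDATE carries READ/VIEW, READ carries
# VIEW; whoever creates a group gets ADMIN on it and whoever creates a namespace gets
# STEM on it. All names below are constructed.
from __future__ import annotations
from dataclasses import dataclass, field

IMPLIES = {"ADMIN": {"UPDATE", "READ", "VIEW"}, "UPDATE": {"READ", "VIEW"}, "READ": {"VIEW"}}
STEM_PRIVS = {"STEM", "CREATE"}          # namespace privileges; the rest are group privileges


@dataclass
class Registry:
    stems: set[str] = field(default_factory=lambda: {"it"})           # namespaces
    groups: dict[str, set[str]] = field(default_factory=dict)         # group -> direct members
    grants: set[tuple[str, str, str]] = field(default_factory=set)    # (grantee, target, priv)

    def has_priv(self, subject: str, target: str, priv: str) -> bool:
        """Direct grant, grant to a group the subject belongs to, or an implying privilege."""
        grantees = {subject} | {g for g, m in self.groups.items() if subject in m}
        return any(t == target and g in grantees and (p == priv or priv in IMPLIES.get(p, ()))
                   for g, t, p in self.grants)

    def require(self, subject: str, target: str, priv: str) -> None:
        if not self.has_priv(subject, target, priv):
            raise PermissionError(f"{subject} lacks {priv} on {target}")

    def create_stem(self, subject: str, parent: str, name: str) -> str:
        self.require(subject, parent, "STEM")            # way 4: STEM on the parent namespace
        stem = f"{parent}:{name}"
        self.stems.add(stem)
        self.grants.add((subject, stem, "STEM"))         # assumed default for the creator
        return stem

    def create_group(self, subject: str, stem: str, name: str) -> str:
        self.require(subject, stem, "CREATE")            # way 3: CREATE on the namespace
        group = f"{stem}:{name}"
        self.groups[group] = set()
        self.grants.add((subject, group, "ADMIN"))       # assumed default for the creator
        return group

    def grant(self, subject: str, target: str, grantee: str, priv: str) -> None:
        # ways 1 and 2: only ADMIN on a group (STEM on a namespace) may hand out privileges;
        # the grantee may itself be a group, since any subject can be a privilegee
        self.require(subject, target, "STEM" if priv in STEM_PRIVS else "ADMIN")
        self.grants.add((grantee, target, priv))

    def add_member(self, subject: str, group: str, member: str) -> None:
        self.require(subject, group, "UPDATE")           # UPDATE = manage the membership
        self.groups[group].add(member)

    def opt_in(self, subject: str, group: str) -> None:
        self.require(subject, group, "OPTIN")            # way 5: self-service membership only
        self.groups[group].add(subject)


def demo() -> Registry:
    """Constructed scenario: central IT delegates the lab namespace, and the lab
    director delegates membership of the whitelist group to a managers group."""
    r = Registry(grants={("root", "it", "STEM")})
    labs = r.create_stem("root", "it", "labs")
    r.grant("root", labs, "labdirector", "CREATE")
    managers = r.create_group("labdirector", labs, "managers")
    r.add_member("labdirector", managers, "mgr1")          # ADMIN implies UPDATE
    whitelist = r.create_group("labdirector", labs, "whitelist")
    r.grant("labdirector", whitelist, managers, "UPDATE")  # privilege granted to a group
    r.add_member("mgr1", whitelist, "guest1")              # mgr1 holds UPDATE via managers
    return r
```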

Page 26: Signet Privilege Management

• Brings privilege information together in one place -- a “Privilege Registry”

• Provides user access through a common UI, programmatic access through a common API

• Defined independent of specific vendors, systems, releases or technologies

• Provides central reporting, auditing, review

• But distributed management, control

Page 27: Signet Overview

• Analysts define privileges in Signet in “business terms” and specify associated permissions.

• Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority.

• Signet internally maps assigned privileges into system-specific terms needed by applications.

• Privileges are exported, transformed, & provisioned into applications and infrastructure services.

• Signet provides automated lifecycle controls

Page 28: Privileges Building Blocks

Business view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions

System view
• Permissions
  • Subject
  • Action
  • Resource

• Analysts define privileges in Signet in “business terms” and specify associated permissions.

Page 29: Signet Components

Subsystems
• Define domains of ownership and responsibility
• Reflect real world boundaries
• Can be large or small

[Diagram: example subsystems: Financial system, Student Administration, HR system, Network access management, Research administration, Clinical resources, Subscription services; Signet (Privilege Registry) and Grouper (Group Registry) also appear as subsystems]

Page 30: Business View

Subsystems contain…

Limits: qualifiers and constraints on a privilege.

Scope: the organizational hierarchy governing distributed delegation.

Functions: the things a person can do; what they are getting privileges for.

Categories: a useful arrangement of functions within a subsystem, for reporting and ease of use.

Page 31: Business View

[Diagram: a subsystem is broken into categories, which organize functions, each of which may carry limits.
Subsystems: Clinical Trial; Student Admin
Categories: Protocol A, Materials Control (Clinical Trial); Course Support, Financial Aid (Student Admin)
Functions: Patient Records, Manage Grant, Lab Access Admin; Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts
Limits: Which term, From Fund…, Read/Write, Hours, For school…, For fund…, Which campus, Qty/day, $ constraints]

Categories: organizing actions

Page 32: Signet User Interface

• Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.

Page 33: Systems View

Permissions
• Atomic units of control that map to specific access rules in systems.
• Include limits that must be evaluated when interpreting permissions.

Resources
• The target of a specific privilege; things that have access rules to control their use.

• Signet internally maps assigned privileges into system-specific terms needed by applications.

Page 34: Business View Permissions

[Diagram: business-view categories and functions of the Student Admin subsystem mapped onto system-view resources and permissions.
Categories and functions: Course Support (Add/Drop students, Schedule Classes); Financial Aid (Process Applicants, Award Scholarships, Manage Accounts)
Resources: Calendar, Course, Facilities, Financial, Student
Permissions: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room]

Page 35: Systems Integration

• Toolkit interface
  • Privileges document
    • XML representation of privileges for an individual or group.
    • Compatible with SAML and XACML representations of Subjects and Access Rules.

• Integration
  • Site-specific
  • Provisioning connectors
  • LDAP access

• Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services.

Page 36: Privileges Document

<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject id="[email protected]" xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectType>person</subj:SubjectType>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Permission subsystem="biomed" id="patient-record-access">
    <Limit id="protocol">
      <LimitValue>2005-formula-a</LimitValue>
      <LimitValue>2005-formula-b</LimitValue>
    </Limit>
  </Permission>
  <Permission subsystem="biomed" id="approve-requisitions">
    <Limit id="spending-limit">
      <LimitValue>none</LimitValue>
    </Limit>
  </Permission>
</Privileges>
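A consumer of the document above, added here as an example (not Signet's toolkit code): a namespace-aware parser for the Privileges document plus the check a policy enforcement point would make, which fails closed when a permission or limit is absent. The subject id "jpoole" in the embedded sample is a constructed value.

```python
# Added example, not Signet's own toolkit code: parses a Privileges document of the
# shape shown on the slide and answers the question a policy enforcement point would
# ask. The subject id "jpoole" is a constructed value.
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

SIGNET_NS = "http://middleware.internet2.edu/signet"
SUBJECT_NS = "http://middleware.internet2.edu/subject"

# Constructed document following the slide's layout.
SAMPLE_DOC = f"""<Privileges xmlns="{SIGNET_NS}">
  <subj:Subject id="jpoole" xmlns:subj="{SUBJECT_NS}">
    <subj:SubjectType>person</subj:SubjectType>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Permission subsystem="biomed" id="patient-record-access">
    <Limit id="protocol">
      <LimitValue>2005-formula-a</LimitValue>
      <LimitValue>2005-formula-b</LimitValue>
    </Limit>
  </Permission>
  <Permission subsystem="biomed" id="approve-requisitions">
    <Limit id="spending-limit"><LimitValue>none</LimitValue></Limit>
  </Permission>
</Privileges>"""


@dataclass
class Permission:
    subsystem: str
    id: str
    limits: dict[str, list[str]] = field(default_factory=dict)   # limit id -> allowed values


@dataclass
class PrivilegesDoc:
    subject_id: str
    subject_type: str
    subject_name: str
    permissions: list[Permission]


def parse_privileges(xml_text: str) -> PrivilegesDoc:
    """Namespace-aware parse; rejects documents that are not Signet Privileges."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != f"{{{SIGNET_NS}}}Privileges":
        raise ValueError(f"unexpected root element {root.tag}")
    subj = root.find(f"{{{SUBJECT_NS}}}Subject")
    if subj is None or not subj.get("id"):
        raise ValueError("Privileges document has no identified Subject")
    perms = []
    for p in root.findall(f"{{{SIGNET_NS}}}Permission"):
        limits = {
            lim.get("id"): [v.text.strip() for v in lim.findall(f"{{{SIGNET_NS}}}LimitValue") if v.text]
            for lim in p.findall(f"{{{SIGNET_NS}}}Limit")
        }
        perms.append(Permission(p.get("subsystem", ""), p.get("id", ""), limits))
    return PrivilegesDoc(subj.get("id"),
                         subj.findtext(f"{{{SUBJECT_NS}}}SubjectType", ""),
                         subj.findtext(f"{{{SUBJECT_NS}}}SubjectName", ""),
                         perms)


def permitted(doc: PrivilegesDoc, subsystem: str, permission_id: str, **limits: str) -> bool:
    """PEP-side check: the permission must be present and every limit the caller asks
    about must exist on it with the requested value. A limit the document does not
    carry cannot be satisfied, so the check fails closed."""
    for p in doc.permissions:
        if p.subsystem == subsystem and p.id == permission_id:
            return all(val in p.limits.get(lim, []) for lim, val in limits.items())
    return False
```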

Page 37: Provisioning Permissions into Applications (connectors)

[Diagram: a Privileges document (Subject plus Permission elements) or the API delivers permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) on resources (Calendar, Course, Facilities, Financial, Student) through connectors into the applications: Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student]

Page 38: Provisioning Permissions into Infrastructure (LDAP)

[Diagram: the same permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) on resources (Calendar, Course, Facilities, Financial, Student) are provisioned into the Directory as eduPersonEntitlement values, from which the applications (Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student) read them]

Page 39: Privileges Lifecycle

Conditions
• Provide automatic revocation of privileges
• Date controls -- from date, until date
• Based on person’s status, affiliation, etc., e.g., as long as person is at Stanford

Prerequisites
• Pre-conditions that must be met to activate privileges, e.g., training

• Signet provides automated lifecycle controls

Page 40: Other features

Assignments can be
• To an individual
• To a Group

With/without ability to further delegate
• Distributed delegation using organizational hierarchy
• Records “chain of command”

Proxy assignment
• Temporary granting of one’s privilege to another

Page 41: Privilege Elements by Example

By authority of the Dean (grantor)
principal investigators (grantee: group/role)
who have completed training (prerequisite)
can approve purchases (function)
in the School of Medicine (scope)
for research projects (resource)
up to $100,000 (limit)
until January 1, 2006, as long as a faculty member at… (conditions: privilege lifecycle)
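The Dean's privilege from this slide, together with the conditions and prerequisites of the Privileges Lifecycle slide, evaluated as an added example (not Signet's code). Assumed here: scope is a colon-separated organizational path so a grant at the school covers its departments, the "until" date is exclusive, and all identifiers are constructed.

```python
# Added example, not Signet's own code: evaluates the privilege from this slide
# ("By authority of the Dean, principal investigators who have completed training can
# approve purchases in the School of Medicine for research projects up to $100,000,
# until January 1, 2006, as long as a faculty member"). Assumed here: scope is a
# hierarchy written as a colon-separated path, so a grant at the school covers its
# departments; "until" is exclusive; all identifiers are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Privilege:
    grantor: str
    grantee: str                  # an individual id or a group/role name
    function: str
    scope: str
    resource: str
    limit_usd: int | None
    prerequisites: frozenset[str]
    until: date | None            # condition: date control
    affiliation: str | None       # condition: e.g. "as long as a faculty member"


@dataclass
class Person:
    id: str
    roles: set[str]
    affiliations: set[str]
    completed: set[str]           # prerequisites on record, e.g. training


DEAN_GRANT = Privilege(
    grantor="dean", grantee="principal-investigators", function="approve-purchases",
    scope="school-of-medicine", resource="research-projects", limit_usd=100_000,
    prerequisites=frozenset({"training"}), until=date(2006, 1, 1), affiliation="faculty",
)


def in_scope(granted: str, requested: str) -> bool:
    """A grant at one level of the organizational hierarchy covers the units below it."""
    return requested == granted or requested.startswith(granted + ":")


def decide(priv: Privilege, who: Person, function: str, scope: str, resource: str,
           amount_usd: int, today: date) -> tuple[bool, str]:
    """Returns (allowed, reason). Every element of the privilege is checked and the first
    failing one is reported; the lifecycle conditions revoke the privilege automatically."""
    if priv.grantee != who.id and priv.grantee not in who.roles:
        return False, "not the grantee"
    missing = priv.prerequisites - who.completed
    if missing:
        return False, "prerequisite not met: " + ", ".join(sorted(missing))
    if priv.until is not None and today >= priv.until:
        return False, f"expired on {priv.until.isoformat()}"
    if priv.affiliation and priv.affiliation not in who.affiliations:
        return False, f"condition failed: no longer {priv.affiliation}"
    if function != priv.function or resource != priv.resource:
        return False, "wrong function or resource"
    if not in_scope(priv.scope, scope):
        return False, f"outside scope {priv.scope}"
    if priv.limit_usd is not None and amount_usd > priv.limit_usd:
        return False, f"exceeds limit ${priv.limit_usd:,}"
    return True, "allowed"
```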

Page 42: Subject API: Site IAM Integration Requirements

• Subject - a person, group, application, or other type of object whose identity is managed by your IAM system

• Abstract the underlying technology and data model from a relying application

• Enable alternate identifier namespaces to be selected to match application needs
  • Username vs. opaque registryID vs. …

• Scenarios
  • Map authenticated user to internal security principal
  • Reference/search objects within application

Page 43: Subject API: Integration with Site’s IAM

[Diagram only; not reproduced in the transcript]

Page 44: Subject API: More Info

• Subject and Source interface specs are at v0.1 – they may yet change
  • Searching
  • Some per-subjectType methods?

• A JDBC source adapter is included now; a JNDI source adapter will be provided in a subsequent release

• Grouper includes a GroupSourceAdapter that is a provider of ‘group’ subjectTypes from the Groups Registry

• Subject API will not support the Join function

Page 45: Signet & Grouper Roadmaps

• Now available
  • Grouper v0.6. Basic group management, full GUI
  • Demo release of Signet v0.5 toolkit and UI

• Signet Roadmap
  • v0.6, early October 2005 – designated drivers, history
  • v1.0, late November 2005 – lifecycle conditions, XML
  • v1.x Toolkit / API release

• Grouper Roadmap
  • v0.9, mid-November 2005 – internal refactoring, some enhancement
  • v1.0, mid-January 2006 – compound groups
  • v1.1, mid-March 2006 – group & membership aging

Page 46: Resources & Participation

• Grouper
  • team: University of Chicago & University of Bristol
  • http://middleware.internet2.edu/dir/groups/grouper/

• Signet
  • team: Stanford University
  • http://middleware.internet2.edu/signet/

• Internet2 Middleware Initiative
  • http://middleware.internet2.edu/
  • Documents, tarballs, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions