Title: Handling Groups and Permissions: Grouper and Signet and uPortal
Slide 1: Handling Groups and Permissions: Grouper and Signet and uPortal
JA-SIG, Vancouver, BC, 06/06/06
- Lynn McRae, Stanford University
- Keith Hazelton, University of Wisconsin
- With thanks to Tom Barton, University of Chicago
Slide 2: Identity Access Management
- A person's privileges are shaped by many Sources of Authority
  - Institutional policy-making bodies
  - Resource managers
  - Program/activity heads
  - Individuals -- friends and self
- Management of privileges should be distributed
  - Hook up all of the Sources of Authority to the middleware
- Common middleware infrastructure should be operated centrally
  - Departments/programs/activities/applications should not have to build their own core middleware
  - Resources should be shared through the infrastructure
Slide 3: Access Control Decision
- Q: Subject, Resource, Action, Context
  - Subject: who or what wants to take an action
  - Resource: what the action is against, e.g., file, building, data, service, etc.
  - Action: what they want to do, e.g., view, modify, enter, approve, run, etc.
  - Context: time of day, academic term, weather, etc.
- A: Policy interpretation and decision, e.g.
  - Resource and action are available to a group, e.g., Faculty at MIT, Students in a class
  - Available to anyone with an entitlement for the service
Slide 4: ...by any other name
The elements of the access control decision, as named in Signet/XACML and in the uPortal Permission model:

  Signet and XACML   uPortal Permission
  Subject            Principal
  Action             Activity
  Resource           Target
  Context            (no uPortal equivalent listed)
Slide 5: Policy-based authorization
[Diagram: an Identity Provider and a Service Provider; elements Subject, Action, Resource, Context, Rules, Policy]
- Subject tries to access resource (authd)
- Provider evaluates required identity attributes against rules for resource
- Provider grants or denies access
Slide 6: Policy interpretation
- Policy can be very simple
  - In group uportal-sysadmins
  - In role faculty
- or more and more complicated
  - Faculty in Law School
  - or designated TAs
  - or other faculty teaching a Law School course
  - for courses offered this term
  - can or cannot submit grades
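The decision on slides 3 to 6 is a function of (Subject, Resource, Action, Context). The following is an added example, not code from the slides or from Grouper/Signet, that writes both the simple group-membership policy and the compound Law School grade-submission rule as such a function; the group names ("law:faculty", "uportal-sysadmins"), attribute names and the sample subjects and courses are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Set

@dataclass
class Subject:
    id: str
    groups: Set[str]                                   # groups/roles the subject is in
    teaching: Set[str] = field(default_factory=set)    # course ids the subject teaches
    ta_for: Set[str] = field(default_factory=set)      # course ids the subject is a designated TA for

@dataclass
class Course:          # the Resource in this example
    id: str
    school: str        # constructed value, e.g. "law"
    term: str          # term in which the course is offered

@dataclass
class Context:
    current_term: str

def simple_policy(subject: Subject, required_group: str) -> bool:
    """The simplest policy on the slide: membership in one group or role."""
    return required_group in subject.groups

def may_submit_grades(subject: Subject, course: Course, ctx: Context) -> bool:
    """The compound rule: Law School faculty, or designated TAs, or other faculty
    teaching the course, for Law School courses offered this term."""
    # Context and resource scope first: only this term's Law School courses qualify.
    if course.school != "law" or course.term != ctx.current_term:
        return False
    is_law_faculty = "law:faculty" in subject.groups
    is_designated_ta = course.id in subject.ta_for
    teaches_course = "faculty" in subject.groups and course.id in subject.teaching
    return is_law_faculty or is_designated_ta or teaches_course

def decide(subject: Subject, resource: Course, action: str, ctx: Context) -> str:
    """Q: (Subject, Resource, Action, Context) -> A: 'permit' or 'deny'.
    Any action without a matching policy falls through to deny."""
    if action == "submit_grades" and may_submit_grades(subject, resource, ctx):
        return "permit"
    return "deny"

if __name__ == "__main__":
    # Constructed sample data
    ctx = Context(current_term="2006-spring")
    law101 = Course("LAW101", "law", "2006-spring")
    prof = Subject("prof", {"faculty", "law:faculty"})
    ta = Subject("ta", {"student"}, ta_for={"LAW101"})
    student = Subject("stu", {"student"})
    for s in (prof, ta, student):
        print(s.id, decide(s, law101, "submit_grades", ctx))
```

Note that the context check (which term it is) is evaluated before any subject attribute: the same faculty member is denied for last term's course, which is the point of carrying Context alongside Subject, Resource and Action.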
Slide 7: Groups and Privileges
- Two kinds of Subject information are used in making access control decisions
  - Who you are
    - aka groups or roles
    - cf. RBAC
  - What you can do
    - aka privileges
    - cf. value-based authority or row-based authority
- Both types of information are conveyed through attributes about a person
- Grouper and Signet are tools that let you enrich descriptive attributes about people in both ways
Slide 8: Big picture, without Grouper/Signet
[Diagram only]
Slide 9: Filling the gap
[Diagram: HR and SIS Courses feed Identity Management, which releases attributes via Shib; example attributes: Affiliation: faculty; Instructor: CS-313]
Slide 10: Extending Course infrastructure
[Diagram: as on slide 9, plus a course-level group Class CS-313 TA managed by The Professor and exposed as isMemberOf: CS-313, released via Shib]
Slide 11: Privilege management
[Diagram: Identity Management holds affiliations plus per-person privileges, released via Shib]
- James Billington: special_collections (manuscripts, view), (king_papers, copy); printing (max100)
- Marc Crawford: athletic (golf_course); facilities (pool, after5)
- Marin Alsop: blackboard (music103); music (practice_room)
Slide 12: uPortal-specific permissions
[Diagram: Identity Management holds affiliations plus uPortal permissions, released via Shib]
- Affiliation: temp; uportal_access (level1), with an expiration date
- Dept Admin: tab_admin (module3), tab_admin (module8), as long as staff
- Portal Admin
Slide 13: Big picture, without Grouper/Signet
[Diagram only]
Slide 14: Big picture
[Diagram only]
Slide 15: Signet / Grouper Overview
[Diagram only]
Slide 16: Grouper
- Grouper
  - Middleware software/toolkit
  - User access through a common UI
  - Program access through a common API
- Defines a Groups Registry
  - Brings scattered, duplicative groups together for re-use
  - Allows useful actions on these groups -- group math, group nesting, exclusion criteria
  - Hierarchical name-space (names, stems, substems)
  - Can leverage existing group information
- Supports the creation of new groups
  - By schools, departments, and individuals!
- Distributed/delegated model of control
Slide 17: Signet
- Signet
  - Middleware software/toolkit
  - User access through a common UI
  - Program access through a common API
- Brings privilege information together in one place -- a Privilege Registry
  - Central granting, can apply across multiple systems
  - Central reporting, history, auditing, review
  - Accessible to managers AND holders of privileges
  - Independent of specific vendors, systems, releases or technologies
- Distributed/delegated model of control
Slide 18: Shared Subject API
- Subject: a person, group, application, or other type of object whose identity is managed by your IAM system
- Abstracts the underlying technology and data model from a relying application
- Source Adapters
  - Identify attributes/columns distinguished as subjectID, name and description
  - Specify back-end-specific searches for each type and each search method
    - Select
    - Search by identifier
    - Search
Slide 19: Grouper Overview
- A mix of manual and automated processes manage a common Groups Registry
  - Stored in an RDBMS
- Automated processes provision info from the Groups Registry into LDAP, AD, directly into application-specific databases, wherever the value of the info warrants spending the resources to place it there
- Two types of managed objects: groups and naming stems
  - Groups are created and named within a naming stem
- Group management authority is delegatable
  - By group or by naming stem
Slide 20: Grouper Groups
- Any subject can be a group member or privilegee
  - Persons, groups, site-defined subject types
  - Uses the Subject API developed by the Grouper/Signet teams
- Subgroups (now), composite groups (v1.0), and aging (v1.1) of groups and memberships
- Privileges
  - ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
- Group attribute set can be site-extended
Slide 21: Naming Stems
- Groups are created with naming stems
  - Limits the authority to create and name groups
  - Supports distinct activities with their own authority
- Naming stems can be arranged hierarchically
  - e.g., uc, uc:nsit, uc:nsit:labs
- Privileges
  - STEM
    - Create subordinate naming stems
    - Assign privs for this naming stem
  - CREATE: create groups with this naming stem
Slide 22: Composite Groups
- Membership is defined by composing the memberships of 2 other groups
  - A = B ∪ C  (union)
  - A = B ∩ C  (intersection)
  - A = B − C  (relative complement)
- Common use: tweak existing groups
  - Whitelist or blacklist factored in to another group
Slide 23: Example: Computer Cluster Access
Allow access if in (nsit:labs:eligible − nsit:labs:barred)
- nsit:labs:eligible (manual)
- nsit:labs:barred (manual)
- nsit:labs:whitelist (manual)
- nsit:labs:blacklist (manual)
- uc:faculty (auto)
- uc:staff (auto)
- categories of entitled students (auto)
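The composite operations of slide 22 and the cluster-access rule of slide 23, worked through as an added example (Python sets, not Grouper's Java API). A composite has exactly two factor groups, so a union of more than two feeder groups is built by chaining. The slide lists which groups are manual and which are auto-loaded but not how eligible and barred are assembled from them; the composition used here, the extra feeder group uc:staff:leave and all membership data are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

@dataclass
class Group:
    name: str                                          # stem path + ':' + extension
    members: Optional[Set[str]] = None                 # direct members (manual or auto-loaded)
    composite: Optional[Tuple[str, str, str]] = None   # (op, left factor, right factor)

Registry = Dict[str, Group]

def effective_members(registry: Registry, name: str) -> Set[str]:
    """Resolve a group to its effective membership, recursing through composites."""
    g = registry[name]
    if g.composite is None:
        return set(g.members or ())
    op, left, right = g.composite
    l = effective_members(registry, left)
    r = effective_members(registry, right)
    if op == "union":
        return l | r
    if op == "intersection":
        return l & r
    if op == "complement":          # relative complement: in left but not in right
        return l - r
    raise ValueError(f"unknown composite op {op!r}")

def is_member(registry: Registry, name: str, subject: str) -> bool:
    return subject in effective_members(registry, name)

def build_registry() -> Registry:
    """Sample registry for the cluster-access slide (all data constructed)."""
    reg: Registry = {}
    def add(name, members=None, composite=None):
        reg[name] = Group(name, members, composite)
    # Auto-loaded from systems of record
    add("uc:faculty", {"prof1", "prof2"})
    add("uc:staff", {"staff1", "staff2"})
    add("uc:students:entitled", {"stu1", "stu2", "stu3"})
    add("uc:staff:leave", {"staff2"})                 # assumed feeder: staff on leave
    # Manually maintained tweaks
    add("nsit:labs:whitelist", {"visitor1"})
    add("nsit:labs:blacklist", {"stu3", "prof2"})
    # Assumed composition: eligible = faculty U staff U entitled U whitelist (chained unions)
    add("nsit:labs:auto1", composite=("union", "uc:faculty", "uc:staff"))
    add("nsit:labs:auto", composite=("union", "nsit:labs:auto1", "uc:students:entitled"))
    add("nsit:labs:eligible", composite=("union", "nsit:labs:auto", "nsit:labs:whitelist"))
    # Assumed composition: barred = blacklist U staff on leave
    add("nsit:labs:barred", composite=("union", "nsit:labs:blacklist", "uc:staff:leave"))
    # The slide's rule: allow if in (eligible - barred)
    add("nsit:labs:access", composite=("complement", "nsit:labs:eligible", "nsit:labs:barred"))
    return reg

def cluster_access(registry: Registry) -> Set[str]:
    return effective_members(registry, "nsit:labs:access")

if __name__ == "__main__":
    reg = build_registry()
    print(sorted(cluster_access(reg)))
```

Because the exclusion is the right factor of a complement, anyone placed on the blacklist is removed from access even if they also arrive through an auto-loaded feeder group, which is the "blacklist factored in to another group" use on slide 22; the whitelist works the same way on the eligible side.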
Slide 24: Systems Integration
- API
- XML Import/Export Tool
  - Snapshots the Groups Registry, including naming stems and privileges
    - A single group
    - All subordinate to a specified naming stem
    - All matching a search condition
    - Entire Registry
Slide 25: uPortal - Grouper Example: Managing e-Reserves
- Task: Some library staff can manage e-Reserves (a group of some 100 members)
  - Library knows who they are
  - So let's delegate management of the group to them
  - Well...
Slide 26: Example: Managing e-Reserves
- With uPortal today, the privilege to manage groups is on or off for a given person
  - Delegating group management to library staff gives authority over all groups
  - So instead, a central IT staff person manages e-Reserve group membership
Slide 27: Example: Managing e-Reserves
- If uPortal used Grouper
  - Create a library stem
  - One assignment by central IT staff to a library staff member giving them STEM privilege over the library stem
  - They in turn create an e-Reserve group under that stem and manage its membership
  - And the Grouper UI gives them a good way to do that
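The naming-stem privileges of slide 21 (STEM, CREATE) and the e-Reserves delegation of slides 25 to 27, modelled as an added example (a small registry in Python, not Grouper's own API). The rules encoded are the ones the slides state: STEM on a stem lets you create sub-stems and assign privileges on that stem, CREATE lets you create groups under it, and ADMIN/UPDATE on a group let you manage its membership. The assumption that the creator of a stem receives STEM on it and the creator of a group receives ADMIN, the top-level stem "uw" and the subject names are constructed here.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

STEM_PRIVS = {"STEM", "CREATE"}                                       # privileges on naming stems
GROUP_PRIVS = {"ADMIN", "UPDATE", "READ", "VIEW", "OPTIN", "OPTOUT"}  # privileges on groups

class NotAuthorized(Exception):
    pass

@dataclass
class Registry:
    stems: Set[str] = field(default_factory=set)
    groups: Dict[str, Set[str]] = field(default_factory=dict)              # group -> members
    privs: Dict[Tuple[str, str], Set[str]] = field(default_factory=dict)   # (object, priv) -> holders

    def has(self, subject: str, obj: str, priv: str) -> bool:
        return subject in self.privs.get((obj, priv), set())

    def add_priv(self, obj: str, priv: str, subject: str) -> None:
        self.privs.setdefault((obj, priv), set()).add(subject)

    def grant(self, actor: str, obj: str, priv: str, subject: str) -> None:
        """Assign a privilege. Assumed rule: STEM on a stem is needed to assign stem
        privileges; ADMIN on a group is needed to assign group privileges."""
        if priv in STEM_PRIVS:
            needed, container = "STEM", self.stems
        elif priv in GROUP_PRIVS:
            needed, container = "ADMIN", self.groups
        else:
            raise ValueError(f"unknown privilege {priv}")
        if obj not in container:
            raise KeyError(obj)
        if not self.has(actor, obj, needed):
            raise NotAuthorized(f"{actor} lacks {needed} on {obj}")
        self.add_priv(obj, priv, subject)

    def create_stem(self, actor: str, parent: str, extension: str) -> str:
        """Requires STEM on the parent; the creator gets STEM on the new stem (assumed)."""
        if not self.has(actor, parent, "STEM"):
            raise NotAuthorized(f"{actor} lacks STEM on {parent}")
        name = f"{parent}:{extension}"
        self.stems.add(name)
        self.add_priv(name, "STEM", actor)
        return name

    def create_group(self, actor: str, stem: str, extension: str) -> str:
        """Requires CREATE on the stem; the creator gets ADMIN on the group (assumed)."""
        if not self.has(actor, stem, "CREATE"):
            raise NotAuthorized(f"{actor} lacks CREATE on {stem}")
        name = f"{stem}:{extension}"
        self.groups[name] = set()
        self.add_priv(name, "ADMIN", actor)
        return name

    def add_member(self, actor: str, group: str, subject: str) -> None:
        if not (self.has(actor, group, "ADMIN") or self.has(actor, group, "UPDATE")):
            raise NotAuthorized(f"{actor} may not update {group}")
        self.groups[group].add(subject)

def ereserves_scenario() -> Registry:
    """Slides 25-27: central IT makes one assignment (STEM on the library stem);
    library staff do everything else themselves. Names are constructed."""
    reg = Registry(stems={"uw"})
    reg.add_priv("uw", "STEM", "central-it")          # bootstrap: central IT owns the top stem
    library = reg.create_stem("central-it", "uw", "library")
    reg.grant("central-it", library, "STEM", "lib-staff")   # the single central assignment
    # The library staffer, now a STEM holder, gives herself CREATE and builds the group.
    reg.grant("lib-staff", library, "CREATE", "lib-staff")
    group = reg.create_group("lib-staff", library, "ereserves")
    for person in ("libuser1", "libuser2"):
        reg.add_member("lib-staff", group, person)
    return reg

def attempt(reg: Registry, actor: str, op: str, *args) -> bool:
    """Does the operation succeed for this actor? (False on NotAuthorized.)"""
    try:
        getattr(reg, op)(actor, *args)
        return True
    except NotAuthorized:
        return False

if __name__ == "__main__":
    reg = ereserves_scenario()
    print(sorted(reg.groups["uw:library:ereserves"]))
    print("lib-staff can create under uw:", attempt(reg, "lib-staff", "create_group", "uw", "rogue"))
```

The contrast with slide 26 is the scope of the delegation: the library staffer can create further stems and groups under uw:library, but has no privilege on the uw stem itself, so the all-or-nothing group-management switch is replaced by authority bounded to one branch of the name-space.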
Slide 28: uPortal - Grouper Example: Institutional Affiliations
- Tabs in UW-Madison's uPortal install are specific to broad institutional affiliations (read: groups)
  - Student, Faculty, Staff, Advisor, ...
- But it's not only the portal that cares about membership in these affiliations
  - Best to manage them as part of shared infrastructure via Grouper
  - Loaders from Systems of Record populate the groups (single integration point for them)
  - uPortal and other apps consume as needed
Slide 29: Reuse of subject info maintained by Grouper / Signet
[Diagram: Grouper and Signet feeding LMS, Library and uPortal]
Slide 30: Reuse of subject info maintained by Grouper / Signet
[Diagram: same elements as slide 29]
Slide 31: Signet Overview
- Analysts define privileges in functional terms and specify associated system-level permissions
- Signet presents this functional view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority
- Signet internally maps assigned privileges into system-specific terms needed by applications
- Privileges are exported, transformed, and provisioned into applications and infrastructure services
- Signet provides automated lifecycle controls
Slide 32: Privileges: Building Blocks
- Functional view
  - Subsystems
  - Categories
  - Functions
  - Scope, Limits
  - Prerequisites, Conditions
- System view
  - Permissions
    - Subject
    - Action
    - Resource
Slide 33: Functional View
Subsystems contain:
- Limits
  - Qualifiers, constraints for a privilege
- Scope
  - Organizational hierarchy governing distributed delegation
- Functions
  - The things a person can do; what they are getting privileges for
- Categories
  - Provide useful arrangement of functions within a subsystem for reporting, ease of use
Slide 34: Functional View
[Diagram: subsystems organize categories, categories organize functions (actions), functions carry limits]

  Subsystem       Category         Function             Limit
  Student Admin   Course Support   Add/Drop students    Which term
                                   Schedule Classes     Which campus
                  Financial Aid    Process Applicants   For school
                                   Award Scholarships   From Fund
                                   Manage Accounts      For fund
  Clinical Trial                   Patient Records      Protocol A; Read/Write
                                   Materials Control    Qty/day
                                   Manage Grant         Admin constraints
                                   Lab Access           Hours
Slide 35: Systems View
- Permissions
  - Atomic units of control that map to specific access rules in systems
  - Include limits that must be evaluated when interpreting permissions
- Resources
  - The target of a specific privilege; things that have access rules to control their use
Slide 36: Functional View -> Permissions
[Diagram: each function in the functional view maps to the system-level permissions it needs]
Functional view (subsystem Student Admin):
- Category Course Support: functions Add/Drop students, Schedule Classes
- Category Financial Aid: functions Process Applicants, Award Scholarships, Manage Accounts
Resources / Permissions:
- Calendar: reserve_time, view_schedules
- Course: update_course_data
- Facilities: reserve_room
- Financial: view_fund_data, update_fund_data
- Student: student_records, applicant_data
Slide 37: Systems Integration
- Privilege Management Java API
- Permissions document
  - XML representation of privileges for an individual or group
  - Will be compatible with XACML
  - For provisioning of privilege data into applications
Slide 38: Privileges Lifecycle
- Conditions
  - Provide automatic revocation of privileges
  - Date controls -- from date, until date
  - Will be based on a person's status, affiliation, etc.
    - e.g., as long as the person is at Stanford
- Prerequisites
  - Pre-conditions that must be met to activate privileges
    - e.g., training
Slide 39: Other features
- Assignments can be
  - To an individual
  - To a Group
  - With/without ability to further delegate
- Distributed delegation using organizational hierarchy
  - Records chain of command
- Proxy assignment
  - Temporary granting of one's privilege to another
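An added example, not Signet's code, that ties together slides 36 to 39: a function in the functional view expands to (resource, permission) pairs carrying the assignment's limits; an assignment is exported only while its date window, status condition and prerequisites all hold; and a delegable assignment can be passed on, narrower or equal, with the chain of command recorded. Subsystem, function, resource and permission names are taken from the slides' Student Admin example, but which permissions each function requires, the limit keys, the dates and the people are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Functional view -> system view. The pairing of functions with permissions is an assumption.
FUNCTIONS: Dict[str, List[Tuple[str, str]]] = {
    "Schedule Classes": [("Course", "update_course_data"), ("Facilities", "reserve_room")],
    "Add/Drop students": [("Student", "student_records"), ("Calendar", "view_schedules")],
}

@dataclass
class Person:
    id: str
    status: str                                       # constructed: "active" or "departed"
    training: Set[str] = field(default_factory=set)   # completed prerequisites

@dataclass
class Assignment:
    grantee: str
    function: str
    limits: Dict[str, str]                            # e.g. {"campus": "main"} (constructed keys)
    effective: date                                   # "from" date
    until: Optional[date] = None                      # "until" date; None = open-ended
    status_condition: Optional[str] = "active"        # auto-revoke when the person's status differs
    prerequisites: Set[str] = field(default_factory=set)
    can_delegate: bool = False
    granted_by: Optional[str] = None                  # chain-of-command record

def is_active(a: Assignment, person: Person, today: date) -> bool:
    """Lifecycle check: date window, status condition and prerequisites must all hold."""
    if today < a.effective or (a.until is not None and today > a.until):
        return False
    if a.status_condition is not None and person.status != a.status_condition:
        return False
    return a.prerequisites <= person.training

def permissions_document(assignments: List[Assignment], person: Person, today: date) -> List[dict]:
    """System-level view of one person's currently active privileges, ready to provision."""
    out = []
    for a in assignments:
        if a.grantee != person.id or not is_active(a, person, today):
            continue
        for resource, perm in FUNCTIONS[a.function]:
            out.append({"subject": person.id, "resource": resource,
                        "action": perm, "limits": dict(a.limits)})
    return out

def delegate(parent: Assignment, delegator: str, grantee: str,
             limits: Optional[Dict[str, str]] = None,
             until: Optional[date] = None) -> Assignment:
    """Pass a delegable assignment on. The child may only narrow it: existing limit
    values cannot change (new limit keys may be added) and it cannot outlive the parent."""
    if parent.grantee != delegator or not parent.can_delegate:
        raise PermissionError(f"{delegator} may not delegate {parent.function}")
    limits = dict(limits or parent.limits)
    for key, value in parent.limits.items():
        if limits.get(key, value) != value:
            raise PermissionError(f"limit {key} may not be widened")
        limits[key] = value
    if parent.until is not None and (until is None or until > parent.until):
        until = parent.until
    return Assignment(grantee, parent.function, limits, parent.effective, until,
                      parent.status_condition, set(parent.prerequisites),
                      can_delegate=False, granted_by=delegator)

def delegation_allowed(parent: Assignment, delegator: str, grantee: str,
                       limits: Optional[Dict[str, str]] = None,
                       until: Optional[date] = None) -> bool:
    try:
        delegate(parent, delegator, grantee, limits, until)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    registrar = Person("registrar", "active", {"FERPA training"})   # constructed sample
    a = Assignment("registrar", "Schedule Classes", {"campus": "main"},
                   date(2006, 1, 1), date(2007, 1, 1), prerequisites={"FERPA training"},
                   can_delegate=True, granted_by="dean")
    for row in permissions_document([a], registrar, date(2006, 9, 15)):
        print(row)
```

The export is recomputed from the assignments rather than stored, so a status change or a lapsed date simply drops the permissions from the next document, which is the automatic revocation slide 38 describes.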
Slide 40: Privilege Elements by Example
[Diagram: labelled Privilege and Lifecycle]
Slide 41: (No transcript)
Slide 42: (No transcript)
Slide 43: Signet / Grouper Roadmaps
- Now available
  - Grouper v0.9: UI, API, source release
  - Signet 1.0: UI, binary release
  - Subject API v0.1b
- Signet Roadmap
  - v1.1, Summer 2006: full API, source release, rules processor
- Grouper Roadmap
  - v1.0, July 2006: group math
  - v1.1, September 2006: group membership aging
- Subject API
  - v1.0, ? 2006: minor changes, updates to reference implementations
Slide 44: Resources / Participation
- Grouper
  - team: University of Chicago, University of Bristol
  - http://grouper.internet2.edu
- Signet
  - team: Stanford University
  - http://signet.internet2.edu
- Internet2 Middleware Initiative
  - http://middleware.internet2.edu/
  - Documents, software, cvs
  - Details for subscribing to mailing lists
  - Conference call agendas, dialing instructions