Handling Groups and Permissions: Grouper and Signet and uPortal - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Handling Groups and Permissions: Grouper and
Signet and uPortal
JA-SIG, Vancouver, BC, 06/06/06
  • Lynn McRae, Stanford University
  • Keith Hazelton, University of Wisconsin
  • With thanks to Tom Barton, University of Chicago

2
Identity Access Management
  • A person's privileges are shaped by many Sources
    of Authority:
    • Institutional policy making bodies
    • Resource managers
    • Program/activity heads
    • Individuals -- friends and self
  • Management of privileges should be distributed
  • Hook up all Sources of Authority to the
    middleware
  • Common middleware infrastructure should be
    operated centrally
  • Departments/programs/activities/applications
    should not have to build their own core
    middleware
  • Resources should be shared through the
    infrastructure

3
Access Control Decision
  • Q = Subject + Resource + Action + Context
    • Subject: who or what wants to take an action
    • Resource: what the action is against, e.g.,
      file, building, data, service, etc.
    • Action: what they want to do, e.g., view,
      modify, enter, approve, run, etc.
    • Context: time of day, academic term, weather,
      etc.
  • A = Policy interpretation and decision, e.g.,
    • Resource and action are available to a group,
      e.g., Faculty at MIT, Students in a class
    • Available to anyone with entitlement for the
      service

4
by any other name
  • Signet and XACML:
    • Subject
    • Action
    • Resource
    • Context
  • uPortal Permission:
    • Principal
    • Activity
    • Target

5
Policy based authorization
(diagram) Identity Provider and Service Provider; labels: Subject, Resource,
Action, Context, authd, Rules, Policy. Subject tries to access resource;
provider evaluates required identity attributes against rules for resource;
provider grants or denies access.
6
Policy interpretation
  • Policy can be very simple:
    • In group uportal-sysadmins
    • In role faculty
  • or more and more complicated:
    • Faculty in Law School
    • or designated TAs
    • or other faculty teaching a Law school course
    • for courses offered this term
    • can or cannot submit grades
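
The decision elements of slide 3 and the grade-submission policy of slide 6, worked through as a small policy evaluator. This is an added example, not code from the slides or from Signet, Grouper or uPortal; the group names (law:faculty, law:ta, uportal-sysadmins), the course records and the rule table are constructed for illustration.

```python
# Added example (not from the slides): a policy evaluator over the four
# question elements of slide 3 (subject, resource, action, context), answering
# from group membership and entitlement rules. All data below is constructed.
from dataclasses import dataclass, field


@dataclass
class Request:
    subject: str
    resource: str
    action: str
    context: dict = field(default_factory=dict)


# Constructed subject information: groups ("who you are") and entitlements
# ("what you can do"), the two kinds named on slide 7.
GROUPS = {
    "uportal-sysadmins": {"alice"},
    "faculty": {"alice", "bob", "carol"},
    "law:faculty": {"bob"},
    "law:ta": {"dave"},
}
ENTITLEMENTS = {"erin": {"reporting-service"}}

# Constructed course records: offering school, term and instructors.
COURSES = {
    "LAW-101": {"school": "law", "term": "2006-spring", "instructors": {"carol"}},
    "CS-313": {"school": "cs", "term": "2006-spring", "instructors": {"alice"}},
}


def in_group(subject, group):
    return subject in GROUPS.get(group, set())


def may_submit_grades(req):
    """Slide 6 policy: Law School faculty, or designated TAs, or other faculty
    teaching a Law School course, may submit grades for courses offered this term."""
    course = COURSES.get(req.resource)
    if course is None or course["school"] != "law":
        return False
    if course["term"] != req.context.get("term"):
        return False  # only for courses offered this term
    return (in_group(req.subject, "law:faculty")
            or in_group(req.subject, "law:ta")
            or (in_group(req.subject, "faculty")
                and req.subject in course["instructors"]))


# Rule table: (resource kind, action) -> predicate over the request.
RULES = {
    ("portal", "administer"): lambda r: in_group(r.subject, "uportal-sysadmins"),
    ("course", "submit-grades"): may_submit_grades,
    ("service", "use"): lambda r: r.resource in ENTITLEMENTS.get(r.subject, set()),
}


def resource_kind(resource):
    if resource == "portal":
        return "portal"
    if resource in COURSES:
        return "course"
    return "service"


def decide(req):
    """The answer: allow only when a rule exists for the (resource kind, action)
    pair and it evaluates true; anything unmatched is denied."""
    rule = RULES.get((resource_kind(req.resource), req.action))
    return bool(rule and rule(req))


if __name__ == "__main__":
    ctx = {"term": "2006-spring"}
    print(decide(Request("alice", "portal", "administer")))          # True
    print(decide(Request("carol", "LAW-101", "submit-grades", ctx)))  # True
    print(decide(Request("alice", "LAW-101", "submit-grades", ctx)))  # False
```

Unknown (resource kind, action) pairs fall through to deny, so adding a new action to a system never silently grants it until a rule is written for it.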

7
Groups and Privileges
  • Two kinds of Subject information are used in
    making access control decisions:
    • Who you are
      • aka groups or roles
      • cf. RBAC
    • What you can do
      • aka privileges
      • cf. value-based authority or row-based
        authority
  • Both types of information are conveyed through
    attributes about a person
  • Grouper and Signet are tools that let you enrich
    descriptive attributes about people in both ways

8
Big picture, without Grouper/Signet
(diagram; no transcript)

9
Filling the gap
(diagram) Labels: HR, SIS Courses, Identity Management, Affiliation = faculty,
Instructor = CS-313, Shib.

10
Extending Course infrastructure
(diagram) Labels: HR, SIS Courses, Identity Management, Affiliation = faculty,
Instructor = CS-313, Class CS-313 TA, isMemberOf CS-313, The Professor, Shib.

11
Privilege management
(diagram) Labels: Identity Management, Affiliations, Shib; James Billington,
Marc Crawford, Marin Alsop; special_collections (manuscripts, view),
(king_papers, copy), printing (max 100), athletic (golf_course), facilities
(pool, after 5), blackboard (music103), music (practice_room).

12
uPortal specific permissions
(diagram) Labels: Identity Management, Affiliation = temp, Shib;
uportal_access(level1) with expiration date; tab_admin(module3),
tab_admin(module8) as long as staff; Dept Admin, Portal Admin.

13
Big picture, without Grouper/Signet
(diagram; no transcript)

14
Big picture
(diagram; no transcript)

15
Signet & Grouper Overview
16
Grouper
  • Middleware software/toolkit
    • User access through a common UI
    • Program access through a common API
  • Defines a Groups Registry
  • Brings scattered duplicative groups together for
    re-use
  • Allows useful actions on these groups -- group
    math, group nesting, exclusion criteria
  • Hierarchical name-space (names, stems, substems)
  • Can leverage existing group information
  • Supports the creation of new groups
    • By schools, departments, and individuals!
  • Distributed/delegated model of control

17
Signet
  • Middleware software/toolkit
    • User access through a common UI
    • Program access through a common API
  • Brings privilege information together in one
    place -- a Privilege Registry
  • Central granting, can apply across multiple
    systems
  • Central reporting, history, auditing, review
  • Accessible to managers AND holders of privileges
  • Independent of specific vendors, systems,
    releases or technologies
  • Distributed/delegated model of control

18
Shared Subject API
  • Subject - a person, group, application, or other
    type of object whose identity is managed by your
    IAM system
  • Abstract the underlying technology and data model
    from a relying application
  • Source Adapters
  • Identify attributes/columns distinguished as
    subjectID, name and description
  • Specify back-end-specific searches for each type
    and each search method
  • Select
  • Search by identifier
  • Search

19
Grouper Overview
  • Mix of manual and automation processes manage a
    common Groups Registry
    • Stored in an RDBMS
  • Automation processes provision info from the
    Groups Registry into LDAP, AD, directly into
    application-specific databases, wherever the
    value of the info warrants spending the resources
    to place it there
  • Two types of managed objects: groups and naming
    stems
    • Groups are created and named with a naming stem
  • Group management authority is delegatable
    • By group or by naming stem

20
Grouper Groups
  • Any subject can be a group member or privilegee
    • Persons, groups, site-defined subject types
    • Uses Subject API developed by Grouper & Signet
      teams
  • Subgroups (now), composite groups (v1.0), and
    aging (v1.1) of groups and memberships
  • Privileges:
    • ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
  • Group attribute set can be site-extended

21
Naming Stems
  • Groups are created with naming stems
    • Limits the authority to create and name groups
    • Support distinct activities with own authority
  • Naming stems can be arranged hierarchically
    • e.g., uc, uc:nsit, uc:nsit:labs
  • Privileges:
    • STEM
      • Create subordinate naming stems
      • Assign privs for this naming stem
    • CREATE: create groups with this naming stem

22
Composite Groups
  • Membership is defined by composing the
    memberships of 2 other groups:
    • A = B ∪ C (union)
    • A = B ∩ C (intersection)
    • A = B − C (relative complement)
  • Common use: tweak existing groups
    • Whitelist or blacklist factored into another
      group

23
Example: Computer Cluster Access
Allow access if in (nsit:labs:eligible − nsit:labs:barred)
  • nsit:labs:eligible (manual)
  • nsit:labs:barred (manual)
  • nsit:labs:whitelist (manual)
  • nsit:labs:blacklist (manual)
  • uc:faculty (auto)
  • uc:staff (auto)
  • categories of entitled students (auto)
24
Systems Integration
  • API
  • XML Import/Export Tool
    • Snapshots the Groups Registry, including naming
      stems and privileges:
      • A single group
      • All subordinate to a specified naming stem
      • All matching a search condition
      • Entire Registry

25
uPortal - Grouper Example: Managing e-Reserves
  • Task: Some library staff can manage e-Reserves (a
    group of some 100 members)
  • Library knows who they are
  • So let's delegate management of group to them
  • Well...

26
Example: Managing e-Reserves
  • With uPortal today, privilege to manage groups is
    on or off for a given person
  • Delegating group management to library staff
    gives authority over all groups
  • So instead, a central IT staff person manages
    e-Reserve group membership

27
Example: Managing e-Reserves
  • If uPortal used Grouper:
    • Create a library stem
    • One assignment by central IT staff to a library
      staff member giving them stem privilege over
      the library stem
    • They in turn create an e-Reserve group under that
      stem and manage its membership
    • And the Grouper UI gives them a good way to do
      that
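
Slides 21 to 27 combined in one runnable sketch: a hierarchical naming-stem space with STEM and CREATE privileges, composite groups evaluated with set operations, the computer cluster access group of slide 23, and the e-Reserves delegation of slides 25 to 27. This is an added example and not Grouper's code or API; the colon separator, the subject names, and the way eligible is composed from employee and whitelist groups are assumptions of the example.

```python
# Added example (not Grouper's code or API): a miniature Groups Registry with
# naming stems, stem privileges, composite groups and delegated authority.
# Stem separator, group names and subjects are assumptions for this example.


class Registry:
    SEP = ":"  # assumed separator, so names read uc:nsit:labs

    def __init__(self, root_admin):
        # "" is the root stem; the root admin holds STEM and CREATE on it.
        self.stems = {"": {"STEM": {root_admin}, "CREATE": {root_admin}}}
        self.groups = {}  # name -> {"members": set, "composite": (op, left, right) or None}

    def _parent(self, name):
        return name.rsplit(self.SEP, 1)[0] if self.SEP in name else ""

    def has_stem_priv(self, subject, stem, priv):
        """A privilege granted on a stem applies to it and to all of its substems."""
        parts = stem.split(self.SEP) if stem else []
        while True:
            if subject in self.stems.get(self.SEP.join(parts), {}).get(priv, set()):
                return True
            if not parts:
                return False
            parts.pop()

    def create_stem(self, actor, stem):
        """STEM on the parent is needed to create a subordinate naming stem."""
        parent = self._parent(stem)
        if not self.has_stem_priv(actor, parent, "STEM"):
            raise PermissionError(f"{actor} lacks STEM on '{parent or '<root>'}'")
        self.stems[stem] = {"STEM": set(), "CREATE": set()}

    def grant_stem_priv(self, actor, stem, priv, grantee):
        """Delegation: only a STEM holder on a stem may assign privs for it."""
        if stem not in self.stems:
            raise KeyError(stem)
        if not self.has_stem_priv(actor, stem, "STEM"):
            raise PermissionError(f"{actor} lacks STEM on '{stem}'")
        self.stems[stem][priv].add(grantee)

    def create_group(self, actor, name, members=(), composite=None):
        """CREATE on the group's stem is needed to create a group under it."""
        if self.SEP not in name:
            raise ValueError("group names are stem:group")
        stem = self._parent(name)
        if stem not in self.stems:
            raise KeyError(stem)
        if not self.has_stem_priv(actor, stem, "CREATE"):
            raise PermissionError(f"{actor} may not create groups under '{stem}'")
        self.groups[name] = {"members": set(members), "composite": composite}

    def members(self, name):
        """Effective membership; composite groups are evaluated recursively."""
        g = self.groups[name]
        if g["composite"] is None:
            return set(g["members"])
        op, left, right = g["composite"]
        b, c = self.members(left), self.members(right)
        return {"union": b | c, "intersection": b & c, "complement": b - c}[op]


def build_demo_registry():
    reg = Registry(root_admin="central-it")
    # Slides 21-23: stems uc, uc:nsit, uc:nsit:labs and the cluster access groups.
    for stem in ("uc", "uc:nsit", "uc:nsit:labs"):
        reg.create_stem("central-it", stem)
    reg.create_group("central-it", "uc:faculty", {"prof1", "prof2"})        # (auto)
    reg.create_group("central-it", "uc:staff", {"staff1"})                  # (auto)
    reg.create_group("central-it", "uc:nsit:labs:whitelist", {"guest1"})   # (manual)
    reg.create_group("central-it", "uc:nsit:labs:barred", {"prof2"})       # (manual)
    # Assumed composition (the slide only gives "eligible − barred"):
    # eligible = (faculty ∪ staff) ∪ whitelist; access = eligible − barred.
    reg.create_group("central-it", "uc:nsit:labs:employees",
                     composite=("union", "uc:faculty", "uc:staff"))
    reg.create_group("central-it", "uc:nsit:labs:eligible",
                     composite=("union", "uc:nsit:labs:employees", "uc:nsit:labs:whitelist"))
    reg.create_group("central-it", "uc:nsit:labs:access",
                     composite=("complement", "uc:nsit:labs:eligible", "uc:nsit:labs:barred"))
    # Slides 25-27: one central assignment delegates the library stem only.
    reg.create_stem("central-it", "library")
    reg.grant_stem_priv("central-it", "library", "STEM", "librarian")
    reg.grant_stem_priv("librarian", "library", "CREATE", "librarian")  # STEM lets them assign privs
    reg.create_group("librarian", "library:e-reserves", {"lib-staff1", "lib-staff2"})
    return reg


def can(reg, actor, method, *args):
    """True if the actor is permitted to perform the registry action."""
    try:
        getattr(reg, method)(actor, *args)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    reg = build_demo_registry()
    print(sorted(reg.members("uc:nsit:labs:access")))   # ['guest1', 'prof1', 'staff1']
    print(can(reg, "librarian", "create_group", "uc:nsit:labs:rogue"))  # False
```

The librarian ends up able to create and manage groups under the library stem and nothing else, which is the point of slide 27 against the all-or-nothing group administration of slide 26.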

28
uPortal - Grouper Example: Institutional
Affiliations
  • Tabs in UW-Madison's uPortal install are specific
    to broad institutional affiliations (read: groups)
    • Student, Faculty, Staff, Advisor, ...
  • But it's not only the portal that cares about
    membership in these affiliations
  • Best to manage them as part of shared
    infrastructure via Grouper
    • Loaders from Systems of Record populate the
      groups (single integration point for them)
    • uPortal and other apps consume as needed

29
Reuse of subject info maintained by Grouper & Signet
(diagram) Labels: Signet, Grouper, LMS, Library, uPortal.
30
Reuse of subject info maintained by Grouper & Signet
(diagram; same labels as slide 29)
31
Signet Overview
  • Analysts define privileges in functional terms
    and specify associated system-level permissions
  • Signet presents this functional view in a Web UI
    where users assign privileges and delegate
    authority across all areas in which they have
    authority
  • Signet internally maps assigned privileges into
    system-specific terms needed by applications
  • Privileges are exported, transformed, and
    provisioned into applications and infrastructure
    services
  • Signet provides automated lifecycle controls

32
Privileges: Building Blocks
  • Functional view
    • Subsystems
    • Categories
    • Functions
    • Scope, Limits
    • Prerequisites & Conditions
  • System view
    • Permissions
    • Subject
    • Action
    • Resource

33
Functional View
Subsystems contain:
  • Limits
    • Qualifiers, constraints for a privilege
  • Scope
    • Organizational hierarchy governing distributed
      delegation
  • Functions
    • The things a person can do: what they are
      getting privileges for
  • Categories
    • Provide useful arrangement of functions within a
      subsystem for reporting, ease of use

34
Functional View
(diagram) Subsystems organize categories, categories organize functions, and
limits constrain actions. Labels: subsystems Student Admin, Patient Records;
categories Course Support, Financial Aid, Clinical Trial; functions with their
limits: Add/Drop students (which term), Schedule Classes (which campus), Process
Applicants (for school), Award Scholarships (from fund), Manage Accounts (for
fund), Protocol A (read/write), Materials Control (qty/day), Manage Grant (admin
constraints), Lab Access (hours).
35
Systems View
  • Permissions
    • Atomic units of control that map to specific
      access rules in systems
    • Include limits that must be evaluated when
      interpreting permissions
  • Resources
    • The target of a specific privilege: things that
      have access rules to control their use

36
Functional View → Permissions
(diagram) Functional view (subsystem Student Admin; categories Course Support
and Financial Aid; functions Add/Drop students, Schedule Classes, Process
Applicants, Award Scholarships, Manage Accounts) mapped to resources and
permissions: Calendar (reserve_time, view_schedules), Course
(update_course_data), Facilities (reserve_room), Financial (view_fund_data,
update_fund_data), Student (student_records, applicant_data).
37
Systems Integration
  • Privilege Management Java API
  • Permissions document
    • XML representation of privileges for an
      individual or group
    • Will be compatible with XACML
    • For provisioning of privilege data into
      applications

38
Privileges: Lifecycle
  • Conditions
    • Provide automatic revocation of privileges
    • Date controls -- from date, until date
    • Will be based on person's status, affiliation,
      etc.
      • e.g., as long as person is at Stanford
  • Prerequisites
    • Pre-conditions that must be met to activate
      privileges
      • e.g., training
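
Slides 32 to 38 carried into code: functional assignments with limits and lifecycle conditions, mapped to system-level resource/permission pairs and exported as a permissions document. This is an added example, not Signet's code, API or document schema; the function-to-permission mapping, the sample assignments and the XML element names are constructed for illustration.

```python
# Added example (not Signet's code or schema): functional privileges with
# limits, lifecycle conditions and prerequisites, resolved to system-level
# permissions and written out as a constructed XML permissions document.
from dataclasses import dataclass
from datetime import date
from typing import Optional
import xml.etree.ElementTree as ET

# Functional view for one subsystem. Labels come from the slides; which
# permissions each function maps to is an assumption of this example.
SUBSYSTEM = "Student Admin"
FUNCTIONS = {
    "Add/Drop students": {"category": "Course Support", "limits": ("term",),
                          "permissions": (("Student", "student_records"),)},
    "Schedule Classes": {"category": "Course Support", "limits": ("campus",),
                         "permissions": (("Course", "update_course_data"),
                                         ("Facilities", "reserve_room"))},
    "Award Scholarships": {"category": "Financial Aid", "limits": ("fund",),
                           "permissions": (("Financial", "view_fund_data"),
                                           ("Financial", "update_fund_data"))},
}


@dataclass
class Assignment:
    subject: str
    function: str
    limits: dict                        # limit name -> value, e.g. {"term": "2006-fall"}
    from_date: date                     # condition: not active before this date
    until_date: Optional[date] = None   # condition: not active after this date
    affiliation: Optional[str] = None   # condition: "as long as person is at Stanford"
    prerequisites: tuple = ()           # e.g. ("scheduling-training",), completed first


def is_active(a, today, affiliations, completed):
    """Lifecycle check: date window, affiliation condition and prerequisites."""
    if today < a.from_date:
        return False
    if a.until_date is not None and today > a.until_date:
        return False
    if a.affiliation is not None and a.affiliation not in affiliations:
        return False
    return all(p in completed for p in a.prerequisites)


def permissions_for(subject, assignments, today, affiliations, completed):
    """System view: each active assignment yields (resource, permission, limits)
    tuples; the limits travel with the permission so the target can evaluate them."""
    result = []
    for a in assignments:
        if a.subject != subject or not is_active(a, today, affiliations, completed):
            continue
        fn = FUNCTIONS[a.function]
        missing = [lim for lim in fn["limits"] if lim not in a.limits]
        if missing:
            raise ValueError(f"{a.function} for {subject} lacks limits {missing}")
        for resource, perm in fn["permissions"]:
            result.append((resource, perm, dict(a.limits)))
    return result


def permissions_document(subject, perms):
    """Constructed XML permissions document for one subject (not Signet's schema)."""
    root = ET.Element("permissions", subject=subject, subsystem=SUBSYSTEM)
    for resource, perm, limits in perms:
        p = ET.SubElement(root, "permission", resource=resource, name=perm)
        for k, v in sorted(limits.items()):
            ET.SubElement(p, "limit", name=k, value=v)
    return ET.tostring(root, encoding="unicode")


# Constructed sample data.
TODAY = date(2006, 6, 6)
ASSIGNMENTS = [
    Assignment("alice", "Award Scholarships", {"fund": "general"}, date(2006, 1, 1),
               affiliation="stanford"),
    Assignment("bob", "Add/Drop students", {"term": "2006-spring"}, date(2006, 1, 1),
               until_date=date(2006, 5, 31)),          # past until date: revoked
    Assignment("carol", "Schedule Classes", {"campus": "main"}, date(2006, 1, 1),
               prerequisites=("scheduling-training",)),  # inactive until trained
]
AFFILIATIONS = {"alice": {"stanford", "staff"}, "bob": {"stanford"}, "carol": {"stanford"}}
COMPLETED = {"alice": set(), "bob": set(), "carol": set()}


def sample_permissions(subject, completed=None):
    done = COMPLETED[subject] if completed is None else completed
    return permissions_for(subject, ASSIGNMENTS, TODAY, AFFILIATIONS[subject], done)


if __name__ == "__main__":
    print(permissions_document("alice", sample_permissions("alice")))
    print(sample_permissions("bob"))    # [] : the until date has passed
    print(sample_permissions("carol"))  # [] : prerequisite not yet met
```

Because the export is computed from the conditions at provisioning time, an expired or prerequisite-blocked assignment simply never reaches the application, which is the automatic revocation slide 38 describes.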

39
Other features
  • Assignments can be:
    • To an individual
    • To a Group
    • With/without ability to further delegate
  • Distributed delegation using organizational
    hierarchy
    • Records chain of command
  • Proxy assignment
    • Temporary granting of one's privilege to another

40
Privilege Elements by Example
(diagram) Labels: Privilege, Lifecycle.
41
(No Transcript)
42
(No Transcript)
43
Signet & Grouper Roadmaps
  • Now available:
    • Grouper v0.9: UI & API source release
    • Signet 1.0: UI, binary release
    • Subject API v0.1b
  • Signet Roadmap
    • v1.1, Summer 2006: full API source release,
      rules processor
  • Grouper Roadmap
    • v1.0, July 2006: group math
    • v1.1, September 2006: group membership aging
  • Subject API
    • v1.0, ? 2006: minor changes, updates to
      reference implementations

44
Resources & Participation
  • Grouper
    • team: University of Chicago & University of
      Bristol
    • http://grouper.internet2.edu
  • Signet
    • team: Stanford University
    • http://signet.internet2.edu
  • Internet2 Middleware Initiative
    • http://middleware.internet2.edu/
    • Documents, software, cvs
    • Details for subscribing to mailing lists
    • Conference call agendas & dialing instructions