
Early Adopters / Deployers: Patterns and criteria for distinguishing roles and groups-based access control vs. privilege management. Why use one or the other, or, more importantly, why do we need both?


Slide 1: Early Adopters / Deployers
Patterns and criteria for distinguishing roles and groups-based access control vs. privilege management. Why use one or the other, or, more importantly, why do we need both? Updated documentation and presentation material will be offered for discussion and review.
Software to move data in and out of Signet and Grouper is not part of the core of either product, but is vital to connect them to your infrastructure. We'll have a technical design discussion on our basic JDBC and JNDI SourceAdaptor and the emerging Subject API specification, and will explore how to make these configurable to a variety of specific needs.

Slide 2: Use Case: "Groups are good"
What: People create groups that have real-world meaning and can be used in many ways: my staff, project team, board members, etc.
Grouper: Distributed model of managing such groups through delegated name stems. Personal groups?
Signet: Ability to assign privileges to such groups.
Apps: Those interested in using shared groups in general.

Slide 3: Use Case: Stanford: WebAuth
What: Allow access to web pages based on group membership.
Grouper (Stanford workgroup):
- User-managed groups
- System-managed groups (course and department affiliations)
WebAuth:
- Data provisioned to the LDAP directory
- Extends the Apache "require group" directive in the .htaccess file to refer to group references in Person LDAP entries

Slide 4: Use Case: Duke: Mailing Lists
What: "basic authorization and mailing list functionality"
Grouper: Subscribers. Roles, e.g., owner, maintainer?
Signet: ?
Application: ?

Slide 5: Use Case: Duke: Calendar groups
What: "basic authorization and mailing list functionality"
Grouper: Simple membership. How?
Signet: ???

Slide 6: Use Case: USC: Additional groups
What: Augment the existing, beloved group management system to support delegated administration of groups.
Grouper:
- Define basic inclusion/exclusion groups
- Provisioned into LDAP
Nightly processor: Integrate Grouper groups with LDAP groups, apply group math.

Slide 7: Use Case: U. Chicago: Instant Messaging
What: Instant messaging platform. The rosters would be automatically populated based on work group.
Grouper: The information that we keep on our users is not detailed enough to be used to group people into their individual work groups. Grouper would be used by the managers of the individual work groups to define who is in their group. This data would then be read from the Grouper database by a program that provisions the rosters of the relevant people in the IM server (directly to the Jabber server? via LDAP?).

Slide 8: Use Case: Others?
What:
- Wiki groups
- Files (e.g., AFS pts groups)
- Portal groups
- Document sharing (e.g., Docushare)
- CVS groups
- Ticket tracking (Wash)

Slide 9: Use Case: Cornell: GuestIDs
What: GuestIDs for people in a weekend course at the hotel school, a class that uses the Blackboard system, someone who needs wireless access for some period of time, etc.
Grouper:
- All guests placed in a group (provisioned via LDAP) to which privileges are assigned
- Admins placed in a group (provisioned from PeopleSoft/HR, augmented by an admin adding people to the same group)
- Self-signup guest discussion list group (opt-in)

Slide 10: Use Case: Cornell: GuestIDs (cont.)
Signet:
- Manage admin access rights: assignments to groups
- Assign guest privileges to the full guest group (campus bus), or to individuals (weight room, Blackboard, printing). Only to those with GuestIDs / in the guest group?
- With effective and expiration dates (managed by Signet)
Other stuff: GuestID expiration based on last service

Slide 11: Use Case: Cornell: WebFinancials
What: Manage access privileges for an account, or for all accounts in a department or unit.
Grouper:
- Each department defined as a group, using hierarchical naming and nesting
- Capture account "membership" in departments, or as subgroups in the department stem
Signet:
- Assign level of privilege (unit/dept) by scope
- Qualify privilege by type (Labor, Gift, etc.) and year (limits)

Slide 12: Use Case: Cornell: WebFinancials (cont.)
Signet prerequisite: Policy agreement (how recorded?) (rule condition)
Signet exported permissions:
- Subject (person with privilege)
- Resource (specific account, groups of accounts)
- Action (view) is implicit
WebFinancials application:
- Can read account-level permission directly
- Can map an account request to a dept/unit permission via "isMemberOf"
- Would like a direct query to a web services authorization service

Slide 13: Use Case: Stanford: Financial Approver
What: Designate financial approvers for several electronic financial transactions.
Signet (Stanford Authority):
- Similar to WebFinancials
- Uses the administrative departmental hierarchy
- All/some accounts for a department, or all accounts for projects managed by a PI
- Direct provisioning to Oracle Financials
- "is an approver" is a testable fact (a role?)

Slide 14: Use Case: Brown: Course videos
What: Steve Carmody: I'd like to be able to say to Signet "give this course [members?] permission to view this video", and have Signet's LDAP connector add an entitlement value to the group object [?] in our LDAP directory that represents the course...
Grouper: ???
Signet: Central accounts office (root) delegates to [courseware, which delegates to] the TA for Course X the authority to manage video permissions for students in Course X. The TA grants students authority to view specific videos, starting on ... for 2 weeks.

Slide 15: Use Case: USC: Portal Access Control
What: Investigate replacing internal portal groups with Grouper/Signet management.
Grouper: ???
Signet: ???

Slide 16: Use Case: Chicago: Licensed software
What: Centrally managed software with a variety of licensing arrangements: site-licensed, departmental/project/individual usage. Eliminate physical distribution.
Grouper: Group per software package.
Signet: Function with the software package as the limit.

Slide 17: Use Case: Chicago: Blackboard Collaboration
What: Set up tools to support collaboration for "organizations" or groups (in addition to classes).
Grouper: Registration. The organization liaison is given a group in which to maintain organization membership.
Signet: Manage which tools are enabled for which organizations. Coordinates services across systems.

Slide 18: Use Case: MyVocs
What: Could Grouper and Signet in myVocs expand the flexibility of group and role assignments across a large collection of distributed applications? If Grouper/Signet are integrated into myVocs they will be available to UABgrid. NCSA and UAB are collaborating to integrate GridShib with myVocs. We are considering using Grouper as a source of attributes in myVocs in particular, and for VOs in general.
Components involved: Grouper, Signet, Shibboleth.

Slide 19: Use Case: U. Missouri: Great Plains Network
What: Manage authorization for individuals or groups of users in a Virtual Organization that could span multiple institutions and identity management systems.
The Great Plains Network (GPN) is developing a multi-institutional collaboration environment whose members comprise institutions/organizations that:
- Utilize autonomous identity management systems, operated by each institution at which GPN collaborators are employed (identified).
- Can each provide resources (e.g., processing or storage) to be shared among the participating parties using web-based and grid computing technologies.
Participants (each person) must be provided with authorizations (e.g., eduPersonEntitlement values) to use various GPN VO resources through their home organization, but managed in some fashion from the GPN VO. This would require pushing entitlement data into multiple IdM systems from an external entity, such as the GPN VO. The management overhead of authorizations must be kept to a minimum, yet provide institutional controls at several levels.
Participants authenticate themselves through their home institution and obtain "credentials" to access resources distributed throughout the VO community. There is not a single application or resource involved, but multiple applications and resources distributed among the participating institutions. Individuals may be granted collaborative access to none, some or all of the applications/resources offered by the VO.

Slide 20: Use Case: U. Missouri: Great Plains Network (cont.)
Grouper:
- Each institution records VO membership locally; the resulting "is member" attribute is released to cooperating institutions (the big issue is who has authority to make assertions).
- Each institution records member role information locally (scientist? admin? where such exists), also as a shared attribute.
- All necessary roles are articulated as groups at each institution, whether they have local members or not.
Signet:
- Each institution assigns permissions to its own resources, either to individuals (known locally) or to groups.
- Signet could "learn" about people outside the local identity management software via login. A useful concept?

Slide 21: Use Case: Wisconsin: Authorization Workflow
What: Replace a paper-based authorization workflow.
Grouper: ???
Signet: Delegation of authority, distribution down an organization hierarchy.

Slide 22: Use Case: UC Davis: Travel Expense
What: Manage expense approvals for travel reimbursements. The new T&E system is a commercial product (Concur) being readied by the Accounting division.
Grouper: Define groups below the departmental level for delegation.
Signet: Seed/maintain expense-approval delegations, starting with a small set of policy-based expense approvers (high-level administrators) who are readily identified. These top-level approvers delegate expense approval privileges for their organizational branch (or sub-branches) to various subordinates. Delegations may be done down to a sub-departmental level, i.e., to +/- arbitrary groups of departmental employees. Grantees may have limits on approval amounts different from (lower than) those provided to grantors.
Operationally, export privileges to the T&E system. I've been told that this system has a web services interface. Details TBD. If Accounting thinks the Signet UI is not far enough along to meet their needs, we may need an interim application. At the moment I've mapped T&E concepts to a Signet subsystem, and am readying prototype data (orgs and people).
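The Signet-side model that the WebFinancials, Financial Approver and Travel Expense slides describe (a privilege as subject + function + scope over an org hierarchy, qualified by limits and effective/expiration dates, with delegation that may only narrow scope and lower limits), shown as an added example in Python. This is illustration code written for this page, not Signet's implementation or data model; the org tree, the account-to-department mapping, the people, the function name "approve-expense" and the amounts are all constructed. Account-to-department lookup plays the role of the Grouper "isMemberOf" test the WebFinancials slide relies on.

```python
"""Privileges with scope, limits, dates and checked delegation.
Added example for this page, not Signet code; org tree, accounts and people are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Org hierarchy as child -> parent (constructed); the root has no parent.
ORG_PARENT = {"univ": None, "univ:eng": "univ", "univ:eng:cs": "univ:eng", "univ:eng:ee": "univ:eng", "univ:arts": "univ"}
# Account "membership" in departments (constructed): the Grouper side of the WebFinancials slide.
ACCOUNT_DEPT = {"acct-1001": "univ:eng:cs", "acct-2002": "univ:eng:ee", "acct-3003": "univ:arts"}

def in_scope(node: str, scope: str) -> bool:
    """True if scope is node itself or an ancestor of it (an isMemberOf-style test)."""
    while node is not None:
        if node == scope:
            return True
        node = ORG_PARENT[node]
    return False

@dataclass(frozen=True)
class Privilege:
    subject: str
    function: str         # e.g. "approve-expense"
    scope: str            # org node covered, including everything below it
    limit: float | None   # maximum amount per action; None means unlimited
    effective: date
    expires: date | None  # exclusive; None means open-ended
    granted_by: str       # "root" for seed grants made by the central office

def active_on(p: Privilege, on: date) -> bool:
    return p.effective <= on and (p.expires is None or on < p.expires)

def covers(g: Privilege, p: Privilege) -> bool:
    """Does privilege g, held by p's grantor, permit granting p? Scope, limit and window must nest."""
    return (g.subject == p.granted_by and g.function == p.function
            and in_scope(p.scope, g.scope)
            and (g.limit is None or (p.limit is not None and p.limit <= g.limit))
            and g.effective <= p.effective
            and (g.expires is None or (p.expires is not None and p.expires <= g.expires)))

class PrivilegeStore:
    def __init__(self) -> None:
        self.privs: list[Privilege] = []

    def grant(self, p: Privilege) -> None:
        """Record p; a delegated grant is refused unless the grantor holds a covering privilege."""
        if p.granted_by != "root" and not any(covers(g, p) for g in self.privs):
            raise PermissionError(f"{p.granted_by} cannot delegate {p.function} on {p.scope}")
        self.privs.append(p)

    def can(self, subject: str, function: str, account: str, on: date, amount: float = 0) -> bool:
        """Decision for one account: an active privilege whose scope contains the account's department."""
        dept = ACCOUNT_DEPT[account]
        return any(p.subject == subject and p.function == function and active_on(p, on)
                   and in_scope(dept, p.scope) and (p.limit is None or amount <= p.limit)
                   for p in self.privs)

    def export(self, on: date) -> list[tuple[str, str, str]]:
        """Flatten to (subject, resource, action) triples, the shape the WebFinancials slide describes."""
        return sorted({(p.subject, acct, p.function)
                       for p in self.privs if active_on(p, on)
                       for acct, dept in ACCOUNT_DEPT.items() if in_scope(dept, p.scope)})

def build_travel_delegations() -> PrivilegeStore:
    """Constructed sample after the UC Davis slide: a seed approver delegating down the org tree."""
    s = PrivilegeStore()
    s.grant(Privilege("vp-admin", "approve-expense", "univ", 100_000, date(2024, 1, 1), None, "root"))
    s.grant(Privilege("eng-dean", "approve-expense", "univ:eng", 25_000, date(2024, 1, 1), date(2025, 1, 1), "vp-admin"))
    s.grant(Privilege("cs-admin", "approve-expense", "univ:eng:cs", 5_000, date(2024, 2, 1), date(2024, 7, 1), "eng-dean"))
    return s

def delegation_refused(s: PrivilegeStore, p: Privilege) -> bool:
    """True if the store rejects the grant (grantor lacks a covering privilege)."""
    try:
        s.grant(p)
    except PermissionError:
        return True
    return False

def scenario() -> dict[str, bool]:
    """Named decisions over the sample, so outcomes can be checked by name."""
    s, on = build_travel_delegations(), date(2024, 3, 1)
    return {
        "cs-admin, own account, under limit": s.can("cs-admin", "approve-expense", "acct-1001", on, 4_000),
        "cs-admin, own account, over limit": s.can("cs-admin", "approve-expense", "acct-1001", on, 6_000),
        "cs-admin, sibling department": s.can("cs-admin", "approve-expense", "acct-2002", on, 100),
        "cs-admin, after expiry": s.can("cs-admin", "approve-expense", "acct-1001", date(2024, 7, 15), 100),
        "eng-dean, any engineering account": s.can("eng-dean", "approve-expense", "acct-2002", on, 20_000),
        "delegation above grantor limit refused": delegation_refused(s, Privilege(
            "ee-admin", "approve-expense", "univ:eng:ee", 50_000, on, date(2024, 12, 1), "eng-dean")),
        "delegation outside grantor scope refused": delegation_refused(s, Privilege(
            "someone", "approve-expense", "univ:arts", 100, on, date(2024, 12, 1), "cs-admin")),
        "delegation beyond grantor expiry refused": delegation_refused(s, Privilege(
            "ee-admin", "approve-expense", "univ:eng:ee", 100, on, date(2025, 6, 1), "eng-dean")),
        "nested delegation accepted": not delegation_refused(s, Privilege(
            "ee-admin", "approve-expense", "univ:eng:ee", 10_000, on, date(2024, 12, 1), "eng-dean")),
        "export lists cs-admin only on its own account":
            ("cs-admin", "acct-1001", "approve-expense") in s.export(on)
            and ("cs-admin", "acct-2002", "approve-expense") not in s.export(on),
    }
```

The delegation check runs only at grant time: if a grantor's privilege is later revoked or its limit lowered, privileges already delegated below it stay in force in this model. A deployment that exports to a downstream system (the T&E web services interface on the slide) needs either cascading revocation or re-validation of the whole chain at export time; otherwise the exported (subject, resource, action) triples outlive the authority that produced them.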

Slide 23: Use Case: U.Chicago: Computer Cluster Access
What: Express complex access policy in LDAP attributes that condition workstation login.
Grouper function:
- Group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy
- Whitelist and blacklist policy-exception capability given to cluster administrators
- Cluster admins tweak the classifying hierarchy as needed
Signet function: None at present. Would be used if, for example, departments were to authorize access to their own computer labs.
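The group math behind the USC slide (inclusion/exclusion groups combined by a nightly processor), the whitelist/blacklist exception layer over an affiliation hierarchy on the U.Chicago cluster slide, and the isMemberOf test that a WebAuth-style "require group" rule on the Stanford slide performs, as one added example in Python. This is illustration code written for this page, not Grouper's implementation; the composite operations (union, intersection, complement as left minus right) follow Grouper's composite-group semantics in simplified form, and every group name, person and policy below is constructed.

```python
"""Group math over nested groups with inclusion/exclusion and policy exceptions.
Added example for this page, not Grouper code; all names below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    members: set[str] = field(default_factory=set)    # people added directly
    subgroups: set[str] = field(default_factory=set)  # names of nested groups

@dataclass
class Composite:
    """A group computed from two others: union, intersection, or complement (left minus right)."""
    name: str
    op: str
    left: str
    right: str

class Registry:
    def __init__(self) -> None:
        self.groups: dict[str, Group | Composite] = {}

    def add(self, g: Group | Composite) -> None:
        self.groups[g.name] = g

    def effective_members(self, name: str, _path: frozenset[str] = frozenset()) -> set[str]:
        """Flatten a nested or composite group to the set of people in it.

        _path holds the groups being expanded on the current branch; meeting one
        again means the hierarchy has a cycle that naive recursion would follow forever.
        """
        if name in _path:
            raise ValueError(f"membership cycle through {name!r}")
        path = _path | {name}
        g = self.groups[name]
        if isinstance(g, Composite):
            left = self.effective_members(g.left, path)
            right = self.effective_members(g.right, path)
            if g.op == "union":
                return left | right
            if g.op == "intersection":
                return left & right
            if g.op == "complement":
                return left - right
            raise ValueError(f"unknown composite op {g.op!r}")
        people = set(g.members)
        for sub in g.subgroups:
            people |= self.effective_members(sub, path)
        return people

    def is_member_of(self, person: str, name: str) -> bool:
        """The test behind a 'require group <name>' rule for this person."""
        return person in self.effective_members(name)

    def ldap_is_member_of(self, person: str) -> list[str]:
        """isMemberOf values a nightly provisioner would write to this person's LDAP entry."""
        return sorted(n for n in self.groups if self.is_member_of(person, n))

def build_cluster_policy() -> Registry:
    """Constructed sample: affiliation hierarchy plus admin-managed whitelist/blacklist."""
    r = Registry()
    r.add(Group("affil:faculty", members={"alice"}))
    r.add(Group("affil:grad", members={"bob"}))
    r.add(Group("affil:undergrad", members={"carol", "dave"}))
    # Eligibility policy: faculty and grad students, expressed by nesting.
    r.add(Group("cluster:policy", subgroups={"affil:faculty", "affil:grad"}))
    # Exceptions maintained by cluster admins.
    r.add(Group("cluster:whitelist", members={"carol"}))
    r.add(Group("cluster:blacklist", members={"bob"}))
    # eligible = (policy U whitelist) minus blacklist; the blacklist must be applied last.
    r.add(Composite("cluster:include", "union", "cluster:policy", "cluster:whitelist"))
    r.add(Composite("cluster:eligible", "complement", "cluster:include", "cluster:blacklist"))
    return r

def has_cycle(r: Registry, name: str) -> bool:
    """True if expanding `name` raises, which for this sample means a membership cycle."""
    try:
        r.effective_members(name)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    reg = build_cluster_policy()
    print(sorted(reg.effective_members("cluster:eligible")))  # ['alice', 'carol']
    print(reg.ldap_is_member_of("carol"))
```

Two points a provisioner should carry over from this: the complement is not symmetric, so an exclusion list has to be the right-hand side of the last operation or a whitelisted person can re-admit a blacklisted one; and delegated group administration makes cycles possible (a sub-department group that, through someone's edit, ends up containing its own parent), so the flattening that feeds LDAP needs the cycle guard rather than assuming the hierarchy is a tree.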

Slide 24: Use Case: U.Chicago: Computer Cluster Access (cont.; no transcribed text for this slide)

