Presentation is loading. Please wait.

Presentation is loading. Please wait.

IAM Online - Grouper Permissions Chris Hyzer University of Pennsylvania / Internet2 September 14, 2011 9/14/20151.

Published byFelix Harrell Modified over 8 years ago

Similar presentations

Presentation on theme: "IAM Online - Grouper Permissions Chris Hyzer University of Pennsylvania / Internet2 September 14, 2011 9/14/20151."— Presentation transcript:

1 IAM Online - Grouper Permissions Chris Hyzer University of Pennsylvania / Internet2 September 14, 2011 9/14/20151

2 IAM Online - Grouper Permissions IAM Online Grouper Permissions Use case description Architecture Permissions setup Oracle Fine Grained Access Control Demo Real-time provisioning Workflow Note: all code in slide notes and SVN (viewVC)SVNviewVC Note: youtube demo (part 1) (part 2)part 1part 2 Note: presentation and notes here (google “grouper documents”, though not OLD one)presentation and notes here 9/14/20152

3 IAM Online - Grouper Permissions Use case description From Penn State, also needed at University of PA Personal user data stored in SQL DB Applications across the University need to access the data Principle of least privilege at a row and column level User information (test data set): –PersonID –NetID –First and last name –Email address –Phone numbers SQL access will take place with different schemas per application This service is called SecureUserData (SUD) 9/14/20153

4 IAM Online - Grouper Permissions Use case description (continued) PSU and UP only need read-only access managed, but for this example, let’s manage READ/WRITE 9/14/20154 Oracle Student billing web app Fac/staff file sharing app Schema: FASTDEV2 IDs (read-only) Name (read/write) Student rows IDs (read-only) Name (read-only) Contact info (read/write) Faculty/staff rows Schema: FASTDEV3

5 IAM Online - Grouper Permissions Sample data 9/14/20155 IDPersonIDNetIDFirstLastEmailWork#Home# A312345jsJohnSmithjs@a.edu3-1234123-4567 B498765sdSaraDavissd@a.edu5-2345234-5678 C554321rjRyanJonesrj@a.edu7-4567345-6789 T756789jcJuliaClarkjc@a.edu9-6789456-7890 Students Faculty

6 IAM Online - Grouper Permissions Architecture One table in Oracle with personal user information Secure the table with Oracle FGAC (Fine grained access control) / VPD (Virtual private database) Security data needs to be replicated from Grouper to Oracle for performance reasons Store memberships for rows and permissions for schemas in Grouper Access request workflow with Kuali Rice edoclite / Grouper Note: a schema in Oracle is the connecting DB user 9/14/20156

7 IAM Online - Grouper Permissions Grouper demo server Publicly accessible server that runs various versions of Grouper for demo purposes Grouper demo server: https://grouperdemo.internet2.edu/https://grouperdemo.internet2.edu/ Grouper demo wiki You can register an InCommon login IDregister an InCommon login ID 9/14/20157

8 IAM Online - Grouper Permissions Setup on Grouper demo server: affiliations Normally these would be available in Grouper as loader jobs They are not on the Grouper demo server, so add 9/14/20158

9 IAM Online - Grouper Permissions Setup: row level groups Create the application folder, and organize subfolders Add the community groups as members 9/14/20159

10 IAM Online - Grouper Permissions Setup: row/column level permission definition Permission definition has configuration and security 9/14/201510

11 IAM Online - Grouper Permissions Setup read/write action for this permission def Include an “all” which implies read and write Note: this is specific to this one permission definition, and does not affect other permissions in Grouper 9/14/201511

12 IAM Online - Grouper Permissions Setup permission name for each set of columns 9/14/201512

13 IAM Online - Grouper Permissions Setup column permission name inheritance 9/14/201513

14 IAM Online - Grouper Permissions Setup permission name for each group of rows 9/14/201514

15 IAM Online - Grouper Permissions Setup row permission name inheritance 9/14/201515

16 IAM Online - Grouper Permissions Assign the permissions 9/14/201516

17 IAM Online - Grouper Permissions Setup: insert sample data Table: SECUREUSERDATA_USER 9/14/201517

18 IAM Online - Grouper Permissions Setup: enable client subject for WS 9/14/201518

19 IAM Online - Grouper Permissions Setup: privileges for grouperClientSubject (e.g.) 9/14/201519

20 IAM Online - Grouper Permissions Setup: groups without members represent schemas 9/14/201520

21 IAM Online - Grouper Permissions 9/14/201521 Full sync Grouper to Oracle security tables Grouper SUD sync logic WS select 1 Oracle SQL select 2 SQL insert/delete 3

22 IAM Online - Grouper Permissions Run the full sync Java program Code in SVN: http://anonsvn.internet2.edu/svn/i2mi/trunk/grouper-misc/poc_secureUserData/ 9/14/201522

23 IAM Online - Grouper Permissions Local cache of security tables and memberships SECUREUSERDATA_MEMBERSHIPS SECUREUSERDATA_ROW_PERMISS SECUREUSERDATA_COL_PERMISS 9/14/201523

24 IAM Online - Grouper Permissions Oracle FGAC/VPD/RLS Oracle Fine Grained Access Control (FGAC) aka: Virtual Private Database (VPD) –A way to apply a virtual (hidden to the user) “where clause” to limit rows (Row Level Security (RLS)) –A way to null-out columns in a way that is hidden to the user –Based on schema, or if trusted schema, data in the context Note: this part does not have to be FGAC, you could use a view with functions, or something else… –With Oracle, FGAC is supposed to perform better than a view with functions 9/14/201524

25 IAM Online - Grouper Permissions 9/14/201525 Application schemas accessing FGAC’ed data SchemaY FGAC SchemaX accesses data Run a PL/SQL function that appends a predicate to the query based on the schema or data in context. Can restrict insert/update/deletes. Predicate joins to SUD security tables from Grouper 1 Oracle Filtered results 2 3 Query on FGAC’ed table/view

26 IAM Online - Grouper Permissions Oracle FGAC (continued) For performance, cache security in the connection context (similar to ThreadLocal) –Only cache for a certain amount of time (5 minutes?) –Can cache on connect trigger, or on demand “on demand” might be better if users connect to the DB for things unrelated to the FGAC –Cache who the user is, when cache was created, if can read/write all rows, which column sets can read/write 9/14/201526

27 IAM Online - Grouper Permissions Oracle FGAC (continued) Designate an Oracle package to hold the FGAC code –Full code in slide notes 9/14/201527

28 IAM Online - Grouper Permissions Oracle FGAC row predicate Two functions are where clause predicates relating to the query: one for select, one for update Six functions are “where clause” predicates relating to the columns in query: 3 different colsets, for insert/update 9/14/201528

29 IAM Online - Grouper Permissions Oracle FGAC (continued) Assign the policies to table Here is an example of 1 of the 8 policies (full code in slide notes) 9/14/201529

30 IAM Online - Grouper Permissions Oracle FGAC queries from owner schema: all data Note: there is a short circuit, if owner schema, allow access 9/14/201530

31 IAM Online - Grouper Permissions Oracle FGAC queries from student billing application: sees students and no contact info 9/14/201531

32 IAM Online - Grouper Permissions Oracle FGAC queries from student billing application: can update name, not ids 9/14/201532

33 IAM Online - Grouper Permissions Oracle FGAC queries from faculty/staff file sharing application: sees fac/staff and all columns 9/14/201533

34 IAM Online - Grouper Permissions Oracle FGAC queries from faculty/staff file sharing application: can update contact info, not name 9/14/201534

35 IAM Online - Grouper Permissions Add a requirement: read-only access of file sharing application to student rows. Assign in Grouper Kick off the sync’ing app, or wait for cron 9/14/201535

36 IAM Online - Grouper Permissions Add a requirement (continued). See rows in Oracle The new student row is read-only 9/14/201536

37 IAM Online - Grouper Permissions 9/14/201537 Real-time row membership notification Grouper SUD real- time logic Student or staff group membership changes 1 Oracle XMPP XML message with group and subjectId 2 Check Grouper and Oracle for membership 3 WS SQL 4 Insert or delete membership in cached table (if needed)

38 IAM Online - Grouper Permissions Real-time row membership notification demo Add Ryan Jones as a student Note: in reality the student system and loader will do this 9/14/201538

39 IAM Online - Grouper Permissions Real-time row membership notification demo Start the real time XMPP listener: Less than 1 minute after Grouper change, XMPP message goes from Grouper to SUD real time logic Note, it is configured to only send/receive relevant messages See the listener process the message 9/14/201539

40 IAM Online - Grouper Permissions Real-time row membership notification demo See that Ryan is now a student, select users from fastdev2 (student application) 9/14/201540

41 IAM Online - Grouper Permissions 9/14/201541 Real-time permission notification Grouper SUD real- time logic Relevant permission or role assignment 1 Oracle XMPP XML message to refresh all permissions 2 Check Grouper and Oracle for permissions 3 WS SQL 4 Insert or delete permission diffs in cached table

42 IAM Online - Grouper Permissions Real-time permission notification demo Allow file sharing app to read student data 9/14/201542

43 IAM Online - Grouper Permissions Real-time permission notification demo The listener was already started Less than 1 minute after Grouper change, XMPP message goes from Grouper to SUD real time logic Note, it is configured to only send/receive relevant messages See the listener process the message 9/14/201543

44 IAM Online - Grouper Permissions Access request workflow Penn will use its Kuali Rice eDocLite with a template like this Can auto-provision, though needs some work for allow/disallow and schema entity creation 9/14/201544

45 IAM Online - Grouper Permissions Access request workflow mockup (continued) 9/14/201545

46 IAM Online - Grouper Permissions 9/14/201546 Access request workflow Requestor SUD real- time logic Fills out eForm 1 Oracle SQL Supervisor Approves 2 Senior BA Approves 3 Central IT Approves, creates schema 4 EDocLite Grants/revokes permissions 5 Grouper XMPP WS FGAC 6 7 8

47 IAM Online - Grouper Permissions Questions? 9/14/201547

Download ppt "IAM Online - Grouper Permissions Chris Hyzer University of Pennsylvania / Internet2 September 14, 2011 9/14/20151."

Similar presentations

Grouper Training End Users Lite UI – External Users

Grouper Training End Users Lite UI – External Users
New Release Announcements and Product Roadmap Chris DiPierro, Director of Software Development April 9-11, 2014

New Release Announcements and Product Roadmap Chris DiPierro, Director of Software Development April 9-11, 2014
GP2013 (R2) New features in GP2013 (R2). New Ribbon for windows Edit List is the Print button on the right without the paper background Action pane can.

GP2013 (R2) New features in GP2013 (R2). New Ribbon for windows Edit List is the Print button on the right without the paper background Action pane can.
PennGroups Intro / HA / UI May 2014. 2 Agenda Introduction to PennGroups (Grouper) Recent use cases Recent improvements in availability –Architecture.

PennGroups Intro / HA / UI May Agenda Introduction to PennGroups (Grouper) Recent use cases Recent improvements in availability –Architecture.
Grouper Training - Admin Loader - Part 1 Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons Attribution-NonCommercial.

Grouper Training - Admin Loader - Part 1 Chris Hyzer Internet2 University of Pennsylvania This work licensed under a Creative Commons Attribution-NonCommercial.
Implementing enterprise governance can sometimes feel like trying to corral an exuberant crowd.

Implementing enterprise governance can sometimes feel like trying to corral an exuberant crowd.
Where the sidewalk used to end, privilege management Chris Hyzer University of Pennsylvania.

Where the sidewalk used to end, privilege management Chris Hyzer University of Pennsylvania.
Manifest – the Service Application Manifest is our new service, with Grouper as its logic engine, to manage populations which are known to us and those.

Manifest – the Service Application Manifest is our new service, with Grouper as its logic engine, to manage populations which are known to us and those.
User Management DigiTool Version 3.0. User Management 2 User Architecture PatronsStaff Users DepositorsApprovers Meditor User Management Management Module.

User Management DigiTool Version 3.0. User Management 2 User Architecture PatronsStaff Users DepositorsApprovers Meditor User Management Management Module.
Computer Monitoring System for EE Faculty By Yaroslav Ross And Denis Zakrevsky Supervisor: Viktor Kulikov.

Computer Monitoring System for EE Faculty By Yaroslav Ross And Denis Zakrevsky Supervisor: Viktor Kulikov.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
یا ذالامن و الامان. Virtual Private Database Mohammad Amin Sabbaghian.

یا ذالامن و الامان. Virtual Private Database Mohammad Amin Sabbaghian.
MI807: Database Systems for Managers Introduction –Course Goals & Schedule –Logistics –Syllabus Review Relational DBMS Basics –RDBMS Role in Applications.

MI807: Database Systems for Managers Introduction –Course Goals & Schedule –Logistics –Syllabus Review Relational DBMS Basics –RDBMS Role in Applications.
Cross-curricular Assignment Using your case study…

Cross-curricular Assignment Using your case study…
Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.

Fundamentals, Design, and Implementation, 9/e Chapter 7 Using SQL in Applications.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
Confidential ODBC May 7, 20071 2.0.0 Features What is ODBC? Why Create an ODBC Driver for Rochade? How do we Expose Rochade as Relational Transformation.

Confidential ODBC May 7, Features What is ODBC? Why Create an ODBC Driver for Rochade? How do we Expose Rochade as Relational Transformation.
DB Audit Expert v1.1 for Oracle Copyright © 1999-2002 SoftTree Technologies, Inc. This presentation is for DB Audit Expert for Oracle version 1.1 which.

DB Audit Expert v1.1 for Oracle Copyright © SoftTree Technologies, Inc. This presentation is for DB Audit Expert for Oracle version 1.1 which.
Database Application Security Models

Database Application Security Models
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Similar presentations

Ads by Google