
1 Grouper after Groups: Enabling Net+ Services with PAP, PEP, and PDP...Oh My!
October 3rd, 2012
Bill Thompson, IAM Architect, Unicon
Chris Hyzer, Grouper Developer, University of Pennsylvania

2 Contents
XACML – Policy, Rules, and the P*P
Grouper as PAP, PDP, PEP
Access Management Strategies
Penn Example
Grouper PEP POCs (Shiro, Spring, .NET)
NET+ Services and Grouper
© 2012 Internet2

3 XACML and P*P
XML + Request/Response: is subject allowed action on resource?
Policy Administration Point (PAP) is used to write policies.
Policy Decision Point (PDP) evaluates policies in the context of an access request.
Policy Enforcement Point (PEP) intercepts access requests and carries out the decisions of the PDP.

4 XACML and P*P
[Diagram: XACML data flow. The Access Requestor sends a Request to the PEP; the PEP forwards it through the Context handler to the PDP; the PAP supplies the Policy; the PIP supplies Attributes (Subjects); the Response travels back the same path. Steps numbered 1 and 2.]

5 XACML and P*P
[Diagram: the same XACML data flow with Grouper components overlaid: Grouper UI at the PAP, Grouper WS at the PDP/Context handler, a Plugin or Grouper Client at the PEP, and the Application as the Access Requestor. Steps numbered 1 and 2.]


7 Grouper as "Policy" Administration Point
Grouper Loader
Include/Exclude Groups / Composites
Grouper Inheritance
Groups
Roles
Actions
Resources

8 Example policies
Active faculty members can login to the grading application
System XYZ can view ad hoc attributes / people in the institution community database
Active IT support staff can manage applications that they work on

9 Example policy in Grouper #1
Active faculty members can login to the grading application
[Diagram: Institution community groups: a Faculty group populated by the Loader from the SOR Payroll System, with manual Includes and Excludes. Application groups and permissions: a Grading Faculty Role (with its own Includes and Excludes) assigned the Login permission; the application asks the WS "has permission" (Action: assign).]

10 Example policy in Grouper #2
System XYZ can view ad hoc attributes / people in the institution community database
[Diagram: Institution community groups: Faculty (Loader from the payroll system) and Students (Loader from the student system). App groups / permissions: a System entity holding Col, ColSet and RowGroup permissions (Action: select); the application calls WS "get permissions" and WS "get members".]

11 Example policy in Grouper #3
Active IT support staff can manage applications that they work on
[Diagram: Institution community groups: IT org (Loader from the payroll system). App groups / permissions: an App Support Role defined as a Composite Intersection (IT org and App1 membership, e.g. userA), holding App1 permission and Col permission with Action(s): restartTomcat, restartApache, deploy, viewLogs, all; the application calls WS "get permissions".]

12 Grouper as "Policy" Decision Point
Is in Group/Role? Has permissions?
– Determined via loader, grouper config, inheritance, ...
– Effective membership
– Effective permissions
– Available for caching
Has permission based on context?
– Grouper Limits
– Only available at time of request
– Access through Web Service API
– XACML-like yes/no response to PDP request
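The two halves of this slide, cacheable effective membership/permissions versus limits that can only be evaluated with the request context, as an added example in Python. This is not Grouper code (Grouper is Java and answers these questions over its Web Services); the group names, sample members, the campus network range and the Login permission are constructed to mirror example policy #1 (active faculty log in to the grading application) and are assumptions:

```python
"""PAP / PDP / PEP model of the Grouper mapping (added example, not Grouper code).
Group, role, permission and limit names mirror example policy #1 and are constructed."""
from ipaddress import ip_address, ip_network


class Group:
    """Grouper-style group: loader members, manual includes/excludes, and
    inheritance (members of a parent group are members of this group)."""

    def __init__(self, name, members=(), includes=(), excludes=(), inherits=()):
        self.name = name
        self.members = set(members)
        self.includes = set(includes)
        self.excludes = set(excludes)
        self.inherits = list(inherits)


class PolicyStore:
    """PAP side: the groups, permission assignments and limits an admin writes."""

    def __init__(self):
        self.groups = {}        # group name -> Group
        self.permissions = {}   # role name -> {(resource, action)}
        self.limits = {}        # (role, resource, action) -> callable(context) -> bool

    def add_group(self, group):
        self.groups[group.name] = group

    def assign_permission(self, role, resource, action, limit=None):
        self.permissions.setdefault(role, set()).add((resource, action))
        if limit is not None:
            self.limits[(role, resource, action)] = limit


class DecisionPoint:
    """PDP side. Membership and permissions depend only on policy (cacheable);
    limits depend on the request context (must be evaluated per request)."""

    def __init__(self, store):
        self.store = store

    def effective_members(self, name):
        g = self.store.groups[name]
        members = g.members | g.includes
        for parent in g.inherits:
            members |= self.effective_members(parent)
        return members - g.excludes   # an exclude wins even over inherited membership

    def is_member(self, subject, name):
        return subject in self.effective_members(name)

    def effective_permissions(self, subject):
        """All (role, resource, action) triples the subject holds through any role."""
        held = set()
        for role, assignments in self.store.permissions.items():
            if self.is_member(subject, role):
                held |= {(role, res, act) for res, act in assignments}
        return held

    def decide(self, subject, action, resource, context=None):
        """XACML-like yes/no: Permit only if a held permission matches and its
        limit (if any) passes for this request's context; otherwise Deny."""
        context = context or {}
        for role, res, act in self.effective_permissions(subject):
            if (res, act) != (resource, action):
                continue
            limit = self.store.limits.get((role, res, act))
            if limit is None or limit(context):
                return "Permit"
        return "Deny"


class AccessDenied(Exception):
    pass


def enforce(pdp, subject, action, resource, context=None):
    """PEP: intercept the request, obtain the decision, and carry it out."""
    if pdp.decide(subject, action, resource, context) != "Permit":
        raise AccessDenied(f"{subject} may not {action} {resource}")
    return True


def campus_network_only(context):
    """Limit evaluated at request time: client must be on campus (assumed 10.0.0.0/8).
    A request with no client address fails closed."""
    client_ip = context.get("client_ip")
    return client_ip is not None and ip_address(client_ip) in ip_network("10.0.0.0/8")


def build_example():
    """Policy #1 as constructed sample data."""
    store = PolicyStore()
    # Loader-populated group from the payroll system of record
    store.add_group(Group("payroll:faculty", members={"alice", "bob", "carol"}))
    # Institution community group: loader data plus manual include/exclude
    store.add_group(Group("community:faculty", inherits=["payroll:faculty"],
                          includes={"dave"},     # visiting faculty not yet in payroll
                          excludes={"carol"}))   # on leave, so not "active"
    # Application role built on the community group, with its own exclude
    store.add_group(Group("grading:faculty_role", inherits=["community:faculty"],
                          excludes={"bob"}))     # teaches no graded courses
    # Login permission on the grading app, limited to the campus network
    store.assign_permission("grading:faculty_role", "grading_app", "login",
                            limit=campus_network_only)
    return DecisionPoint(store)
```

Everything up to `effective_permissions` is a pure function of policy and can be cached by a connector; `decide` must be called per request because the limit reads `client_ip` from the context, which is why the slide says limits are only available at time of request and go through the Web Service API.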

13 Grouper as "Policy" Enforcement Point
Grouper connectors for Kuali Rice, uPortal, Atlassian
Proof-of-concept connectors for Shiro, Spring, and .NET
– Application developers can focus on the language/platform-specific authorization API

14 Grouper POC Connectors for Authorization APIs
Apache Shiro
– Grouper group membership to Shiro hasRole
– Grouper permissions to Shiro hasPermission
Spring Security
– Grouper group to GrantedAuthority
.NET
– Grouper group to .NET hasRole
Jasig CAS
– Coarse-grained access control via PersonDirectory Grouper plugin
https://github.com/Unicon/iam-labs

15 Grouper Connectors for Spring Security
Config:
Code:
  You are a supervisor! You can therefore see the extremely secure page.
Annotations:
  @PreAuthorize("hasRole('ROLE_USER')")
  public void create(Contact contact);

16 Grouper Connector for Apache Shiro
Config:
  [urls]
  /shiro-cas = casFilter
  /user/** = user
  /** = anon
Code:

17 Grouper Connectors for .NET
Config:
Code:
  if (User.IsInRole("Administrator")) ...
Annotations:
  [Authorize(Roles = "Administrator")]
  public ActionResult Index()

18 Grouper POC Connectors...need more work.
Caching
Scoping for applications
Permission name transformation
Invalidating cache (change log listener + call back to app via https)
Permissions could also be put into Spring granted authorities

19 Access Management Strategies
ChangeLog/PSP
– propagate memberOf/eduPersonEntitlement via LDAP (consumed directly or via SAML)
ChangeLog
– propagate change notification, then sync (pull into) application-specific authorization data store
Grouper Connectors for Authorization APIs
– read/cache group/permissions from Grouper upon initial access
Grouper as PDP for permission with Limits
– Web Services call for each access decision
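The "read/cache upon initial access" strategy above, with the caching, application scoping, permission name transformation and change-log invalidation items the previous slide lists as outstanding work, as an added example in Python. It is not one of the POC connectors: `GrouperWsStub` stands in for a Grouper Web Services client, and the `app:grading` scope prefix, the `ROLE_` naming rule and the shape of the change-log event are assumptions made for illustration:

```python
"""Connector-side cache with scoping, name transformation and change-log
invalidation (added example, not one of the POC connectors). The WS stub,
scope prefix, ROLE_ naming rule and event shape are assumptions."""
import time


class GrouperWsStub:
    """Stand-in for the Grouper WS 'get groups' call; counts calls so the
    effect of caching is visible. memberships: subject -> set of group names."""

    def __init__(self, memberships):
        self.memberships = memberships
        self.calls = 0

    def get_groups(self, subject):
        self.calls += 1
        return set(self.memberships.get(subject, ()))


class CachingConnector:
    """Reads a subject's groups from Grouper on first access, keeps them for
    ttl seconds, and drops them early when a change-log callback arrives."""

    def __init__(self, ws, app_scope, ttl=300, clock=time.monotonic):
        self.ws = ws
        self.app_scope = app_scope.rstrip(":") + ":"
        self.ttl = ttl
        self.clock = clock
        self._cache = {}    # subject -> (expires_at, frozenset of role names)

    def transform(self, group_name):
        """Scoping plus name transformation: only groups under the app scope are
        exposed, e.g. app:grading:faculty_role -> ROLE_FACULTY_ROLE; others -> None."""
        if not group_name.startswith(self.app_scope):
            return None
        local = group_name[len(self.app_scope):]
        return "ROLE_" + local.replace(":", "_").upper()

    def roles(self, subject):
        """Framework role names for the subject, served from cache when fresh."""
        now = self.clock()
        entry = self._cache.get(subject)
        if entry is not None and entry[0] > now:
            return entry[1]
        mapped = map(self.transform, self.ws.get_groups(subject))
        roles = frozenset(r for r in mapped if r is not None)
        self._cache[subject] = (now + self.ttl, roles)
        return roles

    def has_role(self, subject, role):
        return role in self.roles(subject)

    def on_change_log(self, event):
        """Change-log listener callback (what the https call back to the app
        would invoke). Evicts the subject only if the changed group is in this
        application's scope. Returns True when an entry was evicted."""
        if self.transform(event.get("group", "")) is None:
            return False
        return self._cache.pop(event.get("subject"), None) is not None
```

The TTL is the safety net for a missed callback; the callback is what makes a removal take effect before the TTL runs out, so the https endpoint that receives it must authenticate the Grouper change-log listener, otherwise anyone who can reach it can force cache churn (or, if the endpoint accepted group data rather than just an eviction signal, forge memberships).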

20 Net+ Services Authorization Models
PAP at Grouper
PDP via Grouper effective membership/permissions
PEP via Connectors, propagation via LDAP/SAML, or notify and pull via Grouper WS
PSP propagate via service-specific APIs or SCIM?
Standard APIs for groups, people, and permissions provisioning

21 Questions/Discussion
Is it useful to describe Grouper in terms of P*P in the way it has been presented, or does it confuse the matter?
Should the Grouper project support/sponsor the connectors in the respective frameworks?
Enterprise Access Management strategy for Net+ enablement?

22 Grouper after Groups: Enabling Net+ Services with PAP, PEP, and PDP...Oh My!
https://github.com/Unicon/iam-labs
http://www.internet2.edu/grouper/
https://spaces.internet2.edu/display/groupertrain/Grouper+Training
Chris Hyzer, Grouper Developer, University of Pennsylvania, mchyzer@isc.upenn.edu
Bill Thompson, IAM Architect, Unicon, wgthom@unicon.net

