I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago

IdMS reality Each person’s online activities is shaped by many Sources of Authority (SoAs) Resource managers Program/activity heads Other policy making bodies Self Common middleware infrastructure should be operated centrally To not oblige departments/programs/activities to build their own core middleware Management of the information it conveys should be highly distributed Hook up all of those SoAs to the middleware TF-EMC2 Feb 2005

Relative roles of Signet & Grouper RBAC model Users are placed into groups Privileges are assigned to groups Groups can be arranged into static hierarchies to effectively bestow privileges Signet manages privileges Grouper manages, well, groups Grouper Signet TF-EMC2 Feb 2005

Signet TF-EMC2 Feb 2005

Nutshell description of Signet Analysts write XML descriptions of “business views” of privileges and store them in the Authority Registry Signet UI presents business views found in the Authority Registry Authoritative persons use the Signet UI to assign privileges and delegate authority across all “subsystems” in which they have any authority Signet UI stores assignments in the Authority Registry XML “permissions documents” are exported from the Authority Registry, transformed, and provisioned into integrated systems and infrastructure services TF-EMC2 Feb 2005

Privileges building blocks Business view Subsystems Categories Functions Scope Limits Prerequisites Conditions System view Permissions Assignment to Individual Group With/without ability to further delegate Proxy assignment TF-EMC2 Feb 2005

Signet subsystems Define domains of ownership and responsibility Reflect real world boundaries Can be large or small Financial system Student system HR system Network address plan management Network access management Research administration Clinical resources IdMS UI (Person Registry) Signet (Authority Registry) Grouper (Group Registry) TF-EMC2 Feb 2005

Authority elements by example By authority of the Dean grantor principal investigators grantee (group) who have completed training prerequisite can approve purchases function in the School of Medicine scope for research projects up to $100,000 limits until January 1, 2006 condition TF-EMC2 Feb 2005

Business view  system permissions TF-EMC2 Feb 2005

Provisioning permissions into systems TF-EMC2 Feb 2005

Provisioning permissions into infrastructure TF-EMC2 Feb 2005

TF-EMC2 Feb 2005

Grouper groups Attributes of groups Names: name, displayName, guid Description Members Can extend the set of attributes to support groups with more specific purposes Subgroups, compound groups, and aging Stored in an RDBMS, the Group Registry TF-EMC2 Feb 2005

Group namespaces Groups are created within namespaces Namespaces scope the authority to create and name groups Namespaces can be arranged hierarchically, if desired faculties namespace faculties:arts namespace faculties:arts:all_staff group TF-EMC2 Feb 2005

Grouper privileges Access privileges Naming privileges Who has what access (read, write) to a group’s attributes Naming privileges Who can create a group in each namespace Who can create a new namespace subordinate to an existing one Privilege interfaces are abstracted Can use external privilege management system, like Signet Grouper’s built-in privilege management Subgroups, compound groups, and aging can be used to manage privileges with built-in capability TF-EMC2 Feb 2005

Access privileges VIEW controls to whom a group is visible or hidden READ information, especially membership, about a group UPDATE membership ADMIN can modify everything, including group name, description, & access privileges, and can delete the group OPTIN can add self to the members list OPTOUT can remove self from the members list TF-EMC2 Feb 2005

Naming privileges CREATE a group in a given namespace The creator is automatically given ADMIN priv STEM privilege in a given namespace enables: Assignment of CREATE and STEM privileges for the namespace Creation of subordinate namespaces The creator is automatically given STEM priv TF-EMC2 Feb 2005

Three ways to distribute group management Create a group and assign someone UPDATE privilege to it Manage the group’s membership Create a group and assign someone ADMIN privilege to it Manage who manages the group’s membership and who can see what about the group Create a namespace and assign someone STEM privilege to it Manage who can create groups with constraint on how they are named TF-EMC2 Feb 2005

Signet & Grouper Subject Interface Now available Component common to both to integrate with external IdMS Now available Grouper API v0.5. Basic group management by automation processes Demo release of Signet By Spring Internet2 meeting Grouper v0.6. First complete release, including the UI Initial production ready release of Signet anticipated middle of 2005 TF-EMC2 Feb 2005

What is GridShib? NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework” Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4 2 year project starting December 1, 2004 Participants Von Welch, UIUC/NCSA (PI) Kate Keahey, UChicago/Argonne (PI) Frank Siebenlist, Argonne Tom Barton, UChicago TF-EMC2 Feb 2005

GridShib integration principles No modification to typical grid client applications Leverage high-quality campus IdMS operations Attributes Attribute release policies Leverage high-quality Shib and Grid software TF-EMC2 Feb 2005

Basic use case grid-proxy-init 2 SIA: IdP ID(s) 1 EEC GT4 runtime attribute marshalling pipeline 3 -2 4 -1 online CA 5 shib AA LionShare-like trust plugin TF-EMC2 Feb 2005

Managing the attributes marshalled by GridShib Grid resource, user, and SoAs for user attributes may be in different administrative domains. How to manage attributes marshalled from which AA? Shibbolized Signet & Grouper might help… TF-EMC2 Feb 2005