Introduction to Grouper

Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally focused on robust management of groups, emphasizing: Delegation and distributed management Integration with most any existing IdM infrastructure. See case studies and campus contributions at: y+Contributions y+Contributions Grouper v2.0 provides broader set of access management capabilities, including roles & permissions Released 6 September October 2011 Grouper story

1.Start out using a single user attribute, affiliation, in LDAP or AD to let applications implement access policies 2.Enrich centralized access management using groups determined from systems of record Courses, financial accounts, departments Define service specific access policies in central IAM system 3.Get central IT out of the loop Distributed management Exceptions Departmental apps 4.Increase integration of access management Direct application integration with web services ESB/SOA, REST/SOAP Roles & privileges to support applications more deeply 3 October 2011 Access management is a process: making authZ more than authN

Grouper: core concepts 4 October 2011 Folders in hierarchies Group Direct members Subgroup Indirect members Composite groups = U

Security & delegation in Grouper 5 October 2011 Create groups Create subfolders Admin Update membership Read membership View group Opt-in Opt-out Delegation

Beyond groups 6 October 2011 Attributes Roles Permissions Attribute definition Permission definition Role inheritance Delegation model extends that for Groups

Membership start & end times (optional) Move or copy folders, groups, etc User audit Point in time audit Rules 7 October 2011 Access management lifecycle support

8 October 2011 Grouper components as of v2.0

New and improved in Grouper v2.0 9 October 2011 FeatureDescription RulesExecute built-in actions and expression language to add business logic to Grouper actions Attribute and Permissions UIs Ajax-y UIs to define, view, and assign attributes and permissions Permission Disallow To manage inheritance of permissions via Role, Resource, or Action hierarchies Permission LimitsBuilt-in Policy Decision Point that combines run-time context with permissions to produce Allow/Deny Point in Time AuditQuery Grouper’s state at a previous time External SubjectsInvitation processes leverage federation to let external Subjects be given group memberships and permissions Syncing GroupersFederate groups between two Groupers Member Search & Sort Selective Subject attribute caching for improved sorting and searching capability and speed LdappcNG enhancement Improved performance through caching

Tom Barton’s UChicago group memberships 10 June 2011

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu ucismemberof: uc:org:nsit:integration:techag ucismemberof: uc:org:nsit:srdirs ucismemberof: uc:org:nsit:integration:iteco:wr ucismemberof: uc:applications:confluence:NSIT:esx ucismemberof: uc:org:nsit:integration:iteco:rd ucismemberof: uc:applications:confluence:NSIT:Directors ucismemberof: uc:org:nsit:staff ucismemberof: uc:applications:confluence:NSIT:Everyone ucismemberof: uc:org:nsit:integration:shib_group ucismemberof: uc:applications:bulkmail:users ucismemberof: uc:org:library:gnet:admins ucismemberof: uc:applications:gnetid:admins ucismemberof: uc:applications:wireless:authorized ucismemberof: uc:applications:cmail:users:authorized ucismemberof: uc:reference:affiliations:effective:staff LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu ucIsMemberOf : uc:org:nsit:srdirs ucIsMemberOf : uc:reference:affiliations:effective:staff Memberships become LDAP attributes 11 ucIsMemberOf : uc:applications:vpn:authorized June 2011

UChicago VPN simple delegation example Different groups, different authorities. VPN only uses “vpn:authorized”. 12 eligibledenied student staff alumhospital closure locked vpn:authorized postdoc = ̶ IRB June 2011 Core business systems IRB Office IT Security Team IdM system

UChicago applications managed by Grouper, so far aams Ad Astra Bulkmail Business Objects Enterprise Chalk CityRyde Cmail cnet Confluence Directory Administration dmca Facilities SIMS gnetid grouper im isx IT Ecosystem Lab School LDAP lists Mail Forwarding Microsoft Exchange modem pool myUChicago online directory password expiration rt 13 Service Now shibboleth Statements portlet SVN tank UC Groups unifiedcomm uPoV Monitor versions voip vpn web hosting webproxy Webshare webspace wireless June 2011

14 October 2011