Grouper Training Developers and Architects How to Design Permissions Shilen Patel Duke University This work licensed under a Creative Commons Attribution-NonCommercial.

Presentation transcript:

Slide 1: Grouper Training – Developers and Architects – How to Design Permissions
Shilen Patel, Duke University
This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Slide 2: Contents
- Introduction
- Permission definitions
- Permission names
- Actions
- Roles
- Permission assignments
- Limits
- Inheritance
- Application integration

Slide 3: Introduction
- Attributes
- Roles
- Permissions
- Attribute definition
- Permission definition
- Role inheritance
- Delegation model extends that for groups

Slide 4: Permission Definitions
- A type of attribute definition where the attribute type is “permission”.
- Typically one definition covers a set of permission names (resources) and actions.
- Also carries security information: who can create permission assignments using a given definition, and who can see those assignments.

Slide 5: Permission Names
- Permission names are the “resource” in the permission triple.
- Typically there is more than one per permission definition.

Slide 6: Actions
- Each permission definition has a set of actions that can be used to form permissions with that definition.
- Actions are free-form strings (e.g. “read”, “write”, “admin”).

Slide 7: Roles
- A special type of group.
- Unlike regular groups, roles can be associated directly with permission assignments.
- Roles can also have permission inheritance.

Slide 8: Permission Assignments
- Contain the triple: subject (a role, or a specific subject within a role), action, and resource (the permission name).
- Start and end dates: a permission can be set to start on a future date or to end on a future date.

Slide 9: Permission Assignments (continued)
- Allowed versus disallowed permissions.
- The permission processor resolves conflicts when performing permission queries (e.g. PermissionFinder.hasPermission()):
  - Direct assignments trump inherited assignments.
  - A lower-depth inherited assignment trumps a higher-depth inherited assignment (depth measured on the directed graph of inheritance).
  - Inherited ALLOW assignments trump inherited NOT_ALLOW assignments of equal depth.

Slide 10: Limits
- Runtime constraints on permission assignments.
- There are many built-in limits (such as “Weekday 9 to 5”).
- When querying permissions through the permission processor, you can supply limit values (e.g. the current time).
- Limits can only apply to permissions that are allowed, not to disallowed ones.

Slide 11: Inheritance
- Role inheritance: one role inherits the permissions of another role (e.g. a senior manager inherits the permissions assigned to a manager).
- Resource inheritance: a permission on one resource implies permission on another. Useful in hierarchies (e.g. read access on the OIT resource within an application implies read access on OIT:IDM).

Slide 12: Inheritance (continued)
- Action inheritance: one action implies another (e.g. admin implies read).
- Group membership: adding a group as a member of a role.
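As an added illustration (not code from the slides or from Grouper itself), the conflict-resolution rules from slide 9 and the three kinds of inheritance from slides 11 and 12 modelled in Python: the depth of a matching assignment is the number of role, resource and action inheritance hops between it and the query, the lowest depth wins, and ties at that depth go to ALLOW. The roles, subjects, resources and assignments are constructed sample data built from the slides' own examples (senior manager inherits manager, OIT implies OIT:IDM, admin implies read).

```python
from collections import deque, namedtuple

# Constructed sample data (hypothetical, not Grouper's own), using the slides' examples
ROLE_INHERITS = {"senior_manager": ["manager"]}  # senior_manager inherits manager's permissions
RESOURCE_IMPLIES = {"OIT": ["OIT:IDM"]}           # permission on OIT implies permission on OIT:IDM
ACTION_IMPLIES = {"admin": ["read"]}              # admin implies read
Assignment = namedtuple("Assignment", "role subject action resource allowed")  # subject None = whole role
MEMBERS = {"alice": ["senior_manager"], "bob": ["manager"]}
ASSIGNMENTS = [
    Assignment("manager", None, "read", "OIT", True),
    Assignment("manager", None, "read", "OIT:IDM", False),  # allowed=False models NOT_ALLOW
    Assignment("senior_manager", None, "admin", "OIT:IDM", True),
]

def hops(graph, start, target):
    """Shortest path length in a directed inheritance graph, or None if unreachable."""
    dist, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return dist[node]
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None

def has_permission(subject, action, resource, memberships=MEMBERS, assignments=ASSIGNMENTS):
    """Resolve (subject, action, resource) with the precedence rules from slide 9."""
    candidates = []  # (depth, allowed) for every assignment that reaches the query
    for role in memberships.get(subject, ()):
        for a in assignments:
            if a.subject is not None and a.subject != subject:
                continue  # assigned to a different subject within the role
            steps = (hops(ROLE_INHERITS, role, a.role),             # role inheritance
                     hops(ACTION_IMPLIES, a.action, action),        # action inheritance
                     hops(RESOURCE_IMPLIES, a.resource, resource))  # resource inheritance
            if None not in steps:
                candidates.append((sum(steps), a.allowed))
    if not candidates:
        return False  # nothing assigned reaches this query
    best = min(depth for depth, _ in candidates)
    # Depth 0 is a direct assignment and beats anything inherited; a lower depth beats a
    # higher one; at equal depth ALLOW beats NOT_ALLOW (the slide states this for inherited
    # ties; applying it to direct ties as well is an assumption of this model).
    return any(allowed for depth, allowed in candidates if depth == best)

if __name__ == "__main__":
    for q in [("bob", "read", "OIT"), ("bob", "read", "OIT:IDM"), ("alice", "read", "OIT:IDM")]:
        print(q, has_permission(*q))
```

The manager's NOT_ALLOW on OIT:IDM beats the inherited allow from OIT for bob, but for alice that same NOT_ALLOW arrives at depth 1 and ties with the inherited allow from admin-implies-read, so alice is allowed.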

Slide 13: Application Integration
- Use the Grouper change log to propagate permissions to an external application.
- Change log events occur when permissions are added or dropped.
- The change log tells you which roles have permission changes.
- The change log category is “permission” and the change log action is “permissionChangeOnRole”.

Slide 14: Application Integration (continued)
- An application can look up permissions using Grouper Web Services.
- A possible approach for custom applications.
- Consider caching, especially if permissions are fine-grained.
- Limit values can also be sent in permission queries, with a simple boolean response indicating whether the user has the permission.

Slide 15: Application Integration (continued)
- Grouper API.
- Grouper views: useful for read-only queries when the permission processor is not needed.
  - grouper_perms_assigned_role_v: shows all permissions assigned to roles.
  - grouper_perms_role_v: shows all permissions assigned to users because the user is in a role and the role is assigned the permission.
  - grouper_perms_role_subject_v: shows all permissions assigned to users directly while in a role.
  - grouper_perms_all_v: union of grouper_perms_role_v and grouper_perms_role_subject_v.

Slide 16: Quiz
Click on the quiz link in the video description to reinforce your knowledge of this topic.

Slide 17: Thanks!
Further information:
- Infosheets, mailing lists, wiki, downloads, etc.:
- Grouper demo server: grouperdemo.internet2.edu/
- Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ
This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.