IAM Online - Grouper Permissions
Chris Hyzer, University of Pennsylvania / Internet2
September 14, 2011
(Slide 1; slide footer date 9/14/2015)


Slide 2: Agenda
- Use case description
- Architecture
- Permissions setup
- Oracle Fine Grained Access Control
- Demo
- Real-time provisioning
- Workflow
Note: all code is in the slide notes and in SVN (viewVC).
Note: YouTube demo (part 1, part 2).
Note: the presentation and notes are on the Grouper documents page (google "grouper documents", though not the OLD one).

Slide 3: Use case description
- From Penn State, also needed at University of PA
- Personal user data stored in a SQL DB
- Applications across the University need to access the data
- Principle of least privilege at a row and column level
- User information (test data set):
  – PersonID
  – NetID
  – First and last name
  – Email address
  – Phone numbers
- SQL access will take place with different schemas per application
- This service is called SecureUserData (SUD)

Slide 4: Use case description (continued)
PSU and UP only need read-only access managed, but for this example, let's manage READ/WRITE.
Diagram: two application schemas accessing the Oracle table
- Student billing web app, schema FASTDEV2: student rows; IDs (read-only), Name (read/write)
- Fac/staff file sharing app, schema FASTDEV3: faculty/staff rows; IDs (read-only), Name (read-only), Contact info (read/write)

Slide 5: Sample data
(Table image; only the column headers survived: ID, PersonID, NetID, First, Last, Work#, Home#, with a set of Student rows and a set of Faculty rows.)

Slide 6: Architecture
- One table in Oracle with personal user information
- Secure the table with Oracle FGAC (Fine Grained Access Control) / VPD (Virtual Private Database)
- Security data needs to be replicated from Grouper to Oracle for performance reasons
- Store memberships for rows and permissions for schemas in Grouper
- Access request workflow with Kuali Rice eDocLite / Grouper
Note: a schema in Oracle is the connecting DB user

Slide 7: Grouper demo server
- Publicly accessible server that runs various versions of Grouper for demo purposes
- Grouper demo server / Grouper demo wiki
- You can register an InCommon login ID

Slide 8: Setup on Grouper demo server: affiliations
- Normally these would be available in Grouper as loader jobs
- They are not on the Grouper demo server, so add them

Slide 9: Setup: row level groups
- Create the application folder, and organize subfolders
- Add the community groups as members

Slide 10: Setup: row/column level permission definition
- A permission definition has configuration and security

Slide 11: Setup read/write actions for this permission definition
- Include an "all" action which implies read and write
Note: this is specific to this one permission definition, and does not affect other permissions in Grouper

Slide 12: Setup a permission name for each set of columns

Slide 13: Setup column permission name inheritance

Slide 14: Setup a permission name for each group of rows

Slide 15: Setup row permission name inheritance

Slide 16: Assign the permissions

Slide 17: Setup: insert sample data
Table: SECUREUSERDATA_USER

Slide 18: Setup: enable client subject for WS

Slide 19: Setup: privileges for grouperClientSubject (e.g.)

Slide 20: Setup: groups without members represent schemas

Slide 21: Full sync Grouper to Oracle security tables (diagram)
1. SUD sync logic: WS select from Grouper
2. SUD sync logic: SQL select from Oracle
3. SUD sync logic: SQL insert/delete into Oracle

Slide 22: Run the full sync Java program
Code in SVN:

Slide 23: Local cache of security tables and memberships
- SECUREUSERDATA_MEMBERSHIPS
- SECUREUSERDATA_ROW_PERMISS
- SECUREUSERDATA_COL_PERMISS

Slide 24: Oracle FGAC/VPD/RLS
- Oracle Fine Grained Access Control (FGAC), aka Virtual Private Database (VPD)
  – A way to apply a virtual (hidden to the user) "where clause" to limit rows (Row Level Security (RLS))
  – A way to null out columns in a way that is hidden to the user
  – Based on schema, or if trusted schema, data in the context
- Note: this part does not have to be FGAC; you could use a view with functions, or something else...
  – With Oracle, FGAC is supposed to perform better than a view with functions

Slide 25: Application schemas accessing FGAC'ed data (diagram)
1. SchemaX (or SchemaY) accesses data: a query on the FGAC'ed table/view in Oracle
2. FGAC runs a PL/SQL function that appends a predicate to the query based on the schema or data in context. The predicate joins to the SUD security tables from Grouper. Can restrict inserts/updates/deletes.
3. Filtered results are returned

Slide 26: Oracle FGAC (continued)
- For performance, cache security in the connection context (similar to ThreadLocal)
  – Only cache for a certain amount of time (5 minutes?)
  – Can cache on a connect trigger, or on demand; "on demand" might be better if users connect to the DB for things unrelated to the FGAC
  – Cache who the user is, when the cache was created, whether they can read/write all rows, and which column sets they can read/write
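One way to implement the on-demand connection-context cache described on this slide, as an added PL/SQL example that is not the package from the presentation's slide notes. It assumes SECUREUSERDATA_COL_PERMISS has columns SCHEMA_NAME, COL_SET and ACTION_NAME (holding read/write/all) and that the package is owned by the same schema as that table; the context namespace sud_ctx, the package name sud_cache and the attribute names are invented for the example.

```sql
CREATE OR REPLACE CONTEXT sud_ctx USING sud_cache;
/
CREATE OR REPLACE PACKAGE sud_cache AS
  -- Called "on demand" at the top of each FGAC policy function.
  PROCEDURE refresh_if_stale;
  FUNCTION can_write_cols(p_col_set VARCHAR2) RETURN BOOLEAN;
END sud_cache;
/
CREATE OR REPLACE PACKAGE BODY sud_cache AS
  c_ttl_seconds CONSTANT NUMBER := 300;  -- the slides' "5 minutes?"

  -- Column sets the schema may act on, formatted ',ids,name,' for INSTR tests.
  -- Assumed columns: SCHEMA_NAME, COL_SET, ACTION_NAME (read/write/all).
  FUNCTION col_sets(p_schema VARCHAR2, p_action VARCHAR2) RETURN VARCHAR2 IS
    l_list VARCHAR2(4000);
  BEGIN
    SELECT ',' || LISTAGG(col_set, ',') WITHIN GROUP (ORDER BY col_set) || ','
      INTO l_list
      FROM secureuserdata_col_permiss
     WHERE schema_name = p_schema AND action_name IN (p_action, 'all');
    RETURN l_list;
  END col_sets;

  -- Only the package named in CREATE CONTEXT may set sud_ctx attributes, so a
  -- connecting schema cannot grant itself column sets by writing the context.
  PROCEDURE refresh_if_stale IS
    l_schema VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
    l_loaded VARCHAR2(14)  := SYS_CONTEXT('sud_ctx', 'loaded_at');
  BEGIN
    -- Reuse the cache while it belongs to this user and is younger than the TTL.
    IF l_loaded IS NOT NULL
       AND SYS_CONTEXT('sud_ctx', 'schema') = l_schema
       AND (SYSDATE - TO_DATE(l_loaded, 'YYYYMMDDHH24MISS')) * 86400 < c_ttl_seconds
    THEN
      RETURN;
    END IF;
    DBMS_SESSION.SET_CONTEXT('sud_ctx', 'schema',     l_schema);
    DBMS_SESSION.SET_CONTEXT('sud_ctx', 'loaded_at',  TO_CHAR(SYSDATE, 'YYYYMMDDHH24MISS'));
    DBMS_SESSION.SET_CONTEXT('sud_ctx', 'cols_read',  col_sets(l_schema, 'read'));
    DBMS_SESSION.SET_CONTEXT('sud_ctx', 'cols_write', col_sets(l_schema, 'write'));
  END refresh_if_stale;

  -- Used by the column policy functions: is p_col_set (e.g. 'name') writable?
  FUNCTION can_write_cols(p_col_set VARCHAR2) RETURN BOOLEAN IS
  BEGIN
    refresh_if_stale;
    RETURN INSTR(SYS_CONTEXT('sud_ctx', 'cols_write'), ',' || p_col_set || ',') > 0;
  END can_write_cols;
END sud_cache;
/
```

A permission revoked in Grouper keeps working in an open session for up to the TTL, so the 5 minutes is the trade-off between query cost and how quickly a revocation takes effect.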

Slide 27: Oracle FGAC (continued)
- Designate an Oracle package to hold the FGAC code
  – Full code in slide notes

Slide 28: Oracle FGAC row predicate
- Two functions are where-clause predicates relating to the query: one for select, one for update
- Six functions are where-clause predicates relating to the columns in the query: 3 different colsets, for insert/update

Slide 29: Oracle FGAC (continued)
- Assign the policies to the table
- Here is an example of 1 of the 8 policies (full code in slide notes)
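An added example of one row policy (select) and one column policy (update of the name colset) of the kind counted on slides 28 and 29, written here rather than taken from the slide notes. Assumed names: the SUD tables are owned by schema SUD; SECUREUSERDATA_MEMBERSHIPS has GROUP_NAME and SUBJECT_ID, SECUREUSERDATA_ROW_PERMISS has SCHEMA_NAME, GROUP_NAME and ACTION_NAME, SECUREUSERDATA_COL_PERMISS has SCHEMA_NAME, COL_SET and ACTION_NAME, SECUREUSERDATA_USER has PERSONID, FIRST and LAST; the package and policy names are invented.

```sql
CREATE OR REPLACE PACKAGE sud_fgac AS
  -- DBMS_RLS requires this (schema, object) signature returning the predicate.
  FUNCTION row_select(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2;
  FUNCTION col_name_update(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2;
END sud_fgac;
/
CREATE OR REPLACE PACKAGE BODY sud_fgac AS
  -- Row predicate for SELECT: a row is visible when the connecting schema holds
  -- a read (or all) permission on a group the row's person belongs to. The
  -- inner tables have no column named PERSONID, so it binds to the outer table.
  FUNCTION row_select(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = p_schema THEN
      RETURN '1=1';  -- short circuit from the slides: the owner schema sees all
    END IF;
    RETURN 'EXISTS (SELECT 1 FROM secureuserdata_memberships m'
        || ' JOIN secureuserdata_row_permiss rp ON rp.group_name = m.group_name'
        || ' WHERE m.subject_id = personid'
        || ' AND rp.schema_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')'
        || ' AND rp.action_name IN (''read'', ''all''))';
  END row_select;

  -- Column predicate for UPDATE of the "name" column set (FIRST, LAST):
  -- every row if the schema may write that set, otherwise no row at all.
  FUNCTION col_name_update(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2 IS
    l_cnt PLS_INTEGER;
  BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = p_schema THEN
      RETURN '1=1';
    END IF;
    SELECT COUNT(*) INTO l_cnt
      FROM secureuserdata_col_permiss
     WHERE schema_name = SYS_CONTEXT('USERENV', 'SESSION_USER')
       AND col_set = 'name' AND action_name IN ('write', 'all');
    RETURN CASE WHEN l_cnt > 0 THEN '1=1' ELSE '1=0' END;
  END col_name_update;
END sud_fgac;
/
BEGIN  -- register two of the eight policies on the SUD table
  DBMS_RLS.ADD_POLICY(object_schema => 'SUD', object_name => 'SECUREUSERDATA_USER',
    policy_name => 'SUD_ROW_SELECT', function_schema => 'SUD',
    policy_function => 'SUD_FGAC.ROW_SELECT', statement_types => 'SELECT');
  DBMS_RLS.ADD_POLICY(object_schema => 'SUD', object_name => 'SECUREUSERDATA_USER',
    policy_name => 'SUD_COL_NAME_UPDATE', function_schema => 'SUD',
    policy_function => 'SUD_FGAC.COL_NAME_UPDATE', statement_types => 'UPDATE',
    sec_relevant_cols => 'FIRST,LAST', update_check => TRUE);
END;
/
```

A production version would take the column sets from the session cache instead of querying SECUREUSERDATA_COL_PERMISS on every statement. A policy function that raises an error makes every statement on the table fail, so keep the functions simple and test each policy from a non-owner schema such as FASTDEV2.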

Slide 30: Oracle FGAC queries from owner schema: all data
Note: there is a short circuit: if owner schema, allow access

Slide 31: Oracle FGAC queries from student billing application: sees students and no contact info

Slide 32: Oracle FGAC queries from student billing application: can update name, not IDs

Slide 33: Oracle FGAC queries from faculty/staff file sharing application: sees fac/staff and all columns

Slide 34: Oracle FGAC queries from faculty/staff file sharing application: can update contact info, not name

Slide 35: Add a requirement: read-only access of the file sharing application to student rows
- Assign in Grouper
- Kick off the sync'ing app, or wait for cron

Slide 36: Add a requirement (continued)
- See rows in Oracle
- The new student row is read-only

Slide 37: Real-time row membership notification (diagram)
1. A student or staff group membership changes in Grouper
2. XMPP XML message with group and subjectId goes to the SUD real-time logic
3. Check Grouper (WS) and Oracle (SQL) for the membership
4. Insert or delete the membership in the cached table (if needed)

Slide 38: Real-time row membership notification demo
- Add Ryan Jones as a student
Note: in reality the student system and loader will do this

Slide 39: Real-time row membership notification demo
- Start the real-time XMPP listener
- Less than 1 minute after the Grouper change, an XMPP message goes from Grouper to the SUD real-time logic
  Note: it is configured to only send/receive relevant messages
- See the listener process the message

Slide 40: Real-time row membership notification demo
- See that Ryan is now a student: select users from fastdev2 (student application)

Slide 41: Real-time permission notification (diagram)
1. A relevant permission or role assignment changes in Grouper
2. XMPP XML message to refresh all permissions goes to the SUD real-time logic
3. Check Grouper (WS) and Oracle (SQL) for permissions
4. Insert or delete permission diffs in the cached table
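The insert/delete diff step shared by the full sync (slide 21, step 3) and the real-time membership notification (slide 37, step 4), as an added PL/SQL example that is not the Java program in the slides' SVN, generalized so one procedure serves both: a NULL group means full sync, a group name means the one group named in an XMPP message. It assumes the sync program has already loaded whatever the Grouper WS returned into the staging table created here, and that SECUREUSERDATA_MEMBERSHIPS has columns GROUP_NAME and SUBJECT_ID; the staging table and procedure names are invented.

```sql
-- Staging table the sync program fills from the Grouper WS result (assumed).
CREATE GLOBAL TEMPORARY TABLE sud_grouper_stage (
  group_name VARCHAR2(255) NOT NULL,
  subject_id VARCHAR2(255) NOT NULL
) ON COMMIT PRESERVE ROWS;

CREATE OR REPLACE PROCEDURE sud_sync_memberships(
  p_group_name IN  VARCHAR2 DEFAULT NULL,  -- NULL = full sync; a name = one group
  p_inserted   OUT PLS_INTEGER,
  p_deleted    OUT PLS_INTEGER) IS
  l_staged PLS_INTEGER;
BEGIN
  -- Caveat: an empty WS result on a full sync (WS down, bad credentials) would
  -- otherwise delete every cached membership and hide every row from every
  -- application. Refuse to diff against nothing.
  SELECT COUNT(*) INTO l_staged FROM sud_grouper_stage
   WHERE p_group_name IS NULL OR group_name = p_group_name;
  IF p_group_name IS NULL AND l_staged = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'full sync: no Grouper memberships staged');
  END IF;

  -- Add memberships Grouper reports that the cached table lacks.
  INSERT INTO secureuserdata_memberships (group_name, subject_id)
  SELECT group_name, subject_id FROM sud_grouper_stage
   WHERE p_group_name IS NULL OR group_name = p_group_name
  MINUS
  SELECT group_name, subject_id FROM secureuserdata_memberships;
  p_inserted := SQL%ROWCOUNT;

  -- Remove cached memberships Grouper no longer reports within the scope.
  DELETE FROM secureuserdata_memberships m
   WHERE (p_group_name IS NULL OR m.group_name = p_group_name)
     AND NOT EXISTS (SELECT 1 FROM sud_grouper_stage s
                      WHERE s.group_name = m.group_name
                        AND s.subject_id = m.subject_id);
  p_deleted := SQL%ROWCOUNT;
  COMMIT;
END sud_sync_memberships;
/
```

Logging p_inserted and p_deleted on every run gives the operations team a cheap detection signal: a full sync that suddenly deletes far more than it inserts is worth looking at before the next cron run.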

Slide 42: Real-time permission notification demo
- Allow the file sharing app to read student data

Slide 43: Real-time permission notification demo
- The listener was already started
- Less than 1 minute after the Grouper change, an XMPP message goes from Grouper to the SUD real-time logic
  Note: it is configured to only send/receive relevant messages
- See the listener process the message

Slide 44: Access request workflow
- Penn will use its Kuali Rice eDocLite with a template like this
- Can auto-provision, though it needs some work for allow/disallow and schema entity creation

Slide 45: Access request workflow mockup (continued)

Slide 46: Access request workflow (diagram)
1. Requestor fills out the eForm (eDocLite)
2. Supervisor approves
3. Senior BA approves
4. Central IT approves, creates the schema (Oracle, SQL)
5. eDocLite grants/revokes permissions in Grouper
6-8. Grouper, XMPP, the SUD real-time logic (WS, SQL) and Oracle FGAC, as in the real-time notification flows on slides 37 and 41

Slide 47: Questions?