Cornell University: Replacing a System that (sorta) Works
Tom Parker, Joy Veronneau
Identity Management Team, OIT/CIT Security Office
Central Authorization


Cornell’s Permit System
 Central Authorization at Cornell is generically handled by a Permit Server
 Developed at Cornell and has been in use for over a decade
 The Permit Server maps groups of NetIDs to “permits”
 A permit is just a string token, such as “cit.staff” or “cu.student”
(image: Also a Permit)

Permit Server Stats
 Cornell has approximately 175,000 NetIDs.
 There are over 800 permits but only about 325 are active.
 Those active permits have about 500,000 memberships.
 On our busiest day, there are about 375,000 queries to the permit server.
 On that day the busiest minute has about 1,650 queries.
 Creation of new permits generally limited to sys admins
 Not used for personal groups like mailing lists
(image: Also a Permit)

Current Limitations
 AdminUI designed for the 1990s
 No limitations or expirations
 Limited delegation features
 Users can’t see what permits they have
 Permits can’t do negative authorizations
   For example, an institution may want to offer a service to all active students but only within the United States due to export regulations.
 No self-enrollment options
 Anyone (or anything) can be included in a Permit List
   No checks for misspellings or formatting errors
(image: Also a Permit)

Some Grouper Features that our Permit Server Doesn’t Have
 Distributed group management
 Composite groups - groups whose membership is determined by the union, intersection, or relative complement of two other groups
 Traceback of indirect membership
 A future version of Grouper may include aging of groups and memberships
 Self enrollment and unenrollment
 Users can easily see what groups they are members of
 Users can create and manage their own groups
 Group membership flows nicely into LDAP directory
 Uses existing repositories for subject sources
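The two features above that the Permit Server lacks, composite groups and traceback of indirect membership, as an added example (not Grouper's own code): a small in-memory group store with constructed group names and member IDs, including the export-regulation case from the limitations slide expressed as a relative complement.

```python
# Constructed sample data (not Cornell's real groups). Each group has direct
# member IDs, nested member groups, and optionally a composite definition
# (op, left, right) with op in union / intersection / complement.
GROUPS = {
    "cu:cit:staff":           {"direct": {"abc1", "def2"}},
    "cu:cit:adsm:backline":   {"direct": {"jkl4"}},
    "cu:cit:adsm":            {"direct": {"ghi3"}, "subgroups": {"cu:cit:adsm:backline"}},
    "cu:cit:all":             {"subgroups": {"cu:cit:staff", "cu:cit:adsm"}},
    "cu:students:active":     {"direct": {"abc1", "stu1", "stu2", "stu3"}},
    "cu:students:outside_us": {"direct": {"stu3"}},
    # active students minus those outside the US: the negative authorization
    # that a plain permit list cannot express
    "cu:students:active_in_us": {"composite": ("complement", "cu:students:active", "cu:students:outside_us")},
    "cu:cit:staff_students":  {"composite": ("intersection", "cu:cit:staff", "cu:students:active")},
}

def members(name, seen=frozenset()):
    """Effective membership of a group; 'seen' guards against nesting cycles."""
    if name in seen:
        return set()
    seen = seen | {name}
    g = GROUPS[name]
    if "composite" in g:
        op, left, right = g["composite"]
        l, r = members(left, seen), members(right, seen)
        return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
    out = set(g.get("direct", ()))
    for sub in g.get("subgroups", ()):
        out |= members(sub, seen)
    return out

def traceback(name, subject, path=()):
    """Chain of group names explaining why subject is in name, or None:
    the 'traceback of indirect membership' listed on the slide."""
    if name in path:                      # cycle guard
        return None
    path = path + (name,)
    g = GROUPS[name]
    if "composite" in g:
        if subject not in members(name):
            return None
        _, left, right = g["composite"]
        # union: follow whichever operand holds the subject; intersection and
        # complement are explained by the left operand (the right one filters)
        branch = left if subject in members(left) else right
        return traceback(branch, subject, path)
    if subject in g.get("direct", ()):
        return path
    for sub in sorted(g.get("subgroups", ())):
        found = traceback(sub, subject, path)
        if found:
            return found
    return None
```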

Initial Investigations
 Fit-Gap analysis between Permit Server System and Grouper
 Early versions of Grouper running in test
 Built and tested scripts to migrate permits into Grouper
 Modified UI for Cornell look and feel
 Emphasis on discovery and use cases
 Requirements gathering
(image: A grouper)

Requirements, some easy, some not…

Major Discussion Points
 Defining a namespace
   Of 30 requirements-gathering meetings, eight were devoted to defining the namespace
 Migration strategy
   How would we roll out a new campus-wide system without causing undue interruption to current services (or for that matter, any interruption whatsoever)?
 Query mechanisms and LDAP security

Defining a Namespace
 Grouper will likely handle many different types of groups.
   Some groups will be used to make authorization decisions
   Some may be used for non-authorization activities such as generating lists and calendaring.
 When someone requests that a new group or stem be created, we will need a process for defining where in the Grouper name-space the new stem or group should be placed and what it should be named.

Our Namespace Strategy
 Define a basic name-space of stems in which new groups can be created so that as soon as we switch from using the Permit Server to using Grouper, we will be ready to create new groups.
 Designate one or more people from each unit as the “owner” or “stem administrator” of their unit’s name-space.
 In this way, we push authority to the departmental units and each unit can decide how they want to administer their Grouper stem.

Multiple Views of Delegated Authority
 HR View of Delegated Authority
   Division, Department, Unit, Job, Position
   Also Role, Project, or other notions of responsibility
   Matrixed & non-matrixed
 Fiscal Responsibility View(s)
   Role-based: Fiscal Officer, Account Manager, Account Supervisor
   Org Hierarchies: Responsibility Centers, Divisions, Departments, Units
   Account-based: Chart of Accounts, Account, Sub-Account, Object Codes, Project Codes, etc.
 Academic View(s)
   College, Department, Program, etc.
   Statutory vs. endowed
   Project-based (crosses all of the above)
 Research View(s)
   Closely related to, sometimes the same as, Academic view(s)
   Based on Funding Source or…
   Based on Signature Authority
   Or Project-based
 Issues For All
   Delegation, Matrixing, Effective-dating (time boxing), etc.
   Resolution of orthogonal views (cross-walking multiple Orgs)
   Base the multiple views on administered data in enterprise sources

Research Unit Reference Chart
 Office of Institutional Planning
   Structure designed to provide a view of delegated authority at the organizational entity level from the Board of Trustees view
   Currently updated once a year (every Spring)
   Willing to maintain this if users sign up to the idea
 RURC has 48 Units
 Decent representation (ITMC)
 Makes sense because the structure below Unit Name is political not logical, and therefore unfathomable…
 Affiliates (have their own tree)

So, for example (diagram slides of the RURC tree; only the callouts survive)
 48 RURC Units
 about 12 of these
 HR nests its own org structure here

Our Migration Strategy
 Phased approach
   Phase One: Permit Server replacement (I2 Grouper)
   Phase Two: Privilege Management (I2 Signet)
 Staged rollout of new features
   New features come later
   Incl. addition of automatically provisioned groups
 Making the Permit Server replacement as transparent to users as possible
   Application administrators can switch to native Grouper at their convenience (if they don’t take *too* long - maybe a little over a year)
   Builds credibility
 LDAP Security

Transparent Cutover (diagram slides: current view and cutover view)
 Transparent cutover of Permit Server to Grouper
 System owners and application developers migrate at their convenience
 - We’re building a shim which is actually just an emulator
 - Runs on same server and port as permitd
 - Understands Cornell’s Stateless Server protocol (cussp)
 - Translates cussp queries and updates into Grouper API calls
 - Translates Grouper messages into cussp
 - Applications talking to the Permit Server won’t know the difference

Query Mechanisms
 Read group memberships from directory or database? (Heated discussion)
 The decision maker here was that some applications like Oracle Calendar are delivered ready to read groups from a directory
 We decided to use Grouper’s LDAP Provisioning Connector to push group membership information into the electronic directory
 We also need to provide a web service query to provide compatibility with existing applications

Security of Group Membership Information
 The Permit server allowed us to specify whether or not a group’s membership is “secret”
 Application principals could read a permit’s membership if authorized to do so.
 We can preserve this model using Grouper’s group read privilege and ACIs on the group directory.

Groups Directory
dc=authz, dc=cornell, dc=edu
  ou=groups
    objectclass=cornelledugroup, attribute=cornellgroupreadpriv
    objectclass=edumember, attribute=hasmember
    objec….... (remainder cut off on the slide)
    cn=cit.adsm, ou=groups
      cornelledugroupreadpriv: GrouperAll
    cn=cit.adsm.backline
      cornelledugroupreadpriv: backlineAppBindID
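The “secret group” model from the two slides above, as an added example (not Cornell’s or Grouper’s code): group entries provisioned into the directory in the shape the slide shows, with the group’s read privilege carried in cornelledugroupreadpriv and GrouperAll meaning everyone. The LDIF, member IDs and bind IDs are constructed; enforcement by directory ACIs is assumed to exist and is modelled here as a lookup, not implemented.

```python
# Constructed LDIF in the shape shown on the groups-directory slide; the DNs,
# member IDs and bind IDs are illustrative, not Cornell's real data.
SAMPLE_LDIF = """\
dn: cn=cit.adsm,ou=groups,dc=authz,dc=cornell,dc=edu
objectclass: cornelledugroup
objectclass: edumember
cn: cit.adsm
cornelledugroupreadpriv: GrouperAll
hasmember: ghi3
hasmember: jkl4

dn: cn=cit.adsm.backline,ou=groups,dc=authz,dc=cornell,dc=edu
objectclass: cornelledugroup
objectclass: edumember
cn: cit.adsm.backline
cornelledugroupreadpriv: backlineAppBindID
hasmember: jkl4
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, every attribute
    multi-valued. Base64 values (::) and continuation lines are not handled."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def can_read_members(entries, group_dn, principal):
    """Grouper's group read privilege as provisioned into the directory: the
    cornelledugroupreadpriv values name the principals allowed to see hasmember,
    and GrouperAll is the 'everyone' subject. Matching is exact (case-sensitive)."""
    readers = entries[group_dn].get("cornelledugroupreadpriv", [])
    return "GrouperAll" in readers or principal in readers

def visible_members(entries, group_dn, principal):
    """Membership the principal may see, or None for a group that is secret to it."""
    if not can_read_members(entries, group_dn, principal):
        return None
    return sorted(entries[group_dn].get("hasmember", []))

ENTRIES = parse_ldif(SAMPLE_LDIF)
BASE = "ou=groups,dc=authz,dc=cornell,dc=edu"
```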

Grouper Subject Sources
 NetIDs - yes
 GuestIDs - not yet
 Special Mailboxes - no
 Application IDs - yes (no source for them exists currently…)
 Administrative IDs - yes (no source for them exists currently…)
 Medical School NetIDs?