Grouper after Groups: Enabling Net+ Services with PAP, PEP, and PDP...Oh My! October 3rd, 2012. Bill Thompson, IAM Architect, Unicon; Chris Hyzer, Grouper Developer, University of Pennsylvania

Presentation transcript:

Grouper after Groups: Enabling Net+ Services with PAP, PEP, and PDP...Oh My!
October 3rd, 2012
Bill Thompson, IAM Architect, Unicon
Chris Hyzer, Grouper Developer, University of Pennsylvania

Contents
- Grouper after Groups
- XACML – Policy, Rules, and the P*P
- Grouper as PAP, PDP, PEP
- Access Management Strategies
- Penn Example
- Grouper PEP POCs (Shiro, Spring, .NET)
- NET+ Services and Grouper
2 – © 2012 Internet2

XACML and P*P
- XML + Request/Response: is the subject allowed to perform the action on the resource?
- Policy Administration Point (PAP) is used to write policies.
- Policy Decision Point (PDP) evaluates policies in the context of an access request.
- Policy Enforcement Point (PEP) intercepts access requests and carries out the decisions of the PDP.

XACML and P*P (diagram): Access Requestor sends a Request to the PEP; the PEP passes it through the Context handler to the PDP, which takes Policy from the PAP and Attributes (Subjects) from the PIP; the Response flows back PDP, PEP, Access Requestor (hops numbered 1 and 2).

XACML and P*P (diagram, the same flow with Grouper components overlaid): Grouper UI as PAP, Grouper WS as PDP and Context handler, Plugin or Grouper Client as PEP, and the Application as Access Requestor; Request/Response at each hop (numbered 1 and 2).


Grouper as "Policy" Administration Point
- Grouper Loader
- Include/Exclude Groups / Composites
- Grouper Inheritance
- Groups
- Roles
- Actions
- Resources

Example policies
- Active faculty members can log in to the grading application
- System XYZ can view ad hoc attributes / people in the institution community database
- Active IT support staff can manage applications that they work on

Example policy in Grouper #1: Active faculty members can log in to the grading application.
Diagram: Institution community groups: the Faculty SOR (Payroll System) feeds the Faculty group through the Loader, with manual Includes and Excludes. Application groups and permissions: the Faculty group is a member of the Grading Faculty Role, which holds the Login permission; the application checks it with the WS "has permission" call (Action: assign).

Example policy in Grouper #2: System XYZ can view ad hoc attributes / people in the institution community database.
Diagram: Institution community groups: Faculty (Payroll system via Loader) and Students (Student system). App groups / permissions: the System entity holds Col permissions, a ColSet permission and a RowGroup permission; the application calls WS get permissions (Action: select) and WS get members.

Example policy in Grouper #3: Active IT support staff can manage applications that they work on.
Diagram: Institution community groups: IT org (Payroll system via Loader). App groups / permissions: the App Support Role is a Composite Intersection of IT org and the application's staff (e.g. userA); it holds the App1 permission / Col permission with Action(s): restartTomcat, restartApache, deploy, viewLogs, all; the application calls WS get permissions.

Grouper as "Policy" Decision Point
- Is in Group/Role? Has permissions?
  - Determined via loader, grouper config, inheritance, ...
  - Effective membership
  - Effective permissions
  - Available for caching
- Has permission based on context?
  - Grouper Limits
  - Only available at time of request
  - Access through Web Service API
  - XACML-like yes/no response to PDP request
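The decision logic the example policies and this slide describe, as an added toy model (not Grouper code or its API): effective membership through loader groups, include/exclude composites and intersections, permissions with action inheritance, and a limit that is only evaluated against the request context. Group names, subjects and the campus-network limit are constructed for the example.

```python
from typing import Callable, Dict, Set, Tuple
# Constructed toy model of the slides' example policies #1 and #3 (not the Grouper API).
# Groups whose members are subject ids or other group names (Grouper-style nesting).
GROUPS: Dict[str, Set[str]] = {
    "inst:faculty:sor": {"alice", "bob"},       # populated by the loader from payroll
    "inst:faculty:includes": {"carol"},         # manual include
    "inst:faculty:excludes": {"bob"},           # manual exclude
    "inst:it:org": {"dave", "erin"},            # IT org, loaded
    "app1:supportStaff": {"dave", "frank"},     # who works on app1
    "grading:facultyRole": {"inst:faculty"},    # role whose member is the composite group
}
# Composite groups as (operator, left, right): include/exclude and intersection.
COMPOSITES: Dict[str, Tuple[str, str, str]] = {
    "inst:faculty:plusIncludes": ("union", "inst:faculty:sor", "inst:faculty:includes"),
    "inst:faculty": ("complement", "inst:faculty:plusIncludes", "inst:faculty:excludes"),
    "app1:supportRole": ("intersection", "inst:it:org", "app1:supportStaff"),
}
# Permissions assigned to roles as (resource, action); 'all' inherits the listed actions.
PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "grading:facultyRole": {("gradingApp", "login")},
    "app1:supportRole": {("app1", "all")},
}
ACTION_IMPLIES = {"all": {"restartTomcat", "restartApache", "deploy", "viewLogs"}}
# Limits run only at request time against the request context (constructed: deploy only from 10.*).
LIMITS: Dict[Tuple[str, str, str], Callable[[dict], bool]] = {
    ("app1:supportRole", "app1", "deploy"): lambda ctx: ctx.get("ip", "").startswith("10."),
}

def effective_members(group: str) -> Set[str]:
    """Resolve composites and nested groups to the flat set of subject ids."""
    if group in COMPOSITES:
        op, left, right = COMPOSITES[group]
        l, r = effective_members(left), effective_members(right)
        return {"union": l | r, "complement": l - r, "intersection": l & r}[op]
    members: Set[str] = set()
    for m in GROUPS.get(group, ()):
        members |= effective_members(m) if m in GROUPS or m in COMPOSITES else {m}
    return members

def decide(subject: str, action: str, resource: str, ctx: dict) -> str:
    """XACML-style yes/no: Permit if a role the subject is in grants (resource, action)
    and any limit on that assignment passes for this request context."""
    for role, grants in PERMISSIONS.items():
        if subject not in effective_members(role):
            continue
        for res, act in grants:
            if res == resource and (act == action or action in ACTION_IMPLIES.get(act, set())):
                limit = LIMITS.get((role, resource, action))
                if limit is None or limit(ctx):
                    return "Permit"
    return "Deny"
```

Everything except the limit can be computed ahead of time and cached by a connector; the limited decision must go to the PDP on every request, which is the trade-off the slide points at.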

Grouper as "Policy" Enforcement Point
- Grouper connectors for Kuali Rice, uPortal, Atlassian
- Proof-of-concept connectors for Shiro, Spring, and .NET
  - Application developers can focus on the language/platform-specific authorization API

Grouper POC Connectors for Authorization APIs
- Apache Shiro
  - Grouper group membership to Shiro hasRole
  - Grouper permissions to Shiro hasPermission
- Spring Security
  - Grouper group to GrantedAuthority
- .NET
  - Grouper group to .NET hasRole
- Jasig CAS
  - Coarse-grained access control via the PersonDirectory Grouper plugin

Grouper Connectors for Spring Security
Config:
Code:
  You are a supervisor! You can therefore see the extremely secure page.
  public void create(Contact contact);

Grouper Connector for Apache Shiro
Config:
  [urls]
  /shiro-cas = casFilter
  /user/** = user
  /** = anon
Code:

Grouper Connectors for .NET
Config:
Code:
  if (User.IsInRole("Administrator")) ...
Annotations:
  [Authorize(Roles = "Administrator")]
  public ActionResult Index()

Grouper POC Connectors...need more work.
- Caching
- Scoping for applications
- Permission name transformation
- Invalidating cache (change log listener + call back to app via https)
- Permissions could also be put into Spring granted authorities
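The connector-side behaviour from the Shiro slide (group to hasRole, permission to hasPermission) together with the four open items above (caching, scoping, name transformation, invalidation), as an added example that is not the project's POC code. The Grouper WS response is a constructed snapshot, and the stem "app:grading:" and the name-mapping rules are assumptions made for the example.

```python
from typing import Callable, Dict, Set, Tuple
# Constructed snapshot standing in for Grouper WS "get groups" and "get permission
# assignments" responses for one subject; not real Grouper output.
GROUPER_WS: Dict[str, dict] = {
    "alice": {
        "groups": {"inst:community:faculty", "app:grading:supervisor"},
        "permissions": {("app:grading:grades", "view"), ("app:grading:grades", "assign"),
                        ("app:hr:payroll", "view")},
    },
}

def fetch_from_grouper(subject: str) -> dict:
    """Stand-in for the web-service call the connector makes on first access."""
    return GROUPER_WS.get(subject, {"groups": set(), "permissions": set()})

class GrouperAuthzCache:
    """PEP-side cache: scopes Grouper data to one application's stem and maps
    names into the framework's vocabulary (Shiro-style hasRole / hasPermission)."""
    def __init__(self, scope: str, fetch: Callable[[str], dict] = fetch_from_grouper):
        self.scope = scope          # e.g. "app:grading:"; only this stem concerns the app
        self.fetch = fetch
        self.fetch_count = 0        # how many times Grouper was actually called
        self._cache: Dict[str, Tuple[Set[str], Set[str]]] = {}

    def _role_name(self, group: str) -> str:
        return group[len(self.scope):]                   # "app:grading:supervisor" -> "supervisor"

    def _permission_name(self, resource: str, action: str) -> str:
        return f"{resource[len(self.scope):]}:{action}"  # ("app:grading:grades", "view") -> "grades:view"

    def _entry(self, subject: str) -> Tuple[Set[str], Set[str]]:
        if subject not in self._cache:                   # read from Grouper only on first access
            data = self.fetch(subject)
            self.fetch_count += 1
            roles = {self._role_name(g) for g in data["groups"] if g.startswith(self.scope)}
            perms = {self._permission_name(r, a) for r, a in data["permissions"]
                     if r.startswith(self.scope)}
            self._cache[subject] = (roles, perms)
        return self._cache[subject]

    def has_role(self, subject: str, role: str) -> bool:
        return role in self._entry(subject)[0]

    def has_permission(self, subject: str, permission: str) -> bool:
        return permission in self._entry(subject)[1]

    def on_change_log(self, subject: str) -> None:
        """Invoked by a Grouper change-log listener's https callback; drops the stale entry."""
        self._cache.pop(subject, None)
```

Until the change-log callback arrives, a revoked group or permission is still honoured from the cache, so the callback path is what bounds how long a stale grant survives.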

Access Management Strategies
- ChangeLog/PSP
  - propagate memberOf/eduPersonEntitlement via LDAP (consumed directly or via SAML)
- ChangeLog
  - propagate change notification, then sync (pull into) application-specific authorization data store
- Grouper Connectors for Authorization APIs
  - read/cache group/permissions from Grouper upon initial access
- Grouper as PDP for permission with Limits
  - Web Services call for each access decision

Net+ Services Authorization Models
- PAP at Grouper
- PDP via Grouper effective membership/permissions
- PEP via Connectors, propagation via LDAP/SAML, or notify and pull via Grouper WS
- PSP propagate via service-specific APIs or SCIM?
- Standard APIs for groups, people, and permissions provisioning

Questions/Discussion
- Is it useful to describe Grouper in terms of P*P in the way it has been presented, or does it confuse the matter?
- Should the Grouper project support/sponsor the connectors in the respective frameworks?
- Enterprise Access Management strategy for Net+ enablement?

Grouper after Groups: Enabling Net+ Services with PAP, PEP, and PDP...Oh My!
Chris Hyzer, Grouper Developer, University of Pennsylvania
Bill Thompson, IAM Architect, Unicon