Grouper: A Toolkit for Managing Groups
Tom Barton, Blair Christensen
University of Chicago

Fall 2004 I2MM

Outline
- The problem with groups
- Case study: U Chicago’s “USITE” computer labs
- Tour of Grouper
- USITE case study revisited
- Grouper project status
- Bonus round: personal groups

Groups facilitate …
- Customization: application UI tailored to the user’s affiliations with the organization
- Authorization
  - “Lightweight”: relationship information feeding access decisions
  - “Heavyweight”: assignment of structured privileges to groups
- Messaging, scheduling, & collaboration: departments, courses, programs, committees, teams, …
- POSIX naming services

Group management issues
- Coordinating many sources of information
- Provisioning groups in many locations
- Supporting several styles of access to group membership information
- Aging of groups and of memberships
- Use of subgroups vs. effective membership
- Referring to set-theoretic combinations of groups (compound groups)
- Privacy & visibility requirements

The USITE access problem
- Must control access to computers in the labs independently of the ability to authenticate
- U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
  - You’ll see “nsit” and “usite” in the names of things to follow

USITE access policy
- Students
  - 23 categories of current students
  - Some entitle USITE access, some disenfranchise, others fail to entitle
  - Time-of-year dependency for some categories
- Current faculty & staff are entitled
- Other, more loosely affiliated people are not entitled
- Exceptional administrative admits and denies across all categories above

Use of group management
- Various elemental USITE-related categories of people are modeled as groups
- Subgroups are used to roll up effective admit or deny status
- Some groups are automatically managed, others manually
- Some roll-up groups are manually managed to deal with time dependency or changes in access policy

Groups model for USITE access (diagram; the ACL is “shaded green but not red”, i.e. everyone in the admit roll-up who is not also in the deny roll-up)
- Admit side: usite_eligible (manual) rolls up admin_admit (manual), uc:faculty (auto), uc:staff (auto), categories of entitled students, and time-dependent student categories
- Deny side: usite_barred (manual) rolls up admin_deny (manual) and categories of barred students

Management-related groups
- Management privileges for manually managed groups also need to be managed!
- So, more groups list who has what authority in managing the groups that mediate USITE access:
  - Director of Learning Environments
  - Lab Managers
  - Student staff

Data flow & Grouper’s role in USITE access (diagram; components only)
- Data sources: SIS, HR
- Registries: Person registry, Group registry
- Loaders (via the Grouper API)
- Managers: Dir. Learning Environments, Lab Managers, Student staff (via the Grouper UI and Grouper API)
- LDAP entry example: uid: jdoe; ucAffiliation: …; isMemberOf: …
- lab (via the Grouper API)

Grouper groups
- Stored in an RDBMS, the Group Registry
- Attributes of groups: name, description, members
- Possible to extend the set of attributes to support groups with more specific purposes

Directory of groups
- Groups are created within a hierarchy of directories, like files within a computer’s directory system
  - Directories are also named
  - Sometimes you need to use the full name of a group, like the full pathname of a file
  - Example: /nsit/usite/admin_admit
- The directory delimiter can be configured for different effect
  - Example: nsit:usite:admin_admit

Grouper privileges
- Access privileges: who has what access (read, write) to a group’s attributes
- Naming privileges: who can create a group or subdirectory in what part of the directory of groups

Access privileges
- VIEW: see the group’s name in lists & refer to it, e.g., make it a subgroup of another group
- READ: basic information about a group
- UPDATE: membership, and administer VIEW, READ, & UPDATE privileges
- ADMIN: can modify everything, including group name, description, & privileges, and can delete the group
- OPTIN: can add self to the members list
- OPTOUT: can remove self from the members list

Naming privileges
- STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
  - Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege
- CREATE: create a group in a given directory

Built-in privilege implementation
- All access & naming privileges can be assigned to individual members or to groups
  - Subgroups, compound groups, and aging can be used to manage privileges
- Abstracted interfaces are presented for privilege management
  - Sites can hook in their own privilege management and bypass Grouper’s built-in system

USITE revisited: Grouper’s role
- Make an “nsit:usite” directory in the group registry
- Groups created within it:
  - dir_learning_env, lab_managers, student_staff
  - usite_eligible, usite_barred
  - admin_admit, admin_deny
- Give stem privilege for “nsit:usite” to the Director of Learning Environments
  - She can run her groups empire within

USITE group access privileges (diagram; unqualified names are in the nsit:usite namespace; A = ADMIN, U = UPDATE, V = VIEW, R = READ)
- usite_eligible: A: dir_learning_env; V,R: all
- admin_admit: U: usite_manage; V,R: usite_view
- uc:faculty: V,R: all
- uc:staff: V,R: all
- categories of entitled students, time-dependent student categories, categories of barred students (privileges as drawn on the diagram)
- admin_deny: U: usite_manage; V,R: usite_view
- usite_barred: A: dir_learning_env; V,R: all
- V: all (a label whose group cannot be recovered from the transcript)
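The following is an added example, not code from the slides or from the Grouper project: a toy in-memory Python registry that models the USITE scheme of the “Groups model for USITE access” slide and the two privilege slides. It resolves effective membership through subgroups, computes the “green but not red” ACL as the compound group eligible-minus-barred, and checks access privileges (VIEW, READ, UPDATE, ADMIN, OPTIN, OPTOUT, granted to subjects, groups or “all”) and naming privileges (STEM, CREATE) on a directory path with a configurable delimiter. Assumptions that the slides do not state: the implication order ADMIN > UPDATE > READ > VIEW (with ADMIN also covering OPTIN/OPTOUT), the composition of the usite_manage and usite_view grantees, one stand-in group for each set of student categories, and all subject ids; the class and function names are mine.

```python
# Added example, not code from the slides or the Grouper project: a toy
# in-memory registry modelling the USITE groups and privileges. Anything
# marked "assumed" is my assumption, not something the slides state.
from dataclasses import dataclass, field

DELIM = ":"  # configurable directory delimiter (slides show "/" and ":")

# Assumed implication order: ADMIN > UPDATE > READ > VIEW; ADMIN also covers
# OPTIN/OPTOUT. IMPLIES[p] is the set of privileges that grant p.
IMPLIES = {"VIEW": {"VIEW", "READ", "UPDATE", "ADMIN"}, "READ": {"READ", "UPDATE", "ADMIN"},
           "UPDATE": {"UPDATE", "ADMIN"}, "ADMIN": {"ADMIN"},
           "OPTIN": {"OPTIN", "ADMIN"}, "OPTOUT": {"OPTOUT", "ADMIN"}}


@dataclass
class Group:
    name: str                                    # full name, e.g. "nsit:usite:admin_admit"
    members: set = field(default_factory=set)    # direct subject members
    subgroups: set = field(default_factory=set)  # direct member groups (full names)
    privs: dict = field(default_factory=dict)    # privilege -> grantees (subjects, groups, "all")


class Registry:
    def __init__(self):
        self.groups = {}
        self.stem_privs = {}  # stem name -> {"STEM" / "CREATE": grantees}

    def add(self, name, members=(), subgroups=(), **privs):
        self.groups[name] = Group(name, set(members), set(subgroups),
                                  {p: set(g) for p, g in privs.items()})

    def effective_members(self, name, seen=None):
        """Transitive closure over subgroups; `seen` guards against cycles."""
        seen = set() if seen is None else seen
        if name in seen:
            return set()
        seen.add(name)
        grp = self.groups[name]
        return set(grp.members).union(*(self.effective_members(s, seen) for s in grp.subgroups))

    def is_member(self, subject, name):
        return subject in self.effective_members(name)

    def _granted(self, subject, grantees):
        # a grantee is "all", a group name (resolved via effective membership) or a subject id
        return any(g == "all" or (g in self.groups and self.is_member(subject, g)) or g == subject
                   for g in grantees)

    def has_access(self, subject, group, priv):
        grants = self.groups[group].privs
        return any(self._granted(subject, grants.get(p, ())) for p in IMPLIES[priv])

    def has_naming(self, subject, stem, priv):
        """CREATE (a group) or STEM (a subdirectory) granted on this exact stem."""
        return self._granted(subject, self.stem_privs.get(stem, {}).get(priv, ()))

    def can_admin_naming(self, subject, stem):
        """STEM on a directory covers administering CREATE/STEM for it and its
        immediate subdirectories, so look at the stem and its parent only."""
        parent = stem.rsplit(DELIM, 1)[0] if DELIM in stem else None
        return any(self.has_naming(subject, s, "STEM") for s in (stem, parent) if s)


def build_usite():
    """Constructed sample data mirroring the USITE slides (memberships are made up)."""
    r, U = Registry(), "nsit:usite:"
    r.add(U + "dir_learning_env", members={"director"})
    r.add(U + "lab_managers", members={"lm1"})
    r.add(U + "student_staff", members={"ss1"})
    # assumed composition of the usite_manage / usite_view grantees shown on the slide
    r.add(U + "usite_manage", subgroups={U + "dir_learning_env", U + "lab_managers"})
    r.add(U + "usite_view", subgroups={U + "usite_manage", U + "student_staff"})
    r.add("uc:faculty", members={"prof1"}, VIEW={"all"}, READ={"all"})   # auto-loaded
    r.add("uc:staff", members={"staff1"}, VIEW={"all"}, READ={"all"})    # auto-loaded
    r.add(U + "entitled_students", members={"stu1", "stu2"})  # stand-in for the categories
    r.add(U + "barred_students", members={"stu2"})
    # manual exception lists, privileges as drawn on the slide
    r.add(U + "admin_admit", members={"alum1"},
          UPDATE={U + "usite_manage"}, VIEW={U + "usite_view"}, READ={U + "usite_view"})
    r.add(U + "admin_deny", members={"prof1"},
          UPDATE={U + "usite_manage"}, VIEW={U + "usite_view"}, READ={U + "usite_view"})
    r.add(U + "usite_eligible", ADMIN={U + "dir_learning_env"}, VIEW={"all"}, READ={"all"},
          subgroups={U + "admin_admit", "uc:faculty", "uc:staff", U + "entitled_students"})
    r.add(U + "usite_barred", ADMIN={U + "dir_learning_env"}, VIEW={"all"}, READ={"all"},
          subgroups={U + "admin_deny", U + "barred_students"})
    r.stem_privs["nsit:usite"] = {"STEM": {U + "dir_learning_env"}}  # the Director's stem
    return r


def usite_access(r, subject):
    """The ACL from the slide: "shaded green but not red" = eligible minus barred."""
    return (r.is_member(subject, "nsit:usite:usite_eligible")
            and not r.is_member(subject, "nsit:usite:usite_barred"))
```

Calling `usite_access(build_usite(), "prof1")` returns False: the faculty member is eligible through uc:faculty but sits on admin_deny, and the deny side wins because the compound group is a set difference, not a union. Likewise `has_access("ss1", "nsit:usite:admin_admit", "READ")` is True through usite_view while the same subject’s UPDATE check is False, which is the point of granting privileges to management groups rather than to individuals: changing who may edit the exception lists is a membership change in usite_manage, not a privilege edit on every group.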

USITE group management privileges (diagram; unqualified names are in the nsit:usite namespace)

Grouper v1 features
- API & UI for basic group management
  - Create, read, update, delete, import, export
  - Distributed management
  - Subgroups & compound groups
  - Aging of groups and memberships
- Abstracted interfaces for
  - Group and directory privileges
  - Subject lookup
  - Last activity

Phases of Grouper v1 development
- Phase 1: Basic management and export functions
- Phase 2: Compound groups & Signet integration
- Phase 3: Aging of groups and memberships
- Phase 1 API available before end of year (2004, that is!)

Grouper deliverables
- U Chicago: Java API
- U Bristol: Java UI
- You: contributed loaders & connectors
- Subject Lookup implementation, jointly with the Signet project
- Group Registry creation scripts & sample batch import/export scripts
- Documentation

Grouper UI status
- Conceptual mock-up completed
- Modular design for look and feel
- Grouper & Signet UIs will “leave the factory floor” bearing an I2 family resemblance

Personal groups
- Any user can create groups named personal:username:groupname
- Good or evil?
  - Yeah! Low overhead to let everyone do groups
  - Booo! Valuable institutional data squirreled away in unknowable spaces that go away
- Configuration:
  - on/off
  - Root directory for the personal namespace (“personal” above)

Further info & participation
- MACE-Dir list
- MACE-Dir-groups conference calls

Grouper in Context (diagram)

Missing
- Much on compound groups?
- Enough about UI?
- More Signet?