Grouper: A Toolkit for Managing Groups


1 Grouper: A Toolkit for Managing Groups
Tom Barton, Blair Christensen, University of Chicago

2 Outline
- The problem with groups
- Case study: U Chicago’s “USITE” computer labs
- Tour of Grouper
- USITE case study revisited
- Grouper project status
- Bonus round – personal groups
Fall 2004 I2MM

3 Groups facilitate …
- Customization: application UI tailored to the user’s affiliations with the organization
- Authorization
  - “Lightweight”: relationship information feeding access decisions
  - “Heavyweight”: assignment of structured privileges to groups
- Messaging, scheduling, and collaboration: departments, courses, programs, committees, teams, …
- POSIX naming services

4 Group management issues
- Coordinating many sources of information
- Provisioning groups in many locations
- Supporting several styles of access to group membership information
- Aging of groups and of memberships
- Use of subgroups vs. effective membership
- Referring to set-theoretic combinations of groups (compound groups)
- Privacy and visibility requirements

5 The USITE access problem
- Must control access to computers in labs independently of the ability to authenticate
- U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
- You’ll see “nsit” and “usite” in the names of things that follow

6 USITE access policy
- Students
  - 23 categories of current students
  - Some entitle USITE access, some disenfranchise, others fail to entitle
  - Time-of-year dependency for some categories
- Current faculty & staff are entitled
- Other, more loosely affiliated people are not entitled
- Exceptional administrative admits and denies across all categories above

7 Use of group management
- Various elemental USITE-related categories of people are modeled as groups
- Subgroups are used to roll up effective admit or deny status
- Some groups are automatically managed, others manually
- Some roll-up groups are manually managed to deal with time dependency or changes in access policy

8 Groups model for USITE access (ACL is “shaded green but not red”)
Diagram; only the node labels survive in the transcript:
- usite_eligible (manual)
- usite_barred (manual)
- admin_admit (manual)
- admin_deny (manual)
- uc:faculty (auto)
- uc:staff (auto)
- categories of barred students
- categories of entitled students
- time-dependent student categories

9 Management-related groups
- Management privileges for manually managed groups also need to be managed!
- So, more groups list who has what authority in managing the groups that mediate USITE access:
  - Director of Learning Environments
  - Lab Managers
  - Student staff

10 Data flow & Grouper’s role in USITE access
Diagram; only the component labels survive in the transcript: lab, SIS, HR, Loaders, Grouper API, Person registry, LDAP (sample entry: uid: jdoe; ucAffiliation: …; isMemberOf: …), Grouper UI, Group registry, Dir. Learning Environments, Lab Managers, Student staff.

11 Grouper groups
- Stored in an RDBMS, the Group Registry
- Attributes of groups: name, description, members
- Possible to extend the set of attributes to support groups with more specific purposes

12 Directory of groups
- Groups are created within a hierarchy of directories, like files within a computer’s directory system
- Directories are also named
- Sometimes you need to use the full name of a group, like the full pathname of a file. Example: /nsit/usite/admin_admit
- The directory delimiter can be configured for different effect. Example: nsit:usite:admin_admit

13 Grouper privileges
- Access privileges: who has what access (read, write) to a group’s attributes
- Naming privileges: who can create a group or subdirectory in what part of the directory of groups

14 Access privileges
- VIEW: the group’s name appears in lists and can be referred to, e.g., made a subgroup of another group
- READ: basic information about a group
- UPDATE: membership, and administer the VIEW, READ, & UPDATE privileges
- ADMIN: can modify everything, including group name, description, & privileges, and can delete the group
- OPTIN: can add self to the members list
- OPTOUT: can remove self from the members list

15 Naming privileges
- STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
  - Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege
- CREATE privilege: create a group in a given directory

16 Built-in privilege implementation
- All access & naming privileges can be assigned to individual members or to groups
- Subgroups, compound groups, and aging can be used to manage privileges
- Abstracted interfaces are presented for privilege management
- Sites can hook in their own privilege management and bypass Grouper’s built-in system

17 USITE revisited – Grouper’s role
- Make an “nsit:usite” directory in the group registry
- Groups created within it:
  - dir_learning_env, lab_managers, student_staff
  - usite_eligible, usite_barred
  - admin_admit, admin_deny
- Give stem privilege for “nsit:usite” to the Director of Learning Environments
  - She can run her groups empire within

18 USITE group access privileges (unqualified names in nsit:usite namespace)
Privilege abbreviations: A = ADMIN, U = UPDATE, V = VIEW, R = READ.
- usite_eligible: A: dir_learning_env; V,R: all
- usite_barred: A: dir_learning_env; V,R: all
- admin_admit: U: usite_manage; V,R: usite_view
- admin_deny: U: usite_manage; V,R: usite_view
- uc:faculty: V,R: all
- uc:staff: V,R: all
- categories of barred students (three groups): V: all
- categories of entitled students (two groups): V: all
- time-dependent student categories (four groups): V: all
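The subgroup roll-up (slides 4, 7 and 8), the “green but not red” compound decision (slide 8) and the access and naming privilege checks (slides 14 to 18) can be demonstrated together in one small model. The code below is an added example, not Grouper’s own code or API: the group names follow the talk, but the members, the composition of usite_manage and usite_view, the placement of admin_admit in the green set and admin_deny in the red set, the two sample student categories, and the rule that ADMIN covers every other access privilege are constructed assumptions.

```python
# Toy model of a Grouper-style group registry (constructed example, not Grouper code):
# subgroup roll-up, a "green but not red" compound access decision, and
# access/naming privilege checks where a privilege holder may be a group.
from dataclasses import dataclass, field

ALL = "all"  # sentinel holder meaning "every subject" (the V,R:all entries on slide 18)


@dataclass
class Group:
    name: str                                    # full name, e.g. "nsit:usite:admin_admit"
    members: set = field(default_factory=set)    # direct subject members
    subgroups: set = field(default_factory=set)  # names of groups that are members of this group
    privs: dict = field(default_factory=dict)    # privilege -> holders (subject ids, group names, ALL)


class Registry:
    def __init__(self):
        self.groups = {}      # full name -> Group
        self.stem_privs = {}  # stem (directory) name -> {privilege: holders}

    def add(self, *groups):
        for g in groups:
            self.groups[g.name] = g

    def effective_members(self, name, _seen=None):
        """Direct members plus the effective members of every subgroup (roll-up)."""
        seen = set() if _seen is None else _seen
        if name in seen:  # a group reached twice (or containing itself) adds nothing new
            return set()
        seen.add(name)
        g = self.groups[name]
        out = set(g.members)
        for sub in g.subgroups:
            out |= self.effective_members(sub, seen)
        return out

    def is_member(self, subject, name):
        return subject in self.effective_members(name)

    def holds(self, subject, holders):
        """True if holders include ALL, the subject itself, or a group the subject is effectively in."""
        if ALL in holders:
            return True
        return any(h == subject or (h in self.groups and self.is_member(subject, h)) for h in holders)

    def has_access(self, subject, group, priv):
        """Access privilege on a group; ADMIN is assumed to cover every other access privilege."""
        privs = self.groups[group].privs
        return self.holds(subject, privs.get("ADMIN", set())) or self.holds(subject, privs.get(priv, set()))

    def has_naming(self, subject, stem, priv):
        """CREATE is checked on the stem itself; STEM also on the parent stem, since STEM
        authority covers the directory and its immediate subdirectories (slide 15)."""
        stems = [stem]
        if priv == "STEM" and ":" in stem:
            stems.append(stem.rsplit(":", 1)[0])
        return any(self.holds(subject, self.stem_privs.get(s, {}).get(priv, set())) for s in stems)


# Assumed reading of slide 8: admit groups are "green", deny groups are "red".
GREEN = ["nsit:usite:usite_eligible", "nsit:usite:admin_admit", "uc:faculty", "uc:staff"]
RED = ["nsit:usite:usite_barred", "nsit:usite:admin_deny"]


def usite_access(reg, subject):
    """'Shaded green but not red': in at least one admit group and in no deny group."""
    in_green = any(reg.is_member(subject, g) for g in GREEN)
    in_red = any(reg.is_member(subject, g) for g in RED)
    return in_green and not in_red


def build_registry():
    """Constructed sample data; subjects and student categories are made up."""
    reg = Registry()
    manage = {"nsit:usite:usite_manage"}
    view = {"nsit:usite:usite_view"}
    director = {"nsit:usite:dir_learning_env"}
    reg.add(
        Group("uc:faculty", members={"asmith"}),
        Group("uc:staff", members={"director", "labmgr1", "student1"}),
        Group("uc:student:college", members={"jdoe", "bjones"}),  # an entitled category (assumed)
        Group("uc:student:visiting", members={"evans"}),          # a barred category (assumed)
        Group("nsit:usite:dir_learning_env", members={"director"}),
        Group("nsit:usite:lab_managers", members={"labmgr1"}),
        Group("nsit:usite:student_staff", members={"student1"}),
        Group("nsit:usite:usite_manage", subgroups={"nsit:usite:dir_learning_env", "nsit:usite:lab_managers"}),
        Group("nsit:usite:usite_view", subgroups={"nsit:usite:usite_manage", "nsit:usite:student_staff"}),
        Group("nsit:usite:usite_eligible", subgroups={"uc:student:college"},
              privs={"ADMIN": director, "VIEW": {ALL}, "READ": {ALL}}),
        Group("nsit:usite:usite_barred", subgroups={"uc:student:visiting"},
              privs={"ADMIN": director, "VIEW": {ALL}, "READ": {ALL}}),
        Group("nsit:usite:admin_admit", members={"cwong"},
              privs={"UPDATE": manage, "VIEW": view, "READ": view}),
        Group("nsit:usite:admin_deny", members={"bjones"},
              privs={"UPDATE": manage, "VIEW": view, "READ": view}),
    )
    reg.stem_privs["nsit:usite"] = {"STEM": director}  # slide 17: stem privilege to the Director
    return reg


if __name__ == "__main__":
    reg = build_registry()
    for who in ["jdoe", "bjones", "asmith", "cwong", "evans"]:
        print(who, "lab access:", usite_access(reg, who))
    print("labmgr1 may UPDATE admin_admit:", reg.has_access("labmgr1", "nsit:usite:admin_admit", "UPDATE"))
    print("director has STEM on nsit:usite:labs:", reg.has_naming("director", "nsit:usite:labs", "STEM"))
```

Note the deny-side handling: bjones is entitled through the usite_eligible roll-up but lands in admin_deny, so the set difference removes the access, which is the behaviour the “exceptional administrative denies across all categories” bullet on slide 6 asks for. The cycle guard in effective_members matters in practice because nothing in the model stops a manual roll-up group from being made a member of one of its own subgroups.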

19 USITE group management privileges (unqualified names in nsit:usite namespace)

20 Grouper v1 features
- API & UI for basic group management: create, read, update, delete, import, export
- Distributed management
- Subgroups & compound groups
- Aging of groups and memberships
- Abstracted interfaces for group and directory privileges
- Subject lookup
- Last activity

21 Phases of Grouper v1 development
- Phase 1: basic management and export functions
- Phase 2: compound groups & Signet integration
- Phase 3: aging of groups and memberships
- Phase 1 API available before end of year (2004, that is!)

22 Grouper deliverables
- U Chicago: Java API
- U Bristol: Java UI
- You: contributed loaders & connectors
- Subject Lookup implementation, jointly with the Signet project
- Group Registry creation scripts & sample batch import/export scripts
- Documentation

23 Grouper UI status
- Conceptual mock-up completed
- Modular design for look and feel
- Grouper & Signet UIs will “leave the factory floor” bearing an I2 family resemblance

24 Personal groups
- Any user can create groups named personal:username:groupname
- Good or evil?
  - Yeah! Low overhead to let everyone do groups
  - Booo! Valuable institutional data squirreled away in unknowable spaces that go away
- Configuration: on/off; root directory for the personal namespace (“personal” above)

25 Further info & participation
- MACE-Dir list
- MACE-Dir-groups conference calls
