Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April.

Published byAriana Limbrick Modified over 9 years ago

Similar presentations

Presentation on theme: "Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April."— Presentation transcript:

1 Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April 18, 2007

2 Overview It’s all about data structures –Attributes –Groups –Privileges –And other more exotic forms It’s all about data management –Databases, directories, people systems, and more –Signet manages complex permissions –Grouper manages complex groups

3 What’s an Attribute? Intuitively easy to answer –At least one name Sometimes more… –At least one value Sometimes more… –May be more structured Practically anything can be stuffed into an attribute, whether string or structure –Is this the right expression? –All parties need to understand it The data surrounding an attribute are as important as the attribute itself

4 What’s a Group? Intuitively easy to answer –A set of people Usually with common characteristics Representing groups is also understood –“Static” groups A group object represents the group and contains membership and other information –“Dynamic” groups If you have the secret attribute, you’re part of the group –One group can be represented both ways

5 What’s a Permission? Intuitively easy to answer –The right to perform some action on some resource Usually within a context Representing permissions is somewhat less understood Attribute-based access control hasn’t really taken off

6 XACML A rule consists of a triplet: subject, resource, action A policy is a set of rules and combinatorics Can be crammed into a SAML attribute or requested through its own protocol Version 2.0 ratified in March 2005 No interoperability event has been attempted Hasn’t been extremely popular

7 The Scope Experience Member Oops –Made interoperability with other systems much harder –No applications wanted to deal with this much structure Much less XML In retrospect, Member@testshib.org preferable

8 Sometimes it’s simple If a group can be represented as an attribute carried by a set of users… If a privilege can be represented as an attribute carried by a set of users… Thus, eduPersonEntitlement was born

9 But, sometimes it’s complex Overloading a string with too much information is worse –Whether or not a string is opaque can be a religious battle Some systems make good use of complex data structures

10 The chaos inside Think LDAP or relational database vs. data delivered to applications –They don’t want the user object or a database dump –But the DIT and triggers are extremely useful Manage your complex groups with Grouper Manage your permissions with Signet –Export them to LDAP, a RDBMS, Shibboleth, or other systems in your format of choice

11 Grouper Defines a “Groups Registry” –Centralized management of groups –Group math, group nesting, exclusion criteria –Hierarchical name-space (name stems & substems) –When you’re done, export the group to the systems that use or store it Can feed from existing group information Supports the creation of new groups –By schools, departments, and individuals! –Distributed/delegated model of control

12 Signet Brings privilege information together in one place -- a “Privilege Registry” –Central granting, can apply across multiple systems –Central reporting, history, auditing, review –Accessible to managers and holders of privileges Independent of specific vendors, systems, releases or technologies Distributed/delegated model of control

13 Enough talk Example time -- and this time you can help http://signet-demo.stanford.edu Super-user: demo/signet Other users: username/signet –tbarton/signet –lmcrae/signet

14 Privilege Elements by Example By authority of the Dean grantor principal investigators grantee (group/role) who have completed training prerequisite can approve purchases function in the School of Medicine scope for research projects resource up to $100,000 limit until January 1, 2007 as long as a faculty member at… conditions PrivilegeLifecycle

15 Configuring Signet XML configuration files: –subsystem.xml Defines the set of permissions, limits, etc. that exist –tree.xml Defines the structure of trees and scopes –users.xml Creates user data if you don’t have it already Database of your choice provides the real backend –SQL scripts to create Signet tables are provided for most major databases

16 Configuring Grouper Mix of manual and automation processes manage a common Groups Registry –Stored in an RDBMS –Information provisioned from here to enterprise data stores Opt-in and opt-out supported –People can, subject to policy, change their own memberships

17 Composite Groups Composite group membership is computed dynamically –A = B U C union –A = B ∩ C intersection –A = B – C relative complement Common use – “tweak” existing groups –Whitelist or blacklist factored in to another group

18 Exporting from Grouper API XML Import/Export Tool –Snapshots Groups Registry, including naming stems and privileges A single group All subordinate to a specified naming stem All matching a search condition Entire Registry LDAP Provisioning Connector

19 Federating Permissions & Groups The really big question: how do you knit together groups and permissions across realms? –Is it sufficient to just assert common attribute values? –Use common privilege definition metadata? –Integrate systems at a deeper layer than just attribute & metadata exchange? Does the virtual organization (VO) / IdP proxy model address this problem?

Download ppt "Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April."

Similar presentations

Centralized Application Permissions Privilege Management Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill.

Centralized Application Permissions Privilege Management Nate Klingenstein 30 January 2007 OGF 19 Chapel Hill.
EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.

EduPerson and Federated K-12 Activities InCommon/Quilts Pilot Group February 27, 2014 Keith Hazelton UW-Madison, InCommon/I2.
Kantara: From IRM to Context. The World of Access Keeps Expanding App sourcing and hosting User populations App access channels SasS apps Apps in public.

Kantara: From IRM to Context. The World of Access Keeps Expanding App sourcing and hosting User populations App access channels SasS apps Apps in public.
Managing Authorization with Signet and Grouper Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn.

Managing Authorization with Signet and Grouper Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn.
Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.

Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.
A Middleware Unified Field Theory Identity Management / Directories Privileges / Groups Single Sign-On / Federation Enterprise Integration from network.

A Middleware Unified Field Theory Identity Management / Directories Privileges / Groups Single Sign-On / Federation Enterprise Integration from network.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Handling Groups and Permissions: Grouper and Signet and uPortal Lynn McRae, Stanford University Keith Hazelton, University of Wisconsin With thanks to.

Handling Groups and Permissions: Grouper and Signet and uPortal Lynn McRae, Stanford University Keith Hazelton, University of Wisconsin With thanks to.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Chapter 7 WORKING WITH GROUPS.

Chapter 7 WORKING WITH GROUPS.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.

Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.

A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.

Combining KMIP and XACML. What is XACML? XML language for access control Coarse or fine-grained Extremely powerful evaluation logic Ability to use any.
Signet and Grouper for Distributed Attribute Administration

Signet and Grouper for Distributed Attribute Administration
Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University.

Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University.
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Similar presentations

Ads by Google