Presentation is loading. Please wait.

Presentation is loading. Please wait.

Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University.

Published byEdmund Cain Modified over 8 years ago

Similar presentations

Presentation on theme: "Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University."— Presentation transcript:

1

2 Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn McRae, Stanford University Internet2 Spring Members Meeting, April 26, 2006

3 2 Groups and Roles Roles and Groups Who someone is (identity) People sharing a common trait, e.g., rank or privilege Roles -- you know it when you see it Institutional role, e.g., faculty, Dean Departmental roles, e.g., chair, admin Professional role, e.g., mathematician, buyer Project role, e.g., analyst, engineer Groups Any collection of people, role-holders or not? Depends on how you name it? Role vs group is not what matters

4 3 Groups and Privileges Two categories of information are used in making access control decisions Who you are aka “roles” cf RBAC What you can do aka “privileges” cf “value-based authority” Both types of information are conveyed through attributes about a person Grouper and Signet are tools that let you enrich descriptive attributes about people in both ways

5 4 Grouper Middleware software/toolkit User access through a common UI Program access through a common API Defines a “Groups Registry” Brings scattered duplicative groups together for re-use Allows useful actions on these groups -- group math, group nesting, exclusion criteria Hierarchical name-space (name stems & substems) Can leverage existing group information Supports the creation of new groups By schools, departments, and individuals! Distributed/delegated model of control

6 5 Signet Middleware software/toolkit User access through a common UI Program access through a common API Brings privilege information together in one place -- a “Privilege Registry” Central granting, can apply across multiple systems Central reporting, history, auditing, review Accessible to managers AND holders of privileges Independent of specific vendors, systems, releases or technologies Distributed/delegated model of control

7 6 Relative Roles of Signet & Grouper Grouper Signet RBAC model Users are placed into groups Grouper allows local creation and management of group membership Privileges can then be assigned to groups Signet manages privileges to groups (as well as to individuals) Both “role” and privilege information can be leveraged by systems

8 7 Access Control Decision Q: Subject + Resource + Action + Context Subject = who wants to take an action, typically a person Resource = what is the action against, e.g., file, building, data, service, etc. Action = what they want to do, e.g., view, modify, enter, approve, run, etc. Context = time of day, academic term, weather, etc. A: Policy interpretation and decision, e.g. Resource and action are available to a group, e.g., Faculty at MIT, Students in a class Available to anyone with “entitlement” for the service

9 8 Access Control Decision Identity Provider Service Provider Rules auth’d Subject tries to access resource Provider evaluates required identity attributes against rules for resource Provider grants or denies access

10 9 Palace Access M (MUSKETEER) Who are you? What can you do? organization=RoyalCourt affiliation=musketeer permission=palace_access

11 10 Identity & Access Management Each person’s online activities are shaped by many Sources of Authority Institutional policy making bodies Resource managers Program/activity heads Self Management of the information it conveys should be distributed Hook up all of those Sources of Authority to the middleware Common middleware infrastructure should be operated centrally Departments/programs/activities should not have to build their own core middleware

12 11 Big picture

13 12 Big picture, without Grouper/Signet

14 13 allow BIO_X allow BIO_X WIKI define BIO_X WIKI define BIO_X allow BioX allow BioX Email Lists define BioX Email Lists define BioX “Groups is good” Identity Management Affiliation: faculty Dept: Biology What about my team? …my project? …my senior staff? The Boss HR allow Bio-X allow Bio-X Calendar define Bio-X Calendar define Bio-X

15 14 Departmental & other local groups Identity Management Affiliation: faculty Dept: Biology The Boss Grouper biology:bio-x biology:bio-x:admin biology:bio-x:staff HR allow Bio-X allow Bio-X WIKI allow Bio-X allow Bio-X Email Lists Email Lists allow Bio-X allow Bio-X Calendar

16 15 Filling the gap Identity Management Affiliation: faculty Instructor: CS-313 The Professor What about my TAs? … my auditors? … extensions/makeup? HR SIS Courses SIS Courses Shib Allow CS-313 Allow CS-313 CourseWare CS-313 grades CourseWare CS-313 grades allow CS teaching allow CS teaching Library CompSci resources Library CompSci resources allow CS affiliates External Partner External Partner

17 16 Extending Course infrastructure Identity Management Affiliation: faculty Instructor: CS-313 The Professor Grouper Class:CS-313:TA isMemberOf: CS-313 U = HR SIS Courses SIS Courses Shib Allow CS-313 Allow CS-313 CourseWare CS-313 grades CourseWare CS-313 grades allow CS teaching allow CS teaching Library CompSci resources Library CompSci resources allow CS affiliates External Partner External Partner

18 17 Course Ware Course Ware Extending Course infrastructure Identity Management Affiliation: faculty The Professor Grouper class:CS-313:TA isMember: CS-313 U = faculty: CS-313 SIS Courses SIS Courses HR Shib allow CS-313 allow CS-313 CourseWare CS-313 grades CourseWare CS-313 grades allow CS teaching allow CS teaching Library CompSci resources Library CompSci resources allow CS affiliates External Partner External Partner

19 18 Guest IDs Guest IDs Creating new identity Identity Management Affiliation: ??? Sib Rula Lenska “Friends are here from Europe!” faculty, staff, student guest faculty, staff, student guest Athletic Facilities Athletic Facilities staff, guest staff, guest Printing student, guest student, guest Black board Black board

20 19 Creating new identity Identity Management Affiliation: guest Sib Rula Lenska Grouper guestids:admin guestids:guests Signet printing(max100) blackboard(music103) athletic(gym,after5) effective date expiration date Guest IDs Guest IDs faculty, staff, student guest faculty, staff, student guest Athletic Facilities Athletic Facilities staff, guest staff, guest Printing student, guest student, guest Black board Black board

21 20 Finance Distributing control of authority A.Greenspan “Unless the situation is reversed, these …trends will cause serious economic disruptions” phone email ticket Identity Management Affiliation: staff who can view who can view Reporting who can approve who can approve Reimburse- ments Reimburse- ments who can spend who can spend Requisitions

22 21 Depts Distributing control of authority Identity Management Affiliation: staff A.Greenspan Grouper Signet school:dept1 (view,all) B.Bernake school:dept2 (approve,1472,$100) Accounts Scope while staff Finance who can view who can view Reporting who can approve who can approve Reimburse- ments Reimburse- ments who can spend who can spend Requisitions

23 22 Distributing control of authority Identity Management Affiliation: staff A.Greenspan Grouper school:dept school Signet school:dept1 (view,all) school:dept:unit scope school:dept2 (approve,1472,$100) B.Bernake while staff Finance who can view who can view Reporting who can approve who can approve Reimburse- ments Reimburse- ments who can spend who can spend Requisitions

24 23 The duck test… Grouper Binary info – you’re either in some list or not Locally tweak or combine other groups Identification layer of an encompassing access management scheme Identity- or affiliation- based access control or distribution Signet Structured, qualified info – limits, conditions, scope, … Assignments to individuals as well as groups Delegation and chain of authority essential for access decisions Enable functional, not just technical, people to manage privileges Supports policy control closer to source of authority Audit requirements

25 24 Consider Signet when … Complex group intersections and hierarchies become cumbersome Difficult to track who has what and when Can’t easily move people; need to delete/add Implementation of related access rules is scattered across systems different procedures, different contacts, managing changes across areas, over time You need to coordinate policy, privileges and audit activities across systems

26 25 Signet & Grouper Overview

27 26 Grouper Overview Mix of manual and automation processes manage a common Groups Registry Stored in an RDBMS Automation processes provision info from the Groups Registry into LDAP, AD, directly into application- specific databases, wherever the value of the info warrants spending the resources to place it there Two types of managed objects: groups and naming stems Groups are created & named with a naming stem Group management authority is delegatable By group or by naming stem

28 27 Grouper Groups Any “subject” can be a group member or privilegee Persons, groups, site-defined subject types Uses Subject API developed by Grouper+Signet teams Subgroups (now), composite groups (v1.0), and aging (v1.1) of groups and memberships Privileges ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT Group attribute set can be site-extended

29 28 Naming Stems Groups are created with naming stems Limits the authority to create and name groups Support distinct activities with own authority Naming stems can be arranged hierarchically eg, uc, uc:nsit, uc:nsit:labs Privileges STEM Create subordinate naming stems Assign privs for this naming stem CREATE – create groups with this naming stem

30 29 Composite Groups Membership is defined by composing the memberships of 2 other groups A = B U C union A = B ∩ C intersection A = B – C relative complement Common use – “tweak” existing groups Whitelist or blacklist factored in to another group

31 30 Example: Computer Cluster Access nsit:labs:eligible (manual) nsit:labs:whitelist (manual) uc:faculty (auto) uc:staff (auto) categories of entitled students (auto) time dependent student categories (auto) nsit:labs:blacklist (manual) categories of barred students (auto) nsit:labs:barred (manual) Allow access if in (nsit:labs:eligible – nsit:labs:barred)

32 31 Systems Integration API XML Import/Export Tool Snapshots Groups Registry, including naming stems and privileges A single group All subordinate to a specified naming stem All matching a search condition Entire Registry

33 32 Signet Overview Analysts define privileges in functional terms and specify associated system-level permissions Signet presents this functional view in a Web UI where users assign privileges & delegate authority across all areas in which they have authority Signet internally maps assigned privileges into system-specific terms needed by applications Privileges are exported, transformed, & provisioned into applications and infrastructure services Signet provides automated lifecycle controls

34 33 Privileges Building Blocks Functional view Subsystems Categories Functions Scope, Limits Prerequisites & Conditions System view Permissions Subject Action Resource

35 34 Functional View Subsystems contain… Limits Qualifiers, constraints for a privilege Scope Organizational hierarchy governing distributed delegation Functions The things a person can do; what they are getting privileges for Categories Provide useful arrangement of functions within a subsystem; for reporting, ease of use

36 35 Functional View Categories Functions Subsystems Clinical Trial Protocol A Patient Records Materials Control Manage Grant Lab Access Admin Student Admin Course Support Add/Drop students Schedule Classes Process Applicants Award Scholarships Manage Accounts Financial Aid Limits Which term From Fund… Read/Write Hours For school… For fund… Which campus Qty/day $ constraints organizing actions

37 36 Systems View Permissions Atomic units of control that map to specific access rules in systems Includes limits that must be evaluated when interpreting permissions Resources The target of a specific privilege; things that have access rules to control their use

38 37 Functional View  Permissions Resources/Permissions Student Admin Functional View Course Support Add/Drop students Schedule Classes Process Applicants Award Scholarships Manage Accounts Financial Aid reserve_time view_schedules student_records applicant_data view_fund_data update_fund_data update_course_data reserve_room Calendar Course Facilities Financial Student categoriesfunctions

39 38 API Permissions document XML representation of privileges for an individual or group Will be compatible with XACML Systems Integration

40 39 Privileges Lifecycle Conditions Provides automatic revocation of privileges Date controls -- from date, until date Will be based on person’s status, affiliation, etc. e.g., as long as person is at Stanford Prerequisites Pre-conditions that must be met to activate privileges e.g., training

41 40 Other features Assignments can be To an individual To a Group With/without ability to further delegate Distributed delegation using organizational hierarchy Records “chain of command ” Proxy assignment Temporary granting of one’s privilege to another

42 41 Privilege Elements by Example By authority of the Dean grantor principal investigators grantee (group/role) who have completed training prerequisite can approve purchases function in the School of Medicine scope for research projects resource up to $100,000 limit until January 1, 2007 as long as a faculty member at … conditions Privilege Lifecycle

43 42 Generic Integration Architecture

44 43 Further Integration Tasks Automated loading of groups & privileges Authentication service Application-specific integration capabilities Site-specific LDAP schema Authoring/maintaining subsystem metadata Solution requisites Which groups should be made available to the calendaring, email list, & wiki systems? The Boss may need an automatic grant of a Signet privilege to manage his wiki space Implementing service policies – Grouper naming stems & privileges or Signet privileges

45 44 Subject API: Site IAM Integration Requirements Subject - a person, group, application, or other type of object whose identity is managed by your IAM system Abstract the underlying technology and data model from a relying application Enable identifier namespaces to be selected to match application needs Username vs. opaque registryID vs. … Scenarios Map authenticated user to internal security principal Reference/search objects within application

46 45 Subject API: Integration with Site’s IAM

47 46 Source Adapter Configuration Name the source & specify connection details Name the type or types of subjects residing there Identify attributes/columns distinguished as “subjectID”, “name” and “description” Specify back-end-specific searches for each type and each search method Select Search by identifier Search Sites should make consistent assignment of source and type names across all source adapter instances They are persisted by Subject API clients

48 47 Signet & Grouper Roadmaps Now available Grouper v0.9. UI & API source release Signet 1.0. UI, binary release Subject API v0.1b Signet Roadmap v1.1, ? 2006 – full API source release v1.2, ? 2006, – rules processor Grouper Roadmap v1.0, May 2006 – group math v1.1, ? 2006 – group & membership aging Subject API v1.0, ? 2006 – minor changes, updates to reference implementations

49 48 Resources & Participation Grouper team: University of Chicago & University of Bristol http://grouper.internet2.edu Signet team: Stanford University http://signet.internet2.edu Internet2 Middleware Initiative http://middleware.internet2.edu/ Documents, software, cvs Details for subscribing to mailing lists Conference call agendas & dialing instructions

Download ppt "Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University."

Similar presentations

EzScoreboard.com A Fully Integrated Administration Service.

EzScoreboard.com A Fully Integrated Administration Service.
DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.

DIGIDOC A web based tool to Manage Documents. System Overview DigiDoc is a web-based customizable, integrated solution for Business Process Management.
Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April.

Managing Roles & Privileges with Grouper and Signet Middleware Nate Klingenstein (some words stolen from Tom Barton & Lynn Mcrae) Helsinki EuroCAMP, April.
Managing Authorization with Signet and Grouper Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn.

Managing Authorization with Signet and Grouper Tom Barton, University of Chicago Lynn McRae, Stanford University Tom Barton, University of Chicago Lynn.
Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.

Integration Technologies for Grouper & Signet Tom Barton, U Chicago Joy Veronneau, Cornell Gary Brown, U Bristol Lynn McRae, Stanford.
Lynn McRae Stanford University Lynn McRae Stanford University Stanford Authority Manager Privilege management use.

Lynn McRae Stanford University Lynn McRae Stanford University Stanford Authority Manager Privilege management use.
CAMP: Building a Distributed Access Management Infrastructure Lynn McRae, Stanford University Denver, Nov 7-9, 2006.

CAMP: Building a Distributed Access Management Infrastructure Lynn McRae, Stanford University Denver, Nov 7-9, 2006.
Leveraging Campus Directories: Lightweight Authorization and Group Management Keith Hazelton University of Wisconsin-Madison.

Leveraging Campus Directories: Lightweight Authorization and Group Management Keith Hazelton University of Wisconsin-Madison.
Internet2 MACE Identity and Access Management (IAM) Projects integ-tb-kh-02.ppt Keith Hazelton, U Wisconsin With help.

Internet2 MACE Identity and Access Management (IAM) Projects integ-tb-kh-02.ppt Keith Hazelton, U Wisconsin With help.
Seton Hall University Banner Project – June 2007 Update Banner Project Update to the Finance Committee of the Board of Regents June 6, 2007 Stephen Landry,

Seton Hall University Banner Project – June 2007 Update Banner Project Update to the Finance Committee of the Board of Regents June 6, 2007 Stephen Landry,
Handling Groups and Permissions: Grouper and Signet and uPortal Lynn McRae, Stanford University Keith Hazelton, University of Wisconsin With thanks to.

Handling Groups and Permissions: Grouper and Signet and uPortal Lynn McRae, Stanford University Keith Hazelton, University of Wisconsin With thanks to.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.

Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,
Understanding Active Directory

Understanding Active Directory
Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.

Introduction to Group Management Tom Barton, Blair Christensen University of Chicago.
A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.

A Model for Enterprise Group and Affiliation Management RL “Bob” Morgan University of Washington CAMP, June 2005.
Signet and Grouper for Distributed Attribute Administration

Signet and Grouper for Distributed Attribute Administration
Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Authorization Scenarios with Signet RL “Bob” Morgan University of Washington Internet2 Member Meeting, September 2004.

Similar presentations

Ads by Google