
1 Access Management with Grouper. Tom Barton, University of Chicago.

2 Why?
- Lower cost by factoring access management out
- Simplify & make consistent by using one group in many places
- Let the right people manage access, directly
- See who can access what, in one place

3 Grouper: core concepts
- Folders in hierarchies
- Group: direct members
- Subgroup: indirect members
- Composite groups
- Custom attributes

4 Security & delegation
Folder privileges:
- Create groups
- Create subfolders
Group privileges:
- Admin
- Update membership
- Read membership
- View group
- Opt-in
- Opt-out
Delegation: privileges are granted per group and per folder, so each can be administered by a different authority.

5 Grouper integration (diagram)

6 EXAMPLES

8 Memberships become LDAP attributes

LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu (the values highlighted on the slide were uc:org:nsit:srdirs, uc:reference:affiliations:effective:staff and uc:applications:vpn:authorized):

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucIsMemberOf: uc:org:nsit:integration:techag
ucIsMemberOf: uc:org:nsit:srdirs
ucIsMemberOf: uc:org:nsit:integration:iteco:wr
ucIsMemberOf: uc:applications:confluence:NSIT:esx
ucIsMemberOf: uc:org:nsit:integration:iteco:rd
ucIsMemberOf: uc:applications:confluence:NSIT:Directors
ucIsMemberOf: uc:org:nsit:staff
ucIsMemberOf: uc:applications:confluence:NSIT:Everyone
ucIsMemberOf: uc:org:nsit:integration:shib_group
ucIsMemberOf: uc:applications:bulkmail:users
ucIsMemberOf: uc:org:library:gnet:admins
ucIsMemberOf: uc:applications:gnetid:admins
ucIsMemberOf: uc:applications:wireless:authorized
ucIsMemberOf: uc:applications:cmail:users:authorized
ucIsMemberOf: uc:reference:affiliations:effective:staff
ucIsMemberOf: uc:applications:vpn:authorized
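An added example (not code from the slides or from the Grouper project) of what an application does with such an entry: parse the LDIF, collect the ucIsMemberOf values, and decide VPN access by an exact match on the full group name. The sample entry is constructed for the example, the attribute name is assumed to be ucIsMemberOf as on the slide, and the substring-matching function is included only to show the mistake it makes: a membership in uc:org:nsit:staff would satisfy a check for "uc:org:nsit", which is a folder, not a group.

```python
"""Read group memberships from an LDAP entry's ucIsMemberOf values and make an
application authorization decision. Hypothetical code, not Grouper's."""

# Constructed LDIF entry modelled on the slide; values are illustrative.
# The last value is split over an LDIF continuation line (leading space).
SAMPLE_LDIF = """\
dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucIsMemberOf: uc:org:nsit:srdirs
ucIsMemberOf: uc:org:nsit:staff
ucIsMemberOf: uc:applications:wireless:authorized
ucIsMemberOf: uc:applications:vpn:authorized
ucIsMemberOf: uc:reference:affiliations:effective:staff
ucIsMemberOf: uc:applications:cmail:users:
 authorized
"""

MEMBER_ATTR = "ucismemberof"  # LDAP attribute names are case-insensitive


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name_lowercase: [values]}.

    Handles 'attr: value' lines and continuation lines (a leading space joins
    the line to the previous one). Base64 values ('attr:: ...') are rejected
    rather than silently misread as group names."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):
            raise ValueError(f"base64 value not supported for {name}")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def memberships(entry):
    """Set of Grouper group names carried by the entry."""
    return set(entry.get(MEMBER_ATTR, []))


def is_member(entry, group_name):
    """Safe check: the full group name must match exactly."""
    return group_name in memberships(entry)


def is_member_by_substring(entry, group_name):
    """Unsafe check, shown only to illustrate the pitfall: a substring or prefix
    match treats membership in any group under a folder, or in any group whose
    name merely contains the string, as membership in the group asked about."""
    return any(group_name in m for m in memberships(entry))


def vpn_decision(ldif_text):
    """Application-side decision: VPN access iff the user is in the authorized group."""
    return is_member(parse_ldif_entry(ldif_text), "uc:applications:vpn:authorized")
```

The attribute is the provisioning contract between Grouper and the application: the application should compare whole group names and never derive authorization from a name prefix, a folder name, or a partial match.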

9 U Chicago: simple delegation
- Wireless & VPN
- Guest network
- ID management
- Business Objects access
- Different groups, different authorities
Diagram: authorized = eligible minus unauthorized (a composite complement group); the labels on the diagram are student, staff, alum, hospital, postdoc, closure and locked.
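An added example, not from the slides or from Grouper itself, that models the core concepts of slide 3 and the VPN diagram above in working code: direct members, indirect members through subgroups, composite groups (union, intersection, complement) and per-group update/admin privileges that let different authorities manage different groups. It reads the diagram as eligible = the affiliation groups student, staff, alum, hospital and postdoc, and unauthorized = closure and locked; the group names, subject ids and privilege holders (sis_feed, vpn_admin, vpn_gateway) are assumptions made for the example.

```python
"""A small model of Grouper group semantics applied to the U Chicago VPN case.
Hypothetical code, not Grouper's implementation."""

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    direct: set = field(default_factory=set)        # subject ids added directly
    subgroups: set = field(default_factory=set)     # names of groups that are members
    composite: tuple = None                         # ("union"|"intersection"|"complement", left, right)
    privileges: dict = field(default_factory=dict)  # privilege name -> set of subject ids


class Registry:
    def __init__(self):
        self.groups = {}

    def add(self, group):
        self.groups[group.name] = group
        return group

    def members(self, name, _path=()):
        """Effective membership: direct plus indirect members, or the composite result."""
        if name in _path:
            raise ValueError("subgroup cycle: " + " -> ".join(_path + (name,)))
        group = self.groups[name]
        path = _path + (name,)
        if group.composite:
            op, left, right = group.composite
            lhs, rhs = self.members(left, path), self.members(right, path)
            return {"union": lhs | rhs, "intersection": lhs & rhs, "complement": lhs - rhs}[op]
        result = set(group.direct)
        for sub in group.subgroups:
            result |= self.members(sub, path)
        return result

    def can(self, subject, privilege, name):
        """Privilege check on one group; admin implies every other group privilege."""
        privs = self.groups[name].privileges
        return subject in privs.get("admin", set()) or subject in privs.get(privilege, set())

    def add_member(self, actor, name, subject):
        """Delegated membership change: only holders of update (or admin) on that group."""
        if not self.can(actor, "update", name):
            raise PermissionError(f"{actor} lacks update on {name}")
        if self.groups[name].composite:
            raise ValueError(f"{name} is composite; change its factor groups instead")
        self.groups[name].direct.add(subject)


AFFILIATIONS = ("student", "staff", "alum", "hospital", "postdoc")


def build_vpn_example():
    """Reconstructs the diagram: authorized = eligible minus unauthorized.
    Subject ids and privilege holders are constructed for the example."""
    reg = Registry()
    for a in AFFILIATIONS:
        # the student/HR feed owns the affiliation groups; VPN staff cannot edit them
        reg.add(Group(f"uc:reference:affiliations:{a}", privileges={"update": {"sis_feed"}}))
    for block in ("closure", "locked"):
        # VPN administrators own the two "unauthorized" groups
        reg.add(Group(f"uc:applications:vpn:{block}", privileges={"update": {"vpn_admin"}}))
    reg.add(Group("uc:applications:vpn:eligible",
                  subgroups={f"uc:reference:affiliations:{a}" for a in AFFILIATIONS}))
    reg.add(Group("uc:applications:vpn:unauthorized",
                  subgroups={"uc:applications:vpn:closure", "uc:applications:vpn:locked"}))
    reg.add(Group("uc:applications:vpn:authorized",
                  composite=("complement", "uc:applications:vpn:eligible",
                             "uc:applications:vpn:unauthorized"),
                  privileges={"read": {"vpn_gateway"}, "admin": {"vpn_admin"}}))
    reg.add_member("sis_feed", "uc:reference:affiliations:student", "alice")
    reg.add_member("sis_feed", "uc:reference:affiliations:staff", "bob")
    reg.add_member("vpn_admin", "uc:applications:vpn:locked", "bob")  # bob's account is locked
    return reg


def vpn_authorized(reg):
    return reg.members("uc:applications:vpn:authorized")
```

The point of the complement group is that the VPN team never touches the affiliation groups and the registrar feed never touches the VPN block lists; each authority edits only the factor group it holds update on, and the effective membership is computed.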

10 Brown: Managing Access to Course Resources

Table (flattened in the transcript; the cell-to-column mapping is not recoverable): MACE Grouper course groups mapped to roles in iTunes, Majordomo, Confluence and WebCT.
Course groups: All; Instructors (provisioned); Instructor Managers; TAs; Content Developers; Mentors; Auditors; Students (provisioned, read only); Vagabonds; Other, outside MACE Grouper.
Application roles appearing in the table: Recipient list, Discussion Sender, Can Use, Administrator, Instructor, Broadcast Sender, Space Admin, TA and Designer, Contributor, Designer, Learner, Student, Auditor, Super Admin, Super Admin(s).


12 NIH's Cancer BioInformatics Grid

13 NEW IN V1.5.0: just released; some capabilities are partial or "experimental".

14 Lite UI
- AJAX components for simple end-user tasks
- URL links directly to a group
- Integrated within the Grouper UI webapp; two entry points: Admin UI & Lite UI
- Admin UI uses the new components too
- More Lite UIs may be contributed by deployers

15 Performance

16 Audit
- Who did what, when: add/delete/update of memberships, groups, folders and Grouper privileges; attribute definition & assignment; XML import; move/copy of a group or folder
- Audit reporting via Grouper Admin UI & Grouper Shell

17 Move & copy
- Copy/move groups and folders to another folder
- Why? Template groups & template folders; updating organizational hierarchies
- Old group name optionally continues to refer to the moved group
- Supported by Grouper Admin UI & Grouper Shell (Grouper-WS soon)

18 Notification
- Near-real-time provisioning of group info
- Group, membership, folder and privilege changes, serialized and provided to registered consumers
- SQL & API access to transactions
- LDAP provisioning connector will use it in v1.5.1
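An added example, not from the slides or from Grouper, of what a registered consumer of such a serialized change log has to get right: apply entries in sequence order, apply each exactly once, checkpoint only after a successful apply so a crash can be resumed, and refuse to advance across a gap in sequence numbers (a lost change means the target silently drifts, so a full resync is the safe response). The entry format, change types and the in-memory directory standing in for LDAP are constructed for the example and are not Grouper's change-log schema or its LDAP connector.

```python
"""A change-log consumer that provisions group memberships into a stand-in
directory. Constructed entry format; not Grouper's change-log schema."""

# Constructed change-log entries, in commit order; membership values are illustrative.
CHANGE_LOG = [
    {"seq": 1, "type": "MEMBERSHIP_ADD", "group": "uc:applications:vpn:authorized", "subject": "uid=alice"},
    {"seq": 2, "type": "MEMBERSHIP_ADD", "group": "uc:applications:vpn:authorized", "subject": "uid=bob"},
    {"seq": 3, "type": "MEMBERSHIP_ADD", "group": "uc:org:nsit:staff", "subject": "uid=bob"},
    {"seq": 4, "type": "MEMBERSHIP_DELETE", "group": "uc:applications:vpn:authorized", "subject": "uid=alice"},
    {"seq": 5, "type": "GROUP_DELETE", "group": "uc:org:nsit:staff"},
]


class DirectoryStandIn:
    """Stands in for the LDAP target: subject -> set of ucIsMemberOf values."""

    def __init__(self):
        self.entries = {}

    def add(self, subject, group):
        self.entries.setdefault(subject, set()).add(group)

    def remove(self, subject, group):
        self.entries.get(subject, set()).discard(group)

    def drop_group(self, group):
        for groups in self.entries.values():
            groups.discard(group)


class ChangeLogConsumer:
    """Applies entries in sequence order, exactly once, and refuses gaps.

    last_seq is the consumer's checkpoint. It advances only after an entry has
    been applied, so a crash mid-batch is repaired by re-reading from the
    checkpoint; re-delivered entries at or below it are skipped, not re-applied."""

    def __init__(self, target, last_seq=0):
        self.target = target
        self.last_seq = last_seq

    def process(self, entries):
        applied = 0
        for entry in sorted(entries, key=lambda e: e["seq"]):
            if entry["seq"] <= self.last_seq:
                continue                        # already provisioned
            if entry["seq"] != self.last_seq + 1:
                raise RuntimeError(f"gap after seq {self.last_seq}; full resync required")
            self._apply(entry)
            self.last_seq = entry["seq"]        # checkpoint only after a successful apply
            applied += 1
        return applied

    def _apply(self, e):
        if e["type"] == "MEMBERSHIP_ADD":
            self.target.add(e["subject"], e["group"])
        elif e["type"] == "MEMBERSHIP_DELETE":
            self.target.remove(e["subject"], e["group"])
        elif e["type"] == "GROUP_DELETE":
            self.target.drop_group(e["group"])
        else:
            raise RuntimeError(f"unknown change type {e['type']!r}")


def provision_all(entries=CHANGE_LOG):
    """Run the whole log against an empty directory and return its final state."""
    target = DirectoryStandIn()
    ChangeLogConsumer(target).process(entries)
    return {s: sorted(g) for s, g in target.entries.items()}
```

In a real deployment the checkpoint is persisted alongside the target so that consumer and directory cannot disagree about which change was last applied.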

19 Attribute framework
- Assign custom attributes to principal Grouper objects: groups, folders, memberships, attributes
- Will have several value types, multi-valued attributes, etc.; only an enumerated type in 1.5.0
- Attributes are objects in folders, like groups, and their security model is similar to that of groups

20 Roles & permissions
- Role extends Group; links subjects with permissions
- Permission is a type of attribute assigned to a role or to a membership in a role
- Has an action qualifier, e.g. Read or Write
- Permission sets, e.g. organizational hierarchies: superior roles inherit subordinate permissions
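An added example, not from the slides or from Grouper, showing the model on this slide as working code: a role is a group of subjects; a permission is a (resource, action) pair assigned either to the role or to one subject's membership in the role; and a permission set arranges roles in a hierarchy in which a superior role inherits every permission of the roles below it. The organizational hierarchy (dean above chair above faculty), the resources and the subjects are constructed for the example; treating membership-level permissions as specific to that subject and not inherited by superior roles is this example's choice.

```python
"""Roles as groups that carry permissions with an action qualifier, and
inheritance up an organizational hierarchy. Hypothetical code illustrating
the slide's model, not Grouper's implementation."""

from collections import defaultdict


class RoleStore:
    def __init__(self):
        self.members = defaultdict(set)           # role -> subject ids (a role is a group)
        self.subordinates = defaultdict(set)      # superior role -> roles beneath it
        self.role_perms = defaultdict(set)        # role -> {(resource, action)}
        self.membership_perms = defaultdict(set)  # (role, subject) -> {(resource, action)}

    def add_member(self, role, subject):
        self.members[role].add(subject)

    def set_superior(self, superior, subordinate):
        """Permission set edge: 'superior' inherits everything assigned to 'subordinate'."""
        self.subordinates[superior].add(subordinate)
        if superior in self.roles_below(subordinate):
            self.subordinates[superior].discard(subordinate)
            raise ValueError(f"cycle: {subordinate} is already above {superior}")

    def roles_below(self, role):
        """The role itself plus every subordinate role, transitively."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.subordinates[r])
        return seen

    def assign(self, role, resource, action, subject=None):
        """Permission = attribute with an action qualifier, on the role itself or
        on one subject's membership in the role."""
        if subject is None:
            self.role_perms[role].add((resource, action))
        elif subject in self.members[role]:
            self.membership_perms[(role, subject)].add((resource, action))
        else:
            raise ValueError(f"{subject} is not a member of {role}")

    def permissions(self, subject):
        """Effective permissions: for every role the subject is in, the role's own
        permissions plus those of all roles below it, plus the subject's
        membership-level permissions (not inherited upward in this example)."""
        perms = set()
        for role, subjects in list(self.members.items()):
            if subject not in subjects:
                continue
            for r in self.roles_below(role):
                perms |= self.role_perms[r]
            perms |= self.membership_perms[(role, subject)]
        return perms

    def permitted(self, subject, resource, action):
        """Exact action match: Write does not imply Read unless both are assigned."""
        return (resource, action) in self.permissions(subject)


def build_org_example():
    """Constructed organizational hierarchy: dean above chair above faculty."""
    rs = RoleStore()
    rs.set_superior("dean", "chair")
    rs.set_superior("chair", "faculty")
    rs.assign("faculty", "grades", "Read")
    rs.assign("chair", "dept_budget", "Write")
    rs.assign("dean", "college_budget", "Write")
    rs.add_member("faculty", "carol")
    rs.add_member("chair", "dave")
    rs.add_member("dean", "erin")
    rs.assign("faculty", "course:101", "Write", subject="carol")  # carol's membership only
    return rs
```

The query an application asks is permitted(subject, resource, action); everything else (which roles the subject holds, which roles sit below them, which permissions were placed on the membership rather than the role) stays inside the permission store.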

21 Grouper & identity services
- Grouper's roles & permissions are only low-level capabilities, initially
- No high-level interfaces have been implemented or even defined yet
- Looking for help with that from MACE-paccman and from partner sites
- More later in this conference about Grouper and identity service interfaces in Kuali and in uPortal

22 Grouper roadmap
- Current version is 1.5.0
- v1.5+: notification enhancements; attribute & permission enhancements; new LDAPPC = Shibboleth AA + SPMLv2
- v1.6: point-in-time audit; role management interface; uPortal integration; Kuali Rice integration

23 www.internet2.edu/grouper


25 MACE/Internet2 IAM work
- Shibboleth
- InCommon Federation
- Grouper
- Comanage
- Identity services & application domestication
- Privilege & access management: MACE-paccman working group; !Signet; Grouper to add some privilege management capability
- MACE-directories working group: edu* schema, white papers, etc.

26 Identity services activities & higher ed
- MACE-paccman working group
- Kuali Rice
- OSS projects, some JA-SIG affiliated
- Liberty, Identity Gang, etc.
- International efforts akin to MACE's
- Advanced CAMP, June 2009 in Philly

