
Grouper: A Toolkit for Managing Groups. Tom Barton, blair christensen, University of Chicago.


Slide 1: Grouper: A Toolkit for Managing Groups. Tom Barton, blair christensen, University of Chicago

Slide 2 (Fall 2004 I2MM): Outline
- The problem with groups
- Case study: U Chicago's "USITE" computer labs
- Tour of Grouper
- USITE case study revisited
- Grouper project status
- Bonus round: personal groups

Slide 3: Groups facilitate ...
- Customization: application UI tailored to the user's affiliations with the organization
- Authorization
  - "Lightweight": relationship information feeding access decisions
  - "Heavyweight": assignment of structured privileges to groups
- Messaging, scheduling, and collaboration
  - Departments, courses, programs, committees, teams, ...
- POSIX naming services

Slide 4: Group management issues
- Coordinating many sources of information
- Provisioning groups in many locations
- Supporting several styles of access to group membership information
- Aging of groups and of memberships
- Use of subgroups vs. effective membership
- Referring to set-theoretic combinations of groups (compound groups)
- Privacy and visibility requirements

Slide 5: The USITE access problem
- Must control access to computers in labs independently of the ability to authenticate
- U Chicago's Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
  - You'll see "nsit" and "usite" in the names of things to follow

Slide 6: USITE access policy
- Students
  - 23 categories of current students
  - Some entitle USITE access, some disenfranchise, others fail to entitle
  - Time-of-year dependency for some categories
- Current faculty and staff are entitled
- Other, more loosely affiliated people are not entitled
- Exceptional administrative admits and denies across all categories above

Slide 7: Use of group management
- Various elemental USITE-related categories of people are modeled as groups
- Subgroups are used to roll up effective admit or deny status
- Some groups are automatically managed, others manually
- Some roll-up groups are manually managed to deal with time dependency or changes in access policy

Slide 8: Groups model for USITE access (diagram; the ACL is "shaded green but not red")
Diagram elements, from the eligible side to the barred side: usite_eligible (manual), admin_admit (manual), uc:faculty (auto), uc:staff (auto), categories of entitled students, time-dependent student categories, categories of barred students, admin_deny (manual), usite_barred (manual)
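The roll-up on this slide, worked as a small Python model (an added example, not Grouper's code and not U Chicago's real registry). It shows the two mechanisms slides 4 and 7 contrast: subgroups resolved into effective membership, and a compound group formed by set difference, which is how "shaded green but not red" is read here (eligible minus barred, so a barring entry wins over an admit; the slides do not state that precedence, so it is an assumption of the model). All group members are constructed sample ids; the group names follow the nsit:usite namespace used in the talk.

```python
"""Toy group registry for the USITE access model (added example, not Grouper's
own code). Group names follow the nsit:usite namespace from the talk; all
member ids are constructed sample data."""
from typing import Dict, Optional, Set

# Group name -> direct members. A member that is itself a registry key is a
# subgroup; anything else is a person.
REGISTRY: Dict[str, Set[str]] = {
    # automatically loaded groups (constructed samples)
    "uc:faculty": {"prof_ada"},
    "uc:staff": {"staff_bob"},
    # student categories loaded from SIS (constructed samples)
    "nsit:usite:students_entitled": {"stu_carol", "stu_dave"},
    "nsit:usite:students_summer": {"stu_erin"},       # a time-dependent category
    "nsit:usite:students_barred": {"stu_dave"},       # a disenfranchising category
    # manually managed exception lists
    "nsit:usite:admin_admit": {"visitor_frank"},
    "nsit:usite:admin_deny": {"stu_carol"},
    # manually managed roll-up groups built from subgroups
    "nsit:usite:usite_eligible": {
        "uc:faculty", "uc:staff",
        "nsit:usite:students_entitled",
        "nsit:usite:admin_admit",
    },
    "nsit:usite:usite_barred": {
        "nsit:usite:students_barred",
        "nsit:usite:admin_deny",
    },
}


def effective_members(group: str, registry: Dict[str, Set[str]] = REGISTRY,
                      _seen: Optional[Set[str]] = None) -> Set[str]:
    """Effective membership: every person reachable through any depth of
    subgroups. _seen guards against a subgroup cycle (A contains B contains A)."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    people: Set[str] = set()
    for member in registry.get(group, set()):
        if member in registry:            # subgroup: recurse
            people |= effective_members(member, registry, _seen)
        else:                             # person: direct member
            people.add(member)
    return people


def usite_acl(registry: Dict[str, Set[str]] = REGISTRY) -> Set[str]:
    """The compound group 'shaded green but not red': effective members of
    usite_eligible minus effective members of usite_barred. In this model an
    administrative deny or a barring category overrides any entitling category."""
    return (effective_members("nsit:usite:usite_eligible", registry)
            - effective_members("nsit:usite:usite_barred", registry))


def set_summer_category(active: bool, registry: Dict[str, Set[str]] = REGISTRY) -> None:
    """The manual roll-up edit for a time-dependent category: add the summer
    student subgroup to usite_eligible when the term starts, drop it when it ends."""
    roll_up = registry["nsit:usite:usite_eligible"]
    if active:
        roll_up.add("nsit:usite:students_summer")
    else:
        roll_up.discard("nsit:usite:students_summer")


if __name__ == "__main__":
    print("out of term:", sorted(usite_acl()))
    set_summer_category(True)
    print("summer term:", sorted(usite_acl()))
```

Note what the model makes visible: stu_carol is in an entitling category but on admin_deny, and stu_dave is in both an entitling and a barring category, so neither reaches the ACL; the time-dependent category enters the ACL only while it is linked into the roll-up group, which is the manual step slide 7 describes.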

Slide 9: Management-related groups
- Management privileges for manually managed groups also need to be managed!
- So, more groups list who has what authority in managing the groups that mediate USITE access
  - Director of Learning Environments
  - Lab Managers
  - Student staff

Slide 10: Data flow and Grouper's role in USITE access (diagram)
Diagram elements: LDAP (uid: jdoe, ucAffiliation: ..., isMemberOf: ...); SIS; HR; Dir. Learning Environments; Lab Managers; Student staff; Loaders; Grouper API; Person registry; Group registry; Grouper UI; lab

Slide 11: Grouper groups
- Stored in an RDBMS, the Group Registry
- Attributes of groups: Name, Description, Members
- Possible to extend the set of attributes to support groups with more specific purposes

Slide 12: Directory of groups
- Groups are created within a hierarchy of directories, like files within a computer's directory system
  - Directories are also named
  - Sometimes you need to use the full name of a group, like the full pathname of a file. Example: /nsit/usite/admin_admit
- The directory delimiter can be configured for different effect. Example: nsit:usite:admin_admit

Slide 13: Grouper privileges
- Access privileges: who has what access (read, write) to a group's attributes
- Naming privileges: who can create a group or subdirectory in what part of the directory of groups

Slide 14: Access privileges
- VIEW: see the group's name in lists and refer to it, e.g., make it a subgroup of another group
- READ: basic information about a group
- UPDATE: membership, and administer the VIEW, READ, and UPDATE privileges
- ADMIN: can modify everything, including group name, description, and privileges, and can delete the group
- OPTIN: can add self to the members list
- OPTOUT: can remove self from the members list

Slide 15: Naming privileges
- STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
  - Motivating idea: a directory is a naming "stem" over which authority is exercised and delegated by those with stem privilege
- CREATE: create a group in a given directory

Slide 16: Built-in privilege implementation
- All access and naming privileges can be assigned to individual members or to groups
  - Subgroups, compound groups, and aging can be used to manage privileges
- Abstracted interfaces are presented for privilege management
  - Sites can hook in their own privilege management and bypass Grouper's built-in system

Slide 17: USITE revisited: Grouper's role
- Make an "nsit:usite" directory in the group registry
- Groups created within it:
  - dir_learning_env, lab_managers, student_staff
  - usite_eligible, usite_barred
  - admin_admit, admin_deny
- Give stem privilege for "nsit:usite" to the Director of Learning Environments
  - She can run her groups empire within it

Slide 18: USITE group access privileges (diagram; unqualified names are in the nsit:usite namespace; A, U, V, R presumably abbreviate the ADMIN, UPDATE, VIEW and READ privileges of slide 14)
Privilege labels in the diagram:
- usite_eligible: A:dir_learning_env; V,R:all
- admin_admit: U:usite_manage; V,R:usite_view
- uc:faculty: V,R:all
- uc:staff: V,R:all
- categories of entitled students, time-dependent student categories, categories of barred students (no labels survive in the transcript)
- admin_deny: U:usite_manage; V,R:usite_view
- usite_barred: A:dir_learning_env; V,R:all
- V:all (trailing label whose group is not recoverable from the transcript)
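The privilege scheme of slides 13 to 18, worked as a Python model (an added example, not Grouper's API). It resolves the grants on this slide against subjects, where a holder may be a person, a group (resolved through subgroups, as slide 16 allows) or "all"; it applies the naming rule of slide 15, under which STEM on a directory lets its holder create subdirectories and administer CREATE and STEM for that directory and its immediate subdirectories; and it reads full group names with the configurable delimiter of slide 12. Assumptions of the model: ADMIN implies UPDATE implies READ implies VIEW (the slide text suggests but does not state this), STEM alone does not confer CREATE, and the members of usite_manage, usite_view and every subject id are constructed.

```python
"""Toy model of Grouper's access and naming privileges as the slides describe
them (added example, not Grouper's own API). Grants follow the USITE privilege
slide; group memberships and subject ids are constructed sample data.
Assumption: ADMIN implies UPDATE implies READ implies VIEW."""
from typing import Dict, List, Optional, Set, Tuple

DELIM = ":"                                   # the configurable directory delimiter
ACCESS_RANK = {"VIEW": 1, "READ": 2, "UPDATE": 3, "ADMIN": 4}   # OPTIN/OPTOUT stand alone
EVERYONE = "all"                              # the "all" holder on the slide

# Direct members only; a member that is a registry key is a subgroup.
REGISTRY: Dict[str, Set[str]] = {
    "nsit:usite:dir_learning_env": {"director"},
    "nsit:usite:lab_managers": {"mgr_gina"},
    "nsit:usite:student_staff": {"stu_hal"},
    "nsit:usite:usite_manage": {"nsit:usite:dir_learning_env", "nsit:usite:lab_managers"},
    "nsit:usite:usite_view": {"nsit:usite:usite_manage", "nsit:usite:student_staff"},
}

# (group, privilege, holder): holder is a subject id, a group name, or EVERYONE
ACCESS_GRANTS: List[Tuple[str, str, str]] = [
    ("nsit:usite:usite_eligible", "ADMIN", "nsit:usite:dir_learning_env"),
    ("nsit:usite:usite_eligible", "VIEW", EVERYONE),
    ("nsit:usite:usite_eligible", "READ", EVERYONE),
    ("nsit:usite:admin_admit", "UPDATE", "nsit:usite:usite_manage"),
    ("nsit:usite:admin_admit", "VIEW", "nsit:usite:usite_view"),
    ("nsit:usite:admin_admit", "READ", "nsit:usite:usite_view"),
]
# (directory, privilege, holder) for the naming privileges STEM and CREATE
NAMING_GRANTS: List[Tuple[str, str, str]] = [
    ("nsit:usite", "STEM", "director"),       # slide 17: stem privilege to the Director
]


def members(group: str, _seen: Optional[Set[str]] = None) -> Set[str]:
    """Effective membership through nested subgroups (cycle-safe)."""
    _seen = _seen if _seen is not None else set()
    if group in _seen:
        return set()
    _seen.add(group)
    out: Set[str] = set()
    for m in REGISTRY.get(group, set()):
        out |= members(m, _seen) if m in REGISTRY else {m}
    return out


def holds(subject: str, holder: str) -> bool:
    """Does a grant made to `holder` apply to `subject`?"""
    return holder == EVERYONE or holder == subject or subject in members(holder)


def has_access(subject: str, group: str, priv: str) -> bool:
    """Access privilege check, with higher levels implying lower ones."""
    for g, p, h in ACCESS_GRANTS:
        if g != group or not holds(subject, h):
            continue
        if p == priv:
            return True
        if p in ACCESS_RANK and priv in ACCESS_RANK and ACCESS_RANK[p] >= ACCESS_RANK[priv]:
            return True
    return False


def can_grant_access(subject: str, group: str, priv: str) -> bool:
    """ADMIN may grant anything on the group; UPDATE may administer VIEW, READ and UPDATE."""
    if has_access(subject, group, "ADMIN"):
        return True
    return priv in ("VIEW", "READ", "UPDATE") and has_access(subject, group, "UPDATE")


def has_naming(subject: str, directory: str, priv: str) -> bool:
    return any(d == directory and p == priv and holds(subject, h)
               for d, p, h in NAMING_GRANTS)


def parent(directory: str) -> Optional[str]:
    """Parent directory of a full name, split on the configured delimiter."""
    return directory.rsplit(DELIM, 1)[0] if DELIM in directory else None


def can_create_group(subject: str, directory: str) -> bool:
    return has_naming(subject, directory, "CREATE")


def can_create_subdirectory(subject: str, directory: str) -> bool:
    return has_naming(subject, directory, "STEM")


def can_grant_naming(subject: str, directory: str) -> bool:
    """STEM on a directory administers CREATE/STEM there and in its immediate
    subdirectories (one level down, not deeper)."""
    up = parent(directory)
    return has_naming(subject, directory, "STEM") or (up is not None and has_naming(subject, up, "STEM"))


def grant_naming(actor: str, directory: str, priv: str, holder: str) -> None:
    """Delegation step: refused unless the actor's STEM privilege covers the directory."""
    if priv not in ("CREATE", "STEM") or not can_grant_naming(actor, directory):
        raise PermissionError(f"{actor} may not grant {priv} on {directory}")
    NAMING_GRANTS.append((directory, priv, holder))


if __name__ == "__main__":
    grant_naming("director", "nsit:usite", "CREATE", "nsit:usite:lab_managers")
    print("mgr_gina may create groups in nsit:usite:", can_create_group("mgr_gina", "nsit:usite"))
    print("stu_hal may read admin_admit:", has_access("stu_hal", "nsit:usite:admin_admit", "READ"))
    print("stu_hal may update admin_admit:", has_access("stu_hal", "nsit:usite:admin_admit", "UPDATE"))
```

The delegation chain in the main block is the one slide 17 sets up: the Director holds STEM on nsit:usite, grants CREATE there to the lab_managers group, and from then on a lab manager can create groups in that directory while student staff, who reach admin_admit only through usite_view, can read it but not change it.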

Slide 19: USITE group management privileges (diagram; unqualified names are in the nsit:usite namespace; no diagram text survives in the transcript)

Slide 20: Grouper v1 features
- API and UI for basic group management
  - Create, read, update, delete, import, export
  - Distributed management
  - Subgroups and compound groups
  - Aging of groups and memberships
- Abstracted interfaces for:
  - Group and directory privileges
  - Subject lookup
  - Last activity

Slide 21: Phases of Grouper v1 development
- Phase 1: Basic management and export functions
- Phase 2: Compound groups and Signet integration
- Phase 3: Aging of groups and memberships
- Phase 1 API available before end of year (2004, that is!)

Slide 22: Grouper deliverables
- U Chicago: Java API
- U Bristol: Java UI
- You: contributed loaders and connectors
- Subject Lookup implementation, jointly with the Signet project
- Group Registry creation scripts and sample batch import/export scripts
- Documentation

Slide 23: Grouper UI status
- Conceptual mock-up completed
- Modular design for look and feel
- Grouper and Signet UIs will "leave the factory floor" bearing an I2 family resemblance

Slide 24: Personal groups
- Any user can create groups named personal:username:groupname
- Good or evil?
  - Yeah! Low overhead to let everyone do groups
  - Booo! Valuable institutional data squirreled away in unknowable spaces that go away
- Configuration:
  - on/off
  - Root directory for the personal namespace ("personal" above)

Slide 25: Further info and participation
- MACE-Dir list
- MACE-Dir-groups conference calls
- http://middleware.internet2.edu/dir/groups

Slide 26: Grouper in Context

Slide 27: Missing
- Much on compound groups?
- Enough about UI?
- More Signet?

