Introduction to Grouper
• Open source, community-driven project of the Internet2 Middleware Initiative
• Initial release v0.5 in December 2004
• Grouper originally focused on robust management of groups, emphasizing:
  • Delegation and distributed management
  • Integration with most any existing IdM infrastructure. See case studies and campus contributions at: https://spaces.internet2.edu/display/Grouper/Community+Contributions
• Grouper v2.0 provides a broader set of access management capabilities, including roles & permissions
• Released 6 September 2011
October 2011
Grouper story
1. Start out using a single user attribute, affiliation, in LDAP or AD to let applications implement access policies
2. Enrich centralized access management using groups determined from systems of record
   • Courses, financial accounts, departments
   • Define service-specific access policies in the central IAM system
3. Get central IT out of the loop
   • Distributed management
   • Exceptions
   • Departmental apps
4. Increase integration of access management
   • Direct application integration with web services
   • ESB/SOA, REST/SOAP
   • Roles & privileges to support applications more deeply
Access management is a process: making authZ more than authN
Grouper: core concepts
Concept diagram (labels as recovered):
• Folders in hierarchies
• Group
• Direct members
• Subgroup
• Indirect members
• Composite groups (built with set operations such as union)
5
Security & delegation in Grouper
Privileges on folders:
• Create groups
• Create subfolders
Privileges on groups:
• Admin
• Update membership
• Read membership
• View group
• Opt-in
• Opt-out
Diagram label: Delegation
Beyond groups
Diagram labels: Attributes; Roles; Permissions; Attribute definition; Permission definition; Role inheritance
Delegation model extends that for Groups
• Membership start & end times (optional)
• Move or copy folders, groups, etc.
• User audit
• Point in time audit
• Rules
Access management lifecycle support
Grouper components
as of v2.0 (architecture diagram; component and connector labels as recovered)
• Grouper core: Grouper Database; Java API, Rules, Audit, External users, Changelog; Grouper Shell (gsh%)
• Interfaces: Web Services (SOAP, REST); Grouper Client; UIs: membership, attributes, roles & permissions, admin, invitation
• Provisioning and integration: Grouper Loader; LDAP Provisioning Connector; XML script; Real-Time (XMPP, HTTPS, ESB); Grouper Data Connector; Atlassian Connector and Kuali Connector (REST)
• Sources and identity management: Systems of Record; LDAP/AD (Persons, Orgs); Shibboleth IdP (SAML); SPML; Subject API with JNDI Source Adapter and JDBC Source Adapter
• Consumers: An Application, Another (via XMPP/HTTPS); Kuali Rice; Atlassian
New and improved in Grouper v2.0
Feature: Description
Rules: Execute built-in actions and expression language to add business logic to Grouper actions
Attribute and Permissions UIs: Ajax-y UIs to define, view, and assign attributes and permissions
Permission Disallow: To manage inheritance of permissions via Role, Resource, or Action hierarchies
Permission Limits: Built-in Policy Decision Point that combines run-time context with permissions to produce Allow/Deny
Point in Time Audit: Query Grouper's state at a previous time
External Subjects: Invitation processes leverage federation to let external Subjects be given group memberships and permissions
Syncing Groupers: Federate groups between two Groupers
Member Search & Sort: Selective Subject attribute caching for improved sorting and searching capability and speed
LdappcNG enhancement: Improved performance through caching
Tom Barton’s UChicago group memberships
June 2011
LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu:
dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucismemberof: uc:org:nsit:integration:techag
ucismemberof: uc:org:nsit:srdirs
ucismemberof: uc:org:nsit:integration:iteco:wr
ucismemberof: uc:applications:confluence:NSIT:esx
ucismemberof: uc:org:nsit:integration:iteco:rd
ucismemberof: uc:applications:confluence:NSIT:Directors
ucismemberof: uc:org:nsit:staff
ucismemberof: uc:applications:confluence:NSIT:Everyone
ucismemberof: uc:org:nsit:integration:shib_group
ucismemberof: uc:applications:bulkmail:users
ucismemberof: uc:org:library:gnet:admins
ucismemberof: uc:applications:gnetid:admins
ucismemberof: uc:applications:wireless:authorized
ucismemberof: uc:applications:cmail:users:authorized
ucismemberof: uc:reference:affiliations:effective:staff
Callouts on the slide highlight ucIsMemberOf: uc:org:nsit:srdirs and ucIsMemberOf: uc:reference:affiliations:effective:staff.
Memberships become LDAP attributes
UChicago VPN simple delegation example
ucIsMemberOf: uc:applications:vpn:authorized
Different groups, different authorities. VPN only uses "vpn:authorized".
Diagram labels (as recovered): eligible; denied; student; staff; alum; hospital; postdoc; closure; locked; IRB; vpn:authorized shown as a composite of eligible minus denied.
Authorities shown for the groups: core business systems; IRB Office; IT Security Team; IdM system.
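As an added example (not from the slides and not Grouper's own code), this Python sketch models the pattern on the two UChicago slides: a composite group computed as eligible minus denied, provisioned into the ucIsMemberOf attribute, and consumed by the VPN through that single attribute value. All group names other than uc:applications:vpn:authorized, the member ids and the dc=example DN are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Group:
    name: str
    direct: set = field(default_factory=set)       # directly assigned members
    subgroups: list = field(default_factory=list)  # nested groups -> indirect members
    # composite: (op, left, right), op in {"union", "intersection", "complement"}
    composite: Optional[tuple] = None

def members(g: Group) -> set:
    """Effective membership: direct plus indirect members, or the composite result."""
    if g.composite:
        op, left, right = g.composite
        l, r = members(left), members(right)
        return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
    eff = set(g.direct)
    for sub in g.subgroups:
        eff |= members(sub)
    return eff

def memberof_attrs(uid: str, groups: list) -> list:
    """Provisioning view: the values an LDAP connector would write to ucIsMemberOf."""
    return sorted(g.name for g in groups if uid in members(g))

def vpn_allows(ldap_entry: dict) -> bool:
    """Application side: the VPN checks one attribute value only and never
    re-implements the eligibility policy, which stays with the IdM system."""
    return "uc:applications:vpn:authorized" in ldap_entry.get("ucIsMemberOf", [])

# Constructed sample: different authorities feed different groups.
student = Group("uc:ref:student", {"alice", "bob"})        # system of record
staff = Group("uc:ref:staff", {"carol", "tbarton"})        # system of record
eligible = Group("uc:vpn:eligible", subgroups=[student, staff])
locked = Group("uc:sec:locked", {"bob"})                   # IT Security Team
closure = Group("uc:irb:closure", {"carol"})               # IRB Office
denied = Group("uc:vpn:denied", subgroups=[locked, closure])
vpn_authorized = Group("uc:applications:vpn:authorized",
                       composite=("complement", eligible, denied))
ALL_GROUPS = [student, staff, eligible, locked, closure, denied, vpn_authorized]

def ldap_entry_for(uid: str) -> dict:
    """Constructed LDAP entry as the provisioning connector would leave it."""
    return {"dn": f"uid={uid},ou=people,dc=example,dc=edu",
            "ucIsMemberOf": memberof_attrs(uid, ALL_GROUPS)}

if __name__ == "__main__":
    for uid in ("alice", "bob", "carol", "dave"):
        print(uid, vpn_allows(ldap_entry_for(uid)))
```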
UChicago applications managed by Grouper, so far
aams, Ad Astra, Bulkmail, Business Objects Enterprise, Chalk, CityRyde, Cmail, cnet, Confluence, Directory Administration, dmca, Facilities SIMS, gnetid, grouper, im, isx, IT Ecosystem, Lab School, LDAP, lists, Mail Forwarding, Microsoft Exchange, modem pool, myUChicago, online directory, password expiration, rt, Service Now, shibboleth, Statements portlet, SVN, tank, UC Groups, unifiedcomm, uPoV Monitor, versions, voip, vpn, web hosting, webproxy, Webshare, webspace, wireless