Leveraging Campus Directories: Lightweight Authorization and Group Management
http://arch.doit.wisc.edu/keith/educause
Keith Hazelton
University of Wisconsin-Madison
Internet2 Middleware Architecture Committee for Education
Educause, October, 2004
2004-10-20 Educause, Denver 2
Outline
• Identity Management (IdM) defined
• Life story of enterprise Identity Management:
– The starting point: Enterprise directories
– Authorization, the early years: Individuals, services, groups (NMI Project Grouper)
– Authorization and privilege management: The infrastructure matures (NMI Project Signet)
• Exploring the early authorization phase, “lightweight authorization”
• Copyright Keith Hazelton, 2004. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Identity Management (IdM) defined
• What is Identity Management (IdM)?
– “Identity management is the set of business processes, and a supporting infrastructure, for the creation, maintenance, and use of digital identities.” The Burton Group (a research firm specializing in IT infrastructure for the enterprise)
• What problems does Identity Management solve?
Identity Management is…
• “Hi! I’m Lisa.” (Identity)
• “…and here’s my password to prove it.” (Authentication)
• “I want to open the Portal to check my email.” (Authorization: Allowing Lisa to use the services for which she’s authorized)
• “And I want to change my grade in last semester’s Physics course.” (Authorization: Preventing her from doing things she’s not supposed to do)
Identity Management is also…
• New hire, Assistant Professor Alice
– Department wants to give her an email account before her appointment begins so they can get her off to a running start
• How does she get into our system and get set up with the accounts and services appropriate to faculty?
What questions are common to these scenarios?
• Are the people using these services who they claim to be?
• Are they a member of our campus community?
• Have they been given permission?
• Is their privacy being protected?
As for Lisa
• Sez who?
– What Lisa’s username and password are?
– What she should be able to do?
– What she should be prevented from doing?
– Scaling to the other 40,000 just like her on campus
As for Professor Alice
• What accounts and services should faculty members be given?
• At what point in the hiring process should these be activated?
• Methods need to scale to 20,000 faculty and staff
• There is an Identity Management aspect to each and every one of these items
Identity Management, the Big, Scary Picture
IdM Starting Point: The Enterprise Directory
Enterprise Directory Services
• The Join: Establishing identity across systems
• Issuing digital identity credentials
• Supporting authentication, Web Initial Sign-on (Web-ISO)
• Maintaining per-person information and identity attributes
• Making this available to application developers and integrators
Authorization, the early years
• IdM value realized only when access to services & information enabled
• Authorization support is the keystone
• Crude beginnings: If you can log in, you get it all
• Call to serve non-traditional audiences breaks this model:
– Applicants
– Collaborative program students
Authorization, the early years
• First refinement on “Log in, get it all:”
• Add service flags to the enterprise directory as additional identity information
– Lisa: Eligible for email
– Fred: Eligible for student health services
– Sam: Enrolled in Molecular Biology 432
• The horrendous scaling problem
Authorization, the early years
• Bringing in groups to deal with the scaling problem
Groups to the rescue
• Create a group, musketeers
• Say what services members of the group are eligible for
• Make selected individuals members of the group
Authorization and privilege management: The infrastructure matures (Signet)
• The emergence of Privilege Management:
By authority of the Dean (grantor)
principal investigators (role / group)
who have completed training (prerequisite)
can approve purchases (function)
in the School of Medicine (scope)
for research projects up to $100,000 (limits)
until January 1, 2006 (condition)
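Added example (not from the talk, Signet or Grouper) of how a structured privilege like the one above can be evaluated clause by clause, with each clause as a separate deny reason. Subject names, the role group, the completed-training record and the requests are constructed for illustration.

```python
# Added example (not from the talk, Signet or Grouper): evaluating one structured
# privilege of the form shown above. Names, memberships and requests are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Privilege:
    grantor: str                        # by authority of the Dean
    role: str                           # group whose members hold the privilege
    prerequisite: Optional[str]         # must have completed training
    function: str                       # can approve purchases
    scope: str                          # in the School of Medicine
    limits: dict = field(default_factory=dict)  # for research projects, up to $100,000
    expires: Optional[date] = None      # condition: until January 1, 2006


PI_PURCHASING = Privilege(
    grantor="dean", role="principal_investigators", prerequisite="purchasing_training",
    function="approve_purchase", scope="school_of_medicine",
    limits={"purpose": "research_project", "max_amount": 100_000},
    expires=date(2006, 1, 1),
)

# Constructed registry state: role membership and completed prerequisites.
GROUPS = {"principal_investigators": {"alice", "bob"}}
COMPLETED = {"alice": {"purchasing_training"}, "bob": set()}


def authorized(subject, function, scope, amount, purpose, today, priv=PI_PURCHASING):
    """Every clause of the privilege must hold; any failing clause denies."""
    if function != priv.function or scope != priv.scope:
        return False                                   # wrong function or scope
    if subject not in GROUPS.get(priv.role, set()):
        return False                                   # not in the role group
    if priv.prerequisite and priv.prerequisite not in COMPLETED.get(subject, set()):
        return False                                   # prerequisite not met
    if purpose != priv.limits.get("purpose", purpose):
        return False                                   # outside the permitted purpose
    if amount > priv.limits.get("max_amount", float("inf")):
        return False                                   # over the dollar limit
    if priv.expires is not None and today >= priv.expires:
        return False                                   # condition expired
    return True
```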
Back to the future: Lightweight Authorization and Groups
• NMI project Grouper: A toolkit for lightweight (group-based) authorization
• Led by Tom Barton, U Chicago
• International collaborative project
– UI being developed at Bristol in UK
Grouper topics
• The problem with groups
• Case study: U Chicago’s “USITE” computer labs
• Tour of Grouper
• USITE case study revisited
• Grouper project status
Groups facilitate …
• Customization – application UI tailored to user’s affiliations with the organization
• Authorization
– “Lightweight” - relationship info feeding access decisions
– “Heavyweight” - assignment of structured privileges to groups
• Messaging, scheduling, & collaboration
– Departments, courses, programs, committees, teams, …
Group management issues
• Coordinating many sources of information
• Provisioning groups in many locations
• Supporting several styles of access to group membership information
• Aging of groups and of memberships
• Use of subgroups vs. effective membership
• Referring to set theoretic combinations of groups (compound groups)
• Privacy & visibility requirements
The USITE access problem
• Must control access to computers in labs independent of ability to authenticate
• U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
– You’ll see “nsit” and “usite” in names of things to follow
USITE access policy
• Students
– 23 categories of current students
– Some entitle USITE access, some disenfranchise, others fail to entitle
– Time of year dependency for some categories
• Current faculty & staff are entitled
• Other more loosely affiliated people are not entitled
• Exceptional administrative admits and denies across all categories above
Use of group management
• Various elemental USITE-related categories of people are modeled as groups
• Subgroups are used to roll-up effective admit or deny status
• Some groups are automatically managed, others manually
• Some roll-up groups are manually managed to deal with time dependency or change in access policy
Groups model for USITE access (ACL is “shaded green but not red”)
Groups in the diagram (manual = manually managed, auto = automatically loaded):
• usite_eligible (manual)
• admin_admit (manual)
• uc:faculty (auto)
• uc:staff (auto)
• categories of entitled students
• time dependent student categories
• categories of barred students
• admin_deny (manual)
• usite_barred (manual)
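Added example (not the talk's or Grouper's own code) of the “green but not red” roll-up: subgroups flatten into effective membership, and USITE access is membership of usite_eligible minus membership of usite_barred, so an administrative deny wins over any admit. The subgroup arrangement follows the diagram above; the group-name prefixes, the subject names and the per-category memberships are constructed.

```python
# Added example (not from the talk or the Grouper project): a minimal model of
# the USITE roll-up groups. Group names and memberships are constructed here.

# Group registry: each group's direct members are subjects (strings) and/or
# other groups (names prefixed with "group:"), so subgroups roll up status.
REGISTRY = {
    # automatically loaded from HR / SIS
    "uc:faculty": {"alice"},
    "uc:staff": {"fred"},
    "students:entitled": {"lisa", "sam"},
    "students:time_dependent": {"pat"},     # e.g. a summer-only category
    "students:barred": {"sam"},             # sam is also in a barred category
    # manually managed exception lists
    "nsit:usite:admin_admit": {"visitor1"},
    "nsit:usite:admin_deny": {"lisa"},
    # manually managed roll-up groups (their members are subgroups)
    "nsit:usite:usite_eligible": {
        "group:uc:faculty", "group:uc:staff", "group:students:entitled",
        "group:students:time_dependent", "group:nsit:usite:admin_admit",
    },
    "nsit:usite:usite_barred": {
        "group:students:barred", "group:nsit:usite:admin_deny",
    },
}


def effective_members(group, registry=REGISTRY, _seen=None):
    """Flatten subgroups into the set of subjects that are effective members.
    The _seen set guards against a cycle (a group that contains itself)."""
    _seen = set() if _seen is None else _seen
    if group in _seen or group not in registry:
        return set()
    _seen.add(group)
    members = set()
    for m in registry[group]:
        if m.startswith("group:"):
            members |= effective_members(m[len("group:"):], registry, _seen)
        else:
            members.add(m)
    return members


def usite_access(subject, registry=REGISTRY):
    """The ACL is 'shaded green but not red': eligible AND NOT barred.
    A deny anywhere in the red tree wins over any admit in the green tree."""
    eligible = effective_members("nsit:usite:usite_eligible", registry)
    barred = effective_members("nsit:usite:usite_barred", registry)
    return subject in eligible and subject not in barred


def remove_time_dependent(registry=REGISTRY):
    """Manual roll-up management: when the term ends, the lab manager drops the
    time-dependent category from usite_eligible instead of editing each user."""
    registry["nsit:usite:usite_eligible"].discard("group:students:time_dependent")


if __name__ == "__main__":
    for s in ["alice", "fred", "lisa", "sam", "pat", "visitor1", "nobody"]:
        print(f"{s:9} usite access: {usite_access(s)}")
```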
Management related groups
• Management privileges for manually managed groups also need to be managed!
• So, more groups list who has what authority in managing groups that mediate USITE access
– Director of Learning Environments
– Lab Managers
– Student staff
Data flow & Grouper’s role in USITE access (diagram)
Components shown in the diagram: SIS, HR, Loaders, Grouper API, Person registry, Group registry, Grouper UI, the Dir. Learning Environments, Lab Managers and Student staff, the lab, and LDAP, where a person entry carries the result:
uid: jdoe
ucAffiliation: …
isMemberOf: …
Grouper groups
• Stored in an RDBMS, the Group Registry
• Attributes of groups
– Name
– Description
– Members
• Possible to extend the set of attributes to support groups with more specific purposes
Grouper privileges
• Access privileges - who has what access (read, write) to a group’s attributes
• Naming privileges - who can create a group or subdirectory in what part of the directory of groups
Access privileges
• VIEW group’s name in lists & can refer to it, e.g., make it a subgroup of another group
• READ basic information about a group
• UPDATE membership and administer VIEW, READ, & UPDATE privileges
• ADMIN can modify everything, including group name, description, & privileges, and can delete the group
• OPTIN can add self to the members list
• OPTOUT can remove self from the members list
Naming privileges
• STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
– Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege
• CREATE a group in a given directory
Built-in privilege implementation
• All access & naming privileges can be assigned to individual members or to groups
– Subgroups, compound groups, and aging can be used to manage privileges
• Abstracted interfaces are presented for privilege management
– Sites can hook in their own privilege management and bypass Grouper’s built-in system
USITE revisited – Grouper’s role
• Make an “nsit:usite” directory in the group registry
• Groups created within it
– dir_learning_env, lab_managers, student_staff
– usite_eligible, usite_barred
– admin_admit, admin_deny
• Give stem privilege for “nsit:usite” to the Director of Learning Environments
– She can run her groups empire within
USITE group access privileges
Privilege labels on the groups in the diagram (A = ADMIN, U = UPDATE, V = VIEW, R = READ; “all” = everyone):
• usite_eligible – A: dir_learning_env; V, R: all
• admin_admit – U: usite_manage; V, R: usite_view
• uc:faculty – V, R: all
• uc:staff – V, R: all
• categories of entitled students, time dependent student categories, categories of barred students – V: all
• admin_deny – U: usite_manage; V, R: usite_view
• usite_barred – A: dir_learning_env; V, R: all
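Added example (not the talk's or Grouper's own code) that models the access privileges (VIEW, READ, UPDATE, ADMIN, OPTIN, OPTOUT) and naming privileges (STEM, CREATE) and applies the assignments labelled above: a lab manager holding UPDATE via usite_manage can change admin_admit's members but cannot delete the group or grant ADMIN, and only the STEM holder on nsit:usite can delegate CREATE. The memberships of dir_learning_env, usite_manage and usite_view, the subject names, and the assumption that STEM implies CREATE within the stem (the director “runs her groups empire within”) are constructed for this example.

```python
# Added example (not from the talk or the Grouper project): a model of Grouper's
# access and naming privileges applied to the USITE assignments on the slide.
# Subject and group names are constructed; "all" stands for every subject.
ACCESS = ("VIEW", "READ", "UPDATE", "ADMIN", "OPTIN", "OPTOUT")

# What each access privilege permits on a group, per the access privileges slide.
OPS = {
    "VIEW": {"view"},
    "READ": {"view", "read"},
    "UPDATE": {"view", "read", "update_members",
               "grant_VIEW", "grant_READ", "grant_UPDATE"},
    "ADMIN": {"view", "read", "update_members", "grant_VIEW", "grant_READ",
              "grant_UPDATE", "grant_ADMIN", "rename", "delete"},
    "OPTIN": {"add_self"},
    "OPTOUT": {"remove_self"},
}

# Constructed memberships of the management groups used as grantees.
GROUPS = {
    "dir_learning_env": {"director"},
    "usite_manage": {"mgr1"},             # lab managers
    "usite_view": {"mgr1", "sstaff1"},    # lab managers and student staff
}

# Access privileges on the USITE groups, as labelled on the slide.
GROUP_PRIVS = {
    "usite_eligible": {"ADMIN": {"group:dir_learning_env"}, "VIEW": {"all"}, "READ": {"all"}},
    "usite_barred": {"ADMIN": {"group:dir_learning_env"}, "VIEW": {"all"}, "READ": {"all"}},
    "admin_admit": {"UPDATE": {"group:usite_manage"},
                    "VIEW": {"group:usite_view"}, "READ": {"group:usite_view"}},
    "admin_deny": {"UPDATE": {"group:usite_manage"},
                   "VIEW": {"group:usite_view"}, "READ": {"group:usite_view"}},
}

# Naming privileges per stem (directory): the director holds STEM on nsit:usite.
STEM_PRIVS = {"nsit:usite": {"STEM": {"director"}, "CREATE": set()}}


def holds(subject, grantees):
    """A grantee is 'all', a subject name, or 'group:<name>' (any member holds it)."""
    if "all" in grantees or subject in grantees:
        return True
    return any(subject in GROUPS.get(g[len("group:"):], set())
               for g in grantees if g.startswith("group:"))


def can(subject, op, group):
    """Default deny: op is allowed only via some access privilege the subject holds."""
    privs = GROUP_PRIVS.get(group, {})
    return any(op in OPS[p] and holds(subject, privs.get(p, set())) for p in ACCESS)


def can_create_group(subject, stem):
    """CREATE on the stem permits creating a group there; this model assumes
    STEM implies it too, since the STEM holder administers CREATE for the stem."""
    p = STEM_PRIVS.get(stem, {})
    return holds(subject, p.get("CREATE", set())) or holds(subject, p.get("STEM", set()))


def delegate_create(granter, stem, grantee):
    """Only a STEM holder may administer CREATE privileges for the stem."""
    if not holds(granter, STEM_PRIVS.get(stem, {}).get("STEM", set())):
        raise PermissionError(f"{granter} lacks STEM on {stem}")
    STEM_PRIVS.setdefault(stem, {}).setdefault("CREATE", set()).add(grantee)
    return True
```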
USITE group management privileges
Oh, and Personal groups
• Any user can create groups named personal:username:groupname
• Good or evil?
– Yeah! Low overhead to let everyone do groups
– Booo! Valuable institutional data squirreled away in unknowable spaces that go away
• Configuration:
– on/off
– Root directory for personal namespace (“personal” above)
Grouper v1 features
• API & UI for basic group management
– Create, read, update, delete, import, export
– Distributed management
– Subgroups & compound groups
– Aging of groups and memberships
• Abstracted interfaces for
– Group and directory privileges
– Subject lookup
– Last activity
Phases of Grouper v1 development
• Phase 1: Basic management and export functions
• Phase 2: Compound groups & Signet integration
• Phase 3: Aging of groups and memberships
• Phase 1 API available before end of November 2004
Grouper deliverables
• U Chicago - Java API
• U Bristol - Java UI
• You – contributed loaders & connectors
• Subject Lookup implementation
– jointly with Signet project
• Group Registry creation scripts & sample batch import/export scripts
• Documentation
Resources
• http://middleware.internet2.edu/dir/groups
• http://middleware.internet2.edu/signet
Grouper in Context
Process diagram