TRANSCRIPT
Managing Authorization with Signet and Grouper
Tom Barton, University of Chicago
Lynn McRae, Stanford University
2
Groups and Privilege management
• Groups
  • Who someone is (identity)
  • Populations sharing a common characteristic
  • Institutional role, departmental, personal
• Privileges
  • What someone can do (permissions)
  • Involved person, action, resource, context
• Exploring Grouper and Signet…
  • Groups for eligibility & authorization
  • Privileges, policy & permissions
3
Stone Age
[Diagram: seven individuals (Clark, Leo, George, Lois, Peter, Nick, Ed) are listed directly on a separate ACL for each function: Admin, Input, Reporting.]
4
Middle Ages
[Diagram: functional groups replace per-person ACL entries. Admin: George, Nick. Input: George, Nick, Clark, Lois. Reporting: George, Nick, Clark, Lois, Peter, Leo, Ed.]
Functional Groups
5
Renaissance
[Diagram: "role" groups. Owner: George, Nick. Staff: Clark, Lois. Clients: Peter, Leo, Ed. The Admin, Input and Reporting ACLs now name these groups rather than individuals.]
"Role" Groups
6
20th century
[Diagram: enterprise roles and affiliations (Owner, Staff, Client, Faculty) supplied by Identity Management are what the Admin, Input and Reporting ACLs refer to.]
Enterprise roles, affiliations
Identity Management!
7
Groups Management
[Diagram: a groups management service holds the Admins, Staff, Faculty and Clients groups, which the Admin, Input and Reporting ACLs reference.]
adds user-maintained groups
8
Something still missing
[Diagram: three applications, each with its own functions (Maint/Input/Reporting with an Admin role; View/Update/Delete with an Admin role; Check out/Submit) and each with its own copy of the Staff and Client group assignments.]
Each system interprets policy and sets access rules separately.
9
Privilege Management
[Diagram: an Access Manager with a PEP sits between the applications (Maint/Input/Reporting; View/Update/Delete; Check out/Submit) and the groups (Admins, Staff, Faculty, Clients) and individuals. Permissions (Manage, Read, ReadWrite) and roles (Author, Reader) are assigned under a single policy in one place.]
10
Identity & Access Management Reality
• Each person's online activities are shaped by many Sources of Authority (SoAs)
  • Institutional policy making bodies
  • Resource managers
  • Program/activity/project heads
  • Self
• Management of the information it conveys should be distributed
  • Hook up all of those SoAs to the middleware
• Common (core) middleware infrastructure should be operated centrally
  • To not oblige departments/programs/activities to build their own
11
Connecting SoAs, Integrating with Existing Infrastructure
12
Relative Roles of Signet & Grouper
RBAC model
• Users are placed into groups (aka "roles")
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
Grouper and Signet
• Grouper manages, well, groups
• Signet manages privileges
• Separates responsibilities for groups & privileges
13
The duck test…
Grouper
• Binary info – you're either in some list or not
• Identity- or affiliation-based access control or distribution
• Identification layer of an encompassing access management scheme
• Locally tweak or combine other groups
Signet
• Structured, qualified info – limits, conditions, scope, …
• Oriented to individuals rather than roles
• Human judgment and chain of authority essential for access decisions
• Enable functional, not just technical, people to manage privileges
• Supports policy control closer to source of authority
• Audit requirements
14
Illustrative Use Cases: Blackboard Collaboration Support
• What
  • Setup tools to support collaboration for "organizations" or groups (in addition to classes)
• Grouper function
  • Registration. Organization liaison given group in which to maintain organization membership
• Signet function
  • Manage which tools are enabled for which organizations
  • Coordinates services across systems
15
Illustrative Use Cases: Computer Cluster Access
• What
  • Express complex access policy in LDAP attributes that condition workstation login
• Grouper function
  • Group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy
  • Whitelist & blacklist policy exception capability given to cluster administrators
  • Cluster admins tweak classifying hierarchy as needed
• Signet function
  • None at present. Would be used if, for example, departments were to authorize access to their own computer labs
16
Illustrative Use Cases: Expense Management System
• What
  • Import user profile data into an EMS
• Grouper function
  • Maintain EMS-specific organizational hierarchy
• Signet function
  • Assign who gets approval privilege for which parts of the EMS Org Hierarchy
17
Nutshell Description of Grouper
• Mix of manual and automation processes manage a common Group Registry
  • Stored in an RDBMS
  • Automation processes provision info from the Group Registry into LDAP, AD, directly into app-specific databases, wherever the value of the info warrants spending the resources to place it there
• Two types of managed objects: groups and namespaces (or "naming stems")
  • Groups are created/named within a namespace
• Group management authority is delegatable
  • By group or by namespace
18
Grouper Architecture
19
Group Attributes
20
Grouper Groups
• Any "subject" can be a group member or privilegee
  • Persons, groups, site-defined subject types
  • Uses Subject API developed by Grouper+Signet teams
• Subgroups (now), compound groups (v1.0), and aging (v1.1) of groups and memberships
• Privileges
  • ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
• Group attribute set can be site-extended
21
Namespaces or Stems
22
Grouper Namespaces
• Groups are created within namespaces
  • Limits the authority to create and name groups
  • Support distinct activities with own authority
• Namespaces can be arranged hierarchically
• Privileges
  • STEM – create subordinate namespaces; assign privileges for this namespace
  • CREATE – create groups in this namespace
23
Example: Computer Cluster Access
[Group hierarchy diagram]
it:labs:eligible (manual), composed of:
  it:labs:whitelist (manual)
  uc:faculty (auto)
  uc:staff (auto)
  categories of entitled students (auto)
  time dependent student categories (auto)
it:labs:barred (manual), composed of:
  it:labs:blacklist (manual)
  categories of barred students (auto)
Allow access if "eligible" but not "barred"
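The policy on this slide, evaluated over a small in-memory group registry, as an added example (not Grouper code). The stem and group names follow the slide; the people, the student category names and the membership data are constructed. The evaluator flattens nested groups transitively (with a cycle guard, since the hierarchy is hand-edited), applies "eligible but not barred" so that the blacklist overrides even a whitelist entry, and derives the isMemberOf values that would be provisioned to LDAP.

```python
"""Added example (not Grouper code): the "eligible but not barred" cluster
policy, evaluated over a constructed in-memory group registry."""
from __future__ import annotations

# group name -> members; a member that is itself a registry key is a subgroup.
# Constructed sample data; group names follow the slide, people are made up.
REGISTRY: dict[str, set[str]] = {
    # loaded automatically from HR / SIS
    "uc:faculty": {"alice"},
    "uc:staff": {"bob"},
    "uc:students:entitled": {"carol", "dave"},   # "categories of entitled students"
    "uc:students:term:current": {"erin"},        # "time dependent student categories"
    "uc:students:barred": {"dave"},              # "categories of barred students"
    # maintained by hand by lab staff (policy exceptions)
    "it:labs:whitelist": {"frank"},
    "it:labs:blacklist": {"alice"},
    # policy groups composed of subgroups
    "it:labs:eligible": {
        "it:labs:whitelist", "uc:faculty", "uc:staff",
        "uc:students:entitled", "uc:students:term:current",
    },
    "it:labs:barred": {"it:labs:blacklist", "uc:students:barred"},
}


def effective_members(group: str, registry=REGISTRY, _seen=None) -> set[str]:
    """Flatten nested membership (transitive closure). The _seen set stops a
    mis-edited hierarchy containing a cycle from recursing forever."""
    _seen = set() if _seen is None else _seen
    if group in _seen:
        return set()
    _seen.add(group)
    members: set[str] = set()
    for m in registry.get(group, set()):
        if m in registry:                      # subgroup: recurse into it
            members |= effective_members(m, registry, _seen)
        else:
            members.add(m)                     # leaf subject
    return members


def cluster_access(subject: str, registry=REGISTRY) -> bool:
    """Allow access if 'eligible' but not 'barred'. Barred wins, so a
    blacklist entry overrides faculty status or an explicit whitelist entry."""
    return (subject in effective_members("it:labs:eligible", registry)
            and subject not in effective_members("it:labs:barred", registry))


def is_member_of(subject: str, registry=REGISTRY) -> list[str]:
    """Every group (including the policy groups) the subject resolves into:
    the isMemberOf values a provisioning job would write to the LDAP entry."""
    return sorted(g for g in registry if subject in effective_members(g, registry))


if __name__ == "__main__":
    for person in ["alice", "bob", "carol", "dave", "erin", "frank", "grace"]:
        print(f"{person:6} access={str(cluster_access(person)):5} "
              f"isMemberOf={is_member_of(person)}")
```

Note that the decision is computed from the flattened policy groups, not from the leaf groups: a workstation login hook only needs to test two isMemberOf values, and the lab staff change who is eligible or barred by editing membership, not by editing the rule.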
24
Data Flow & Grouper Roles in Computer Cluster Access
[Diagram: SIS and HR feed Loaders, which write to the Person Registry and, through the Grouper API, to the Groups Registry. The Lab Director (ADMIN), Lab Managers (UPDATE) and on-site staff (READ) work on the lab groups through the Grouper UI and the Grouper API. The Groups Registry is provisioned into LDAP, where a person entry carries uid: jdoe, ucAffiliation: … and isMemberOf: … attributes.]
25
Five Ways to Delegate Group Management
1. Create a group and assign someone to manage its membership (UPDATE)
2. Create a group and assign someone to manage who manages the group’s membership and who can see what about the group (ADMIN)
3. Create a namespace and assign someone to create groups within it (CREATE)
4. Create a namespace and assign someone to manage who can create groups within it (STEM)
5. Allow Self to OPTIN or OPTOUT of membership
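The five delegation patterns above, and the ADMIN/UPDATE/READ split from the data-flow slide, as an added model in Python (this is not Grouper's own API). Every registry operation checks the privilege Grouper names for it: UPDATE to edit membership, ADMIN to hand out group privileges, READ to see members, OPTIN/OPTOUT for self-service, CREATE to make groups in a namespace, STEM to hand out namespace privileges. Two details are assumptions of the model rather than statements from the slides: the creator of a group starts with ADMIN on it, and ADMIN implies the other group privileges. Stem, group and person names are constructed.

```python
"""Added example, not Grouper's API: delegation privileges enforced per operation."""
from dataclasses import dataclass, field

GROUP_PRIVS = {"ADMIN", "UPDATE", "READ", "VIEW", "OPTIN", "OPTOUT"}
STEM_PRIVS = {"STEM", "CREATE"}


@dataclass
class Registry:
    # object name -> subject -> set of privileges held on that object
    stem_privs: dict = field(default_factory=dict)
    group_privs: dict = field(default_factory=dict)
    members: dict = field(default_factory=dict)      # group -> set of subjects

    @classmethod
    def bootstrap(cls, root_stem: str, owner: str) -> "Registry":
        """The top-level namespace and its first STEM/CREATE holder are set up out of band."""
        r = cls()
        r.stem_privs[root_stem] = {owner: set(STEM_PRIVS)}
        return r

    @staticmethod
    def _require(table, obj, actor, *privs):
        """Deny unless the actor holds one of the named privileges on obj.
        An unknown object looks exactly like a missing privilege."""
        if not table.get(obj, {}).get(actor, set()) & set(privs):
            raise PermissionError(f"{actor} lacks {'/'.join(privs)} on {obj}")

    # 4: STEM lets you create sub-namespaces and hand out STEM/CREATE in this one
    def create_stem(self, actor, parent, name) -> str:
        self._require(self.stem_privs, parent, actor, "STEM")
        stem = f"{parent}:{name}"
        self.stem_privs[stem] = {actor: set(STEM_PRIVS)}
        return stem

    def grant_stem_priv(self, actor, stem, subject, priv):
        if priv not in STEM_PRIVS:
            raise ValueError(f"{priv} is not a namespace privilege")
        self._require(self.stem_privs, stem, actor, "STEM")
        self.stem_privs[stem].setdefault(subject, set()).add(priv)

    # 3: CREATE on a namespace lets you make groups in it
    def create_group(self, actor, stem, name) -> str:
        self._require(self.stem_privs, stem, actor, "CREATE")
        group = f"{stem}:{name}"
        self.group_privs[group] = {actor: {"ADMIN"}}   # assumption: creator starts as ADMIN
        self.members[group] = set()
        return group

    # 2: ADMIN decides who manages membership and who may see what
    def grant_group_priv(self, actor, group, subject, priv):
        if priv not in GROUP_PRIVS:
            raise ValueError(f"{priv} is not a group privilege")
        self._require(self.group_privs, group, actor, "ADMIN")
        self.group_privs[group].setdefault(subject, set()).add(priv)

    # 1 and 5: UPDATE (or ADMIN) edits any membership; OPTIN/OPTOUT only one's own
    def add_member(self, actor, group, subject):
        privs = ("ADMIN", "UPDATE", "OPTIN") if actor == subject else ("ADMIN", "UPDATE")
        self._require(self.group_privs, group, actor, *privs)
        self.members[group].add(subject)

    def remove_member(self, actor, group, subject):
        privs = ("ADMIN", "UPDATE", "OPTOUT") if actor == subject else ("ADMIN", "UPDATE")
        self._require(self.group_privs, group, actor, *privs)
        self.members[group].discard(subject)

    def list_members(self, actor, group) -> set:
        self._require(self.group_privs, group, actor, "ADMIN", "UPDATE", "READ")
        return set(self.members[group])


def denied(fn, *args) -> bool:
    """True if the registry refuses the operation (for checking negative cases)."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo() -> Registry:
    """The cluster-access delegation: IT owns 'it', the lab director may create
    groups under it:labs and administers the whitelist, lab managers get UPDATE,
    the front desk gets READ."""
    r = Registry.bootstrap("it", "it-admin")
    labs = r.create_stem("it-admin", "it", "labs")
    r.grant_stem_priv("it-admin", labs, "lab-director", "CREATE")
    wl = r.create_group("lab-director", labs, "whitelist")
    r.grant_group_priv("lab-director", wl, "lab-manager", "UPDATE")
    r.grant_group_priv("lab-director", wl, "front-desk", "READ")
    r.add_member("lab-manager", wl, "visitor1")
    return r
```

The point to check in any real deployment is the same as in `demo()`: a manager with UPDATE can change membership but cannot promote themselves to ADMIN, and READ holders cannot edit anything, so each delegation step hands out exactly the authority the slide describes and no more.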
26
Signet Privilege Management
• Brings privilege information together in one place -- a “Privilege Registry”
• Provides user access through a common UI, programmatic access through a common API
• Defined independent of specific vendors, systems, releases or technologies
• Provides central reporting, auditing, review
• But distributed management, control
28
Signet Overview
• Analysts define privileges in Signet in "business terms" and specify associated permissions.
• Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority.
• Signet internally maps assigned privileges into system-specific terms needed by applications.
• Privileges are exported, transformed, & provisioned into applications and infrastructure services.
• Signet provides automated lifecycle controls
29
Privileges Building Blocks
Business view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions
System view
• Permissions
  • Subject
  • Action
  • Resource
• Analysts define privileges in Signet in "business terms" and specify associated permissions.
30
Signet Components
Subsystems
• Define domains of ownership and responsibility
• Reflect real world boundaries
• Can be large or small
[Diagram: example subsystems (Financial system, Student Administration, HR system, Network access management, Research administration, Clinical resources, Subscription services) shown around Signet (Privilege Registry) and Grouper (Group Registry).]
31
Business View
Subsystems contain…
• Functions: The things a person can do; what they are getting privileges for.
• Categories: Provide useful arrangement of functions within a subsystem; for reporting, ease of use.
• Scope: Organizational hierarchy governing distributed delegation.
• Limits: Qualifiers, constraints for a privilege.
32
Business View
[Diagram: subsystems, categories (organizing actions), functions and limits]
Subsystem: Clinical Trial
  Category: Protocol A
    Functions: Patient Records, Materials Control, Manage Grant
  Category: Admin
    Functions: Lab Access
Subsystem: Student Admin
  Category: Course Support
    Functions: Add/Drop students, Schedule Classes
  Category: Financial Aid
    Functions: Process Applicants, Award Scholarships, Manage Accounts
Limits (examples): Which term, From Fund…, Read/Write, Hours, For school…, For fund…, Which campus, Qty/day, $ constraints
33
Signet User Interface
• Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.
34
Systems View
Permissions
• Atomic units of control that map to specific access rules in systems.
• Include limits that must be evaluated when interpreting permissions.
Resources
• The target of a specific privilege; things that have access rules to control their use.
• Signet internally maps assigned privileges into system-specific terms needed by applications.
35
Business View Permissions
[Diagram: the Student Admin business view mapped to resources and permissions]
Business view (Student Admin)
  Category: Course Support
    Functions: Add/Drop students, Schedule Classes
  Category: Financial Aid
    Functions: Process Applicants, Award Scholarships, Manage Accounts
Resources: Calendar, Course, Facilities, Financial, Student
Permissions: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room
36
Systems Integration
• Toolkit interface
  • Privileges document
    • XML representation of privileges for an individual or group.
    • Compatible with SAML and XACML representations of Subjects and Access Rules.
• Integration
  • Site-specific
  • Provisioning connectors
  • LDAP access
• Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services.
37
Privileges Document
<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject id="[email protected]" xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectType>person</subj:SubjectType>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Permission subsystem="biomed" id="patient-record-access">
    <Limit id="protocol">
      <LimitValue>2005-formula-a</LimitValue>
      <LimitValue>2005-formula-b</LimitValue>
    </Limit>
  </Permission>
  <Permission subsystem="biomed" id="approve-requisitions">
    <Limit id="spending-limit">
      <LimitValue>none</LimitValue>
    </Limit>
  </Permission>
</Privileges>
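A parser for the Privileges document format shown above, with the check a policy enforcement point would run against it, as an added example (this is not Signet's toolkit). The embedded document is a constructed copy of the slide's example with a made-up subject id. The parser verifies the root element's namespace so that an unrelated XML file handed to a connector cannot be mistaken for a grant; the check requires the request to satisfy every Limit carried by the matching Permission, so a permission that is qualified by protocol can never be exercised without naming one. What the value `none` means for a spending limit is left to the subsystem and is not interpreted here.

```python
"""Added example, not Signet code: parse a Privileges document and enforce it."""
from dataclasses import dataclass
from xml.etree import ElementTree as ET

NS = {
    "s": "http://middleware.internet2.edu/signet",
    "subj": "http://middleware.internet2.edu/subject",
}

# Constructed sample: the slide's document with a made-up subject id.
SAMPLE = """<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject id="jpoole" xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectType>person</subj:SubjectType>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Permission subsystem="biomed" id="patient-record-access">
    <Limit id="protocol">
      <LimitValue>2005-formula-a</LimitValue>
      <LimitValue>2005-formula-b</LimitValue>
    </Limit>
  </Permission>
  <Permission subsystem="biomed" id="approve-requisitions">
    <Limit id="spending-limit">
      <LimitValue>none</LimitValue>
    </Limit>
  </Permission>
</Privileges>"""


@dataclass(frozen=True)
class Permission:
    subsystem: str
    id: str
    limits: dict          # limit id -> tuple of the LimitValue strings provisioned


def parse_privileges(xml_text: str):
    """Return (subject, [Permission, ...]) for one Privileges document.
    Refuses anything whose root is not a Signet Privileges element."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['s']}}}Privileges":
        raise ValueError(f"not a Privileges document: {root.tag}")
    subj = root.find("subj:Subject", NS)
    if subj is None or not subj.get("id"):
        raise ValueError("Privileges document carries no Subject id")
    subject = {
        "id": subj.get("id"),
        "type": subj.findtext("subj:SubjectType", namespaces=NS),
        "name": subj.findtext("subj:SubjectName", namespaces=NS),
    }
    perms = []
    for p in root.findall("s:Permission", NS):
        limits = {}
        for lim in p.findall("s:Limit", NS):
            values = tuple((v.text or "").strip() for v in lim.findall("s:LimitValue", NS))
            limits[lim.get("id")] = values
        perms.append(Permission(p.get("subsystem"), p.get("id"), limits))
    return subject, perms


def permitted(perms, subsystem: str, perm_id: str, request_limits=None) -> bool:
    """PEP check: the permission must be present for this subsystem, and for
    every Limit it carries the request must supply one of the provisioned
    values. A request that omits a limit the grant qualifies is denied, so a
    caller cannot sidestep the protocol restriction by not naming a protocol."""
    request_limits = request_limits or {}
    for p in perms:
        if p.subsystem == subsystem and p.id == perm_id:
            return all(request_limits.get(limit_id) in values
                       for limit_id, values in p.limits.items())
    return False


if __name__ == "__main__":
    who, granted = parse_privileges(SAMPLE)
    print(who)
    for p in granted:
        print(p.subsystem, p.id, p.limits)
```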
38
Provisioning Permissions into Applications (connectors)
[Diagram: a Privileges document (Subject plus Permission elements), or the API, carries the Student Admin permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) for the resources Calendar, Course, Facilities, Financial and Student through connectors into the applications: Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student.]
39
Provisioning Permissions into Infrastructure (LDAP)
[Diagram: the same permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) for the resources Calendar, Course, Facilities, Financial and Student are written to the Directory as eduPersonEntitlement values, from which the applications (Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student) read them.]
40
Privileges Lifecycle
Conditions
• Provide automatic revocation of privileges
• Date controls -- from date, until date
• Based on person's status, affiliation, etc., e.g., as long as person is at Stanford
Prerequisites
• Pre-conditions that must be met to activate privileges, e.g., training
• Signet provides automated lifecycle controls
41
Other features
Assignments can be
• To an individual
• To a Group
• With/without ability to further delegate
• Distributed delegation using organizational hierarchy
• Records "chain of command"
Proxy assignment
• Temporary granting of one's privilege to another
42
Privilege Elements by Example
By authority of the Dean (grantor)
principal investigators (grantee: group/role)
who have completed training (prerequisite)
can approve purchases (function)
in the School of Medicine (scope)
for research projects (resource)
up to $100,000 (limit)
until January 1, 2006, as long as a faculty member at… (conditions; privilege lifecycle)
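The privilege on this slide, evaluated with the lifecycle controls of the "Privileges Lifecycle" slide (date window, affiliation condition, training prerequisite) and the delegation features of "Other features" (with/without ability to further delegate, recorded chain of command), as an added example that is not Signet code. The people, the org-hierarchy path used for scope, and the rule that a delegate may only narrow the limit and scope of what they hold are constructed assumptions; the slides say delegation follows the organizational hierarchy but do not state that rule.

```python
"""Added example, not Signet code: one privilege assignment with lifecycle
conditions, a prerequisite, a limit, scope, and narrowing-only delegation."""
from dataclasses import dataclass, replace
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Assignment:
    grantor: str
    grantee: str                      # an individual, or a group/role name
    function: str                     # "approve purchases"
    scope: str                        # org-hierarchy path, ':'-separated (assumption)
    resource: str
    max_amount: Optional[int]         # limit; None means no dollar limit
    until: Optional[date]             # condition: date control
    while_affiliated: Optional[str]   # condition: e.g. "faculty"
    prerequisites: frozenset          # e.g. {"purchasing-training"}
    can_delegate: bool
    chain: tuple                      # recorded chain of command, grantor first


@dataclass(frozen=True)
class Person:
    id: str
    roles: frozenset          # groups the person resolves into
    affiliations: frozenset
    completed: frozenset      # training and other prerequisites met


def in_scope(assigned: str, requested: str) -> bool:
    """A request is in scope at or below the assigned org node."""
    return requested == assigned or requested.startswith(assigned + ":")


def evaluate(a: Assignment, p: Person, *, amount: int, scope: str,
             resource: str, today: date):
    """Return (decision, reason); the first failing control is named so the
    audit record says why a request was refused."""
    if a.grantee != p.id and a.grantee not in p.roles:
        return False, "not the grantee"
    if a.until is not None and today >= a.until:
        return False, "expired"
    if a.while_affiliated and a.while_affiliated not in p.affiliations:
        return False, f"condition failed: no longer {a.while_affiliated}"
    missing = a.prerequisites - p.completed
    if missing:
        return False, f"prerequisite not met: {sorted(missing)}"
    if not in_scope(a.scope, scope) or resource != a.resource:
        return False, "out of scope"
    if a.max_amount is not None and amount > a.max_amount:
        return False, f"over limit {a.max_amount}"
    return True, "approved under authority of " + " -> ".join(a.chain)


def delegate(a: Assignment, by: Person, to: str, *, max_amount=None,
             scope=None, can_delegate=False) -> Assignment:
    """Distributed delegation: only a holder of the assignment may pass it on,
    only if it was granted with the ability to delegate, and only narrower
    (assumption: a delegate cannot exceed the delegator's limit or scope).
    The chain of command is extended by the delegator."""
    if a.grantee != by.id and a.grantee not in by.roles:
        raise PermissionError(f"{by.id} does not hold {a.function}")
    if not a.can_delegate:
        raise PermissionError(f"{by.id} may not further delegate {a.function}")
    new_amount = a.max_amount if max_amount is None else max_amount
    new_scope = a.scope if scope is None else scope
    if a.max_amount is not None and new_amount > a.max_amount:
        raise ValueError("delegated limit exceeds delegator's limit")
    if not in_scope(a.scope, new_scope):
        raise ValueError("delegated scope lies outside delegator's scope")
    return replace(a, grantor=by.id, grantee=to, max_amount=new_amount,
                   scope=new_scope, can_delegate=can_delegate,
                   chain=a.chain + (by.id,))


def delegation_refused(*args, **kwargs) -> bool:
    """True if delegate() rejects the attempt (for checking negative cases)."""
    try:
        delegate(*args, **kwargs)
    except (PermissionError, ValueError):
        return True
    return False


# The slide's privilege, as constructed data (scope path and people are made up).
DEAN_GRANT = Assignment(
    grantor="dean", grantee="principal-investigators",
    function="approve purchases", scope="som", resource="research projects",
    max_amount=100_000, until=date(2006, 1, 1), while_affiliated="faculty",
    prerequisites=frozenset({"purchasing-training"}), can_delegate=True,
    chain=("dean",),
)
PAT = Person("pat", roles=frozenset({"principal-investigators"}),
             affiliations=frozenset({"faculty"}),
             completed=frozenset({"purchasing-training"}))

if __name__ == "__main__":
    print(evaluate(DEAN_GRANT, PAT, amount=50_000, scope="som:pathology",
                   resource="research projects", today=date(2005, 10, 1)))
```

Because the affiliation condition and the date window are re-checked on every decision rather than once at assignment time, the privilege lapses automatically when the person leaves or the date passes, which is the automatic revocation the lifecycle slide describes.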
43
Subject API: Site IAM Integration Requirements
• Subject - a person, group, application, or other type of object whose identity is managed by your IAM system
• Abstract the underlying technology and data model from a relying application
• Enable alternate identifier namespaces to be selected to match application needs
  • Username vs. opaque registryID vs. …
• Scenarios
  • Map authenticated user to internal security principal
  • Reference/search objects within application
44
Subject API: Integration with Site's IAM
45
Subject API: More Info
• Subject and Source interface specs are at v0.1 – they may yet change
  • Searching
  • Some per-subjectType methods?
• JDBC source adapter is included now, JNDI source adapter will be provided in a subsequent release
• Grouper includes a GroupSourceAdapter that is a provider of 'group' subjectTypes from the Groups Registry
• Subject API will not support the Join function
46
Signet & Grouper Roadmaps
• Now available
  • Grouper v0.6. Basic group management, full GUI
  • Demo release of Signet v0.5 toolkit and UI
• Signet Roadmap
  • v0.6, early October 2005 – designated drivers, history
  • v1.0, late November 2005 – lifecycle conditions, XML
  • v1.x Toolkit / API release
• Grouper Roadmap
  • v0.9, mid-November 2005 – internal refactoring, some enhancement
  • v1.0, mid-January 2006 – compound groups
  • v1.1, mid-March 2006 – group & membership aging
47
Resources & Participation
• Grouper
  • team: University of Chicago & University of Bristol
  • http://middleware.internet2.edu/dir/groups/grouper/
• Signet
  • team: Stanford University
  • http://middleware.internet2.edu/signet/
• Internet2 Middleware Initiative
  • http://middleware.internet2.edu/
  • Documents, tarballs, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions