Grouper attributes and privileges: FUTURE features in Internet2 MACE Grouper
June 2009, Chris Hyzer, University of Pennsylvania, Internet2


Page 1: Title slide. Grouper attributes and privileges: FUTURE features in Internet2 MACE Grouper. June 2009. Chris Hyzer, University of Pennsylvania, Internet2.

Page 2: Introduction

- Grouper is an Internet2 open-source funded product
  – 5+ years old
  – Java, multi-platform, database vendor agnostic
- The UPCOMING (fall 2009) 1.5 release will have more access management features
  – Many features discussed in this presentation are not implemented, the design is not final, and the timeline for the features is not decided!
  – If you have a use case that needs features, let the grouper-dev list know
  – Implementation has started
- Attribute framework including privileges and roles
- This talk will outline some potential features of this enhancement

Page 3: Penn's Grouper architecture (architecture diagram only; the slide carries no text)

Page 4: Attribute framework

- Define attributes in a namespace (organize and delegate)
  – E.g. penn:apps:payroll:schools:engineeringSchool
  – Attributes have: uuid, system name, display name, description
- Assign attributes to groups, memberships, subjects, stems, or other attributes
  – E.g. user John Smith, while in the payrollUsers role, can read engineering school data (in the payroll system)
- Allow fields/actions/verbs
  – In the above example, there might be "read" or "write"
- An attribute could have a value (text, numeric, timestamp)
  – E.g. user Jim in the ptoUsers role has the attribute proxyFor 12345678
- Attributes could be multivalued
  – E.g. proxyFor 12345678 and 12345679

Page 5: Two attribute security strategies available

- Inherit from object (e.g. can read attribute if can read Group)
- Custom (similar to how Grouper secures memberships): only certain subjects (people, systems, groups) can:
  – Create new attributes
  – Admin (edit / delete) attributes
  – View that attributes exist
  – Read attribute assignments
  – Update (add/edit/delete) attribute assignments/values
  – Optin to an attribute assignment
  – Optout of an attribute assignment

Page 6: Effective attributes (indirect)

- Attributes could be in an attribute set, where an assignment to the parent implies assignment to the descendants
  – E.g. if I can read English data, I can read English201 data
- Role hierarchies
  – E.g. if I am a senior loan administrator, I can do everything a normal loan administrator can do, and more
- Effective group memberships
  – If a privilege is assigned to the IT department role, and Steven Jones is in the org123 group, which is in the org12 group, which is in the IT department role, then Steven Jones effectively has the privilege

Page 7: Metadata for organizing and user interfaces

- Limit permission use
  – E.g. permissions in penn:apps:payroll:orgs:% can only be assigned to memberships in roles: penn:apps:payroll:roles:%
- Formatting and validation on attribute values
  – E.g. timestamps are stored as ints, but displayed with this mask: dd-Mon-yyyy, and must be between now and 10 years from now
- Enabled or disabled dates on memberships and attributes
- Meta attributes could be used as limits for privileges
  – E.g. approve if amount is less than $50,000
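As an added example (not code from this deck or from Grouper itself), a small Python model of the resolution described on pages 6 and 7: attribute sets and role hierarchies where the parent implies its descendants, nested group memberships, a disabled date on an assignment and an amount limit, combined into one decision point of the "does A have read on payroll data?" kind. All names, groups, attributes and values are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample data and names (not Grouper's API) modelling this deck's design:
# parent-implies-descendant attribute sets and role hierarchies, nested group
# membership, a disabled date on an assignment and an amount limit on a privilege.
@dataclass
class Permission:
    role: str                         # role the permission is assigned to
    attr: str                         # attribute, e.g. penn:apps:payroll:data:English
    action: str                       # field/action/verb: read, write, approve ...
    enabled_until: date = date.max    # assignment is disabled after this date
    amount_limit: Optional[float] = None  # "approve if amount is less than ..."

# parent -> direct children: an assignment to the parent implies the children
ATTR_SET = {"penn:apps:payroll:data:English": {"penn:apps:payroll:data:English201"}}
ROLE_SET = {"payroll:seniorLoanAdmin": {"payroll:loanAdmin"}}
# group or role -> direct members (subject ids or nested group names)
GROUP_MEMBERS = {"payroll:itDept": {"org12"}, "org12": {"org123"},
                 "org123": {"stevenjones"}, "payroll:seniorLoanAdmin": {"jsmith"}}
PERMISSIONS = [
    Permission("payroll:itDept", "penn:apps:payroll:data:English", "read"),
    Permission("org123", "penn:apps:payroll:data:Math", "read", date(2009, 12, 31)),
    Permission("payroll:loanAdmin", "penn:apps:payroll:loans", "approve", amount_limit=50000),
]

def implied(tree, node):  # node plus everything it transitively implies
    return {node}.union(*(implied(tree, c) for c in tree.get(node, ())))

def effective_members(group):  # flatten org123 in org12 in itDept down to subjects
    out = set()
    for m in GROUP_MEMBERS.get(group, ()):
        out |= effective_members(m) if m in GROUP_MEMBERS else {m}
    return out

def has_permission(subject, attr, action, on=None, amount=float("inf")):
    # decision point: does subject have action on attr, directly or effectively?
    on = on or date.today()
    for p in PERMISSIONS:
        if p.action != action or attr not in implied(ATTR_SET, p.attr):
            continue
        over_limit = p.amount_limit is not None and not amount < p.amount_limit
        if on > p.enabled_until or over_limit:  # disabled assignment or limit not met
            continue
        # roles above p.role in the role hierarchy (senior loan admin) grant it too
        roles = {r for r in ROLE_SET if p.role in implied(ROLE_SET, r)} | {p.role}
        if any(subject in effective_members(r) for r in roles):
            return True
    return False
```

A missing amount fails closed against a limited permission, and a disabled date is checked before membership so an expired assignment grants nothing even through a nested group.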

Page 8: Leverage existing (and future) Grouper features

- Web based J2EE user interface
- SOAP / REST web services (lite or batched)
  – Including a decision point: does A have read on payroll data for org123?
- Command line administrator tool: GSH
- Command line client tool / library: Grouper client
- Auditing (user auditing and point in time)
- Change log / notifications: incremental provisioning out of Grouper
- LDAP provisioning
- Hooks infrastructure for customizations
- Subject API
- Composite groups
  – E.g. if not active employee anymore, remove privs
  – Whitelist / blacklist
- Dynamic groups: maintained by grouperLoader