Introduction to Grouper

Upload: chaney

Post on 25-Feb-2016


DESCRIPTION

Introduction to Grouper (PowerPoint PPT presentation).

TRANSCRIPT

Page 1: Introduction to Grouper

Introduction to Grouper

Page 2: Introduction to Grouper

Grouper story

• Open source, community-driven project of the Internet2 Middleware Initiative
• Initial release v0.5 in December 2004
• Grouper originally focused on robust management of groups, emphasizing:
  • Delegation and distributed management
  • Integration with most any existing IdM infrastructure. See case studies and campus contributions at: https://spaces.internet2.edu/display/Grouper/Community+Contributions
• Grouper v2.0 provides a broader set of access management capabilities, including roles & permissions
  • Released 6 September 2011

October 2011

Page 3: Introduction to Grouper

Access management is a process: making authZ more than authN

1. Start out using a single user attribute, affiliation, in LDAP or AD to let applications implement access policies
2. Enrich centralized access management using groups determined from systems of record
   • Courses, financial accounts, departments
   • Define service-specific access policies in the central IAM system
3. Get central IT out of the loop
   • Distributed management
   • Exceptions
   • Departmental apps
4. Increase integration of access management
   • Direct application integration with web services
   • ESB/SOA, REST/SOAP
   • Roles & privileges to support applications more deeply

Page 4: Introduction to Grouper

Grouper: core concepts

(diagram) Folders in hierarchies; Group with direct members; Subgroup, whose members are indirect members of the containing group; Composite groups built from other groups (shown as a union, ∪)

Page 5: Introduction to Grouper

Security & delegation in Grouper

(diagram) Privileges on folders:
• Create groups
• Create subfolders

Privileges on groups:
• Admin
• Update membership
• Read membership
• View group
• Opt-in
• Opt-out

Delegation

Page 6: Introduction to Grouper

Beyond groups

(diagram) Attributes, Roles, Permissions; Attribute definition; Permission definition; Role inheritance

Delegation model extends that for Groups

Page 7: Introduction to Grouper

• Membership start & end times (optional)• Move or copy folders, groups, etc• User audit• Point in time audit• Rules

7 October 2011

Access management lifecycle support

Page 8: Introduction to Grouper

Grouper components as of v2.0

(component diagram) Labels recoverable from the slide, grouped:
• Grouper core: Java API, Rules, Audit, External users, Changelog; Grouper Shell (gsh%, XML script); Grouper Database; Web Services (SOAP, REST); UIs for membership, attributes, roles & permissions, admin, invitation
• Inputs: Systems of Record via the Grouper Loader; Subject API with JNDI Source Adapter and JDBC Source Adapter; Identity Management (SPML)
• Outputs and integration: LDAP Provisioning Connector to LDAP/AD (Persons, Orgs); Shibboleth IdP (SAML); Grouper Client used by applications (An Application, Another); Real-Time change notification over XMPP/HTTPS to an ESB and the Grouper Data Connector; Atlassian Connector and Kuali Connector (REST) to Atlassian and Kuali Rice

Page 9: Introduction to Grouper

New and improved in Grouper v2.0

Feature: Description
• Rules: Execute built-in actions and expression language to add business logic to Grouper actions
• Attribute and Permissions UIs: Ajax-y UIs to define, view, and assign attributes and permissions
• Permission Disallow: To manage inheritance of permissions via Role, Resource, or Action hierarchies
• Permission Limits: Built-in Policy Decision Point that combines run-time context with permissions to produce Allow/Deny
• Point in Time Audit: Query Grouper's state at a previous time
• External Subjects: Invitation processes leverage federation to let external Subjects be given group memberships and permissions
• Syncing Groupers: Federate groups between two Groupers
• Member Search & Sort: Selective Subject attribute caching for improved sorting and searching capability and speed
• LdappcNG enhancement: Improved performance through caching

Page 10: Introduction to Grouper

Tom Barton's UChicago group memberships

June 2011

Page 11: Introduction to Grouper

Memberships become LDAP attributes

LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu:

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucIsMemberOf: uc:org:nsit:integration:techag
ucIsMemberOf: uc:org:nsit:srdirs
ucIsMemberOf: uc:org:nsit:integration:iteco:wr
ucIsMemberOf: uc:applications:confluence:NSIT:esx
ucIsMemberOf: uc:org:nsit:integration:iteco:rd
ucIsMemberOf: uc:applications:confluence:NSIT:Directors
ucIsMemberOf: uc:org:nsit:staff
ucIsMemberOf: uc:applications:confluence:NSIT:Everyone
ucIsMemberOf: uc:org:nsit:integration:shib_group
ucIsMemberOf: uc:applications:bulkmail:users
ucIsMemberOf: uc:org:library:gnet:admins
ucIsMemberOf: uc:applications:gnetid:admins
ucIsMemberOf: uc:applications:wireless:authorized
ucIsMemberOf: uc:applications:cmail:users:authorized
ucIsMemberOf: uc:reference:affiliations:effective:staff

Call-outs on the slide highlight three ucIsMemberOf values: uc:org:nsit:srdirs, uc:reference:affiliations:effective:staff and uc:applications:vpn:authorized.

Page 12: Introduction to Grouper

UChicago VPN simple delegation example

Different groups, different authorities. VPN only uses "vpn:authorized".

(diagram) vpn:authorized = eligible minus denied. The eligible side lists student, staff, alum, hospital, postdoc and IRB; the denied side lists closure and locked. Authorities shown: Core business systems, IRB Office, IT Security Team, IdM system.
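The following is an added illustration, not Grouper's own code or API, that ties together the core concepts slide (direct members, subgroups, indirect members, composite groups), the security & delegation slide (privileges on groups), the "memberships become LDAP attributes" slide and this VPN example. It models a tiny registry in which a composite group is computed as eligible minus denied, privileges can be held by a group so that an admin can delegate membership updates to another team, and a subject's effective memberships are rendered as ucIsMemberOf values. The group and attribute names come from the slides; the subject ids, the exact composite definitions and the privilege assignments are constructed assumptions.

```python
"""Toy model of Grouper-style group resolution, delegation and LDAP rendering.

Added example, not Grouper's code. Group names and the ucIsMemberOf attribute
follow the slides; subjects, members and privilege grants are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Privileges on a group, as listed on the "Security & delegation" slide.
GROUP_PRIVILEGES = {"admin", "update", "read", "view", "optin", "optout"}


@dataclass
class Group:
    name: str                                    # e.g. "uc:applications:vpn:authorized"
    members: set = field(default_factory=set)    # direct members: subject ids or group names
    # composite: (operator, left_group, right_group), operator in union/intersection/minus
    composite: Optional[tuple] = None
    # privilege -> holders (subject ids or group names). A holder that is a group
    # is resolved through effective membership; that is what lets an admin hand
    # "update" on a group to a departmental team instead of to central IT.
    privileges: dict = field(default_factory=dict)


class Registry:
    def __init__(self):
        self.groups = {}

    def add(self, group):
        self.groups[group.name] = group
        return group

    def effective_members(self, name, seen=None):
        """Direct members plus indirect members via subgroups and composites."""
        seen = seen or set()
        if name in seen:                 # guard against membership cycles
            return set()
        seen = seen | {name}
        g = self.groups[name]
        result = set()
        if g.composite:
            op, left, right = g.composite
            l = self.effective_members(left, seen)
            r = self.effective_members(right, seen)
            result = {"union": l | r, "intersection": l & r, "minus": l - r}[op]
        for m in g.members:
            if m in self.groups:         # subgroup: its members are indirect members here
                result |= self.effective_members(m, seen)
            else:
                result.add(m)
        return result

    def has_privilege(self, subject, group_name, priv):
        """True if subject holds priv directly or through a group that holds it."""
        assert priv in GROUP_PRIVILEGES
        for holder in self.groups[group_name].privileges.get(priv, set()):
            if holder == subject:
                return True
            if holder in self.groups and subject in self.effective_members(holder):
                return True
        return False

    def memberships_of(self, subject):
        """All groups the subject is an effective member of, sorted by name."""
        return sorted(n for n in self.groups if subject in self.effective_members(n))

    def ldif_entry(self, subject, dn_template="uid={uid},ou=people,dc=uchicago,dc=edu"):
        """Render memberships as a multi-valued ucIsMemberOf attribute (LDIF text)."""
        lines = ["dn: " + dn_template.format(uid=subject)]
        lines += ["ucIsMemberOf: " + n for n in self.memberships_of(subject)]
        return "\n".join(lines)


def build_vpn_example():
    """Constructed VPN scenario: authorized = eligible minus denied."""
    r = Registry()
    # Affiliation groups fed from systems of record (constructed members).
    r.add(Group("uc:reference:affiliations:effective:staff", {"tbarton", "jdoe"}))
    r.add(Group("uc:reference:affiliations:effective:student", {"asmith"}))
    r.add(Group("uc:reference:affiliations:effective:alum", {"bjones"}))
    # 'eligible' holds the affiliation groups as subgroups (union by nesting).
    r.add(Group("uc:applications:vpn:eligible",
                {"uc:reference:affiliations:effective:staff",
                 "uc:reference:affiliations:effective:student",
                 "uc:reference:affiliations:effective:alum"}))
    # 'locked' and 'denied' are owned by a different authority (security team).
    r.add(Group("uc:applications:vpn:locked", {"bjones"}))
    r.add(Group("uc:applications:vpn:denied", {"uc:applications:vpn:locked"}))
    # The only group the VPN reads: a composite, eligible minus denied.
    r.add(Group("uc:applications:vpn:authorized",
                composite=("minus", "uc:applications:vpn:eligible",
                           "uc:applications:vpn:denied")))
    # Delegation: 'update' and 'read' on 'locked' granted to a team group.
    r.add(Group("uc:org:itsecurity:team", {"jdoe"}))
    r.groups["uc:applications:vpn:locked"].privileges = {
        "update": {"uc:org:itsecurity:team"}, "read": {"uc:org:itsecurity:team"}}
    return r


if __name__ == "__main__":
    reg = build_vpn_example()
    print(reg.ldif_entry("tbarton"))
```

Because the security team holds only "update" and "read" on the locked group, its members can lock a user out of the VPN but cannot grant privileges on that group; and because the VPN consumes only the composite, a change by either authority shows up in the single ucIsMemberOf value the VPN checks.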

Page 13: Introduction to Grouper

UChicago applications managed by Grouper, so far

aams, Ad Astra, Bulkmail, Business Objects Enterprise, Chalk, CityRyde, Cmail, cnet, Confluence, Directory Administration, dmca, Facilities SIMS, gnetid, grouper, im, isx, IT Ecosystem, Lab School, LDAP lists, Mail Forwarding, Microsoft Exchange, modem pool, myUChicago, online directory, password expiration, rt, Service Now, shibboleth, Statements portlet, SVN, tank, UC Groups, unifiedcomm, uPoV Monitor, versions, voip, vpn, web hosting, webproxy, Webshare, webspace, wireless

Page 14: Introduction to Grouper
