Using Signet and Grouper for Access Management
Tom Barton, University of Chicago
Lynn McRae, Stanford University
Identity & Access Management Reality
• Each person’s online activities are shaped by many Sources of Authority (SoAs)
  • Resource managers
  • Program/activity heads
  • Other policy-making bodies
  • Self
• Common middleware infrastructure should be operated centrally
  • So that departments/programs/activities are not obliged to build their own core middleware
• Management of the information it conveys should be distributed
  • Hook up all of those SoAs to the middleware
Connecting SoAs, Integrating with Existing Infrastructure
[Diagram slide; no text content]
Relative Roles of Signet & Grouper
RBAC model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups
Nutshell Description of Grouper
• A mix of manual and automated processes manages a common Group Registry
  • Many sources of authority are reflected in group memberships
• Automated processes provision info from the Group Registry into LDAP, AD, directly into app-specific databases, or …
  • Wherever the value of the info warrants spending the resources to place it there
• Group management authority is delegatable
Grouper Groups
• Attributes of groups
  • Names: name, displayName, guid
  • Description
  • Members
  • The set of attributes can be extended to support groups with more specific purposes
• Subgroups, compound groups, and aging
• Stored in an RDBMS, the Group Registry
Grouper Namespaces
• Groups are created within namespaces
  • Scopes the authority to create and name groups
  • Supports distinct activities with their own authority
• Namespaces can be arranged hierarchically
  it          all central IT activities
  it:labs     manage computer labs
  bsd         all Bio Sci Division activities
  bsd:peds    Pediatrics resource access
Example: Groups for Lab Access
it:labs:eligible (manual), with member groups:
  it:labs:whitelist (manual)
  uc:faculty (auto)
  uc:staff (auto)
  categories of entitled students (auto)
  time-dependent student categories (auto)
it:labs:barred (manual), with member groups:
  it:labs:blacklist (manual)
  categories of barred students (auto)
Allow access if “eligible” but not “barred”
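The lab-access structure above, worked as an added example: a small model of nested manual/auto groups, a time-dependent (aging) category, and the compound "eligible but not barred" rule. This is illustration code written for this page, not Grouper's own API; the group names follow the slide, while the subject ids and the expiry date are constructed.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Group:
    name: str                                      # e.g. "it:labs:eligible"
    members: set = field(default_factory=set)      # direct member subject ids
    subgroups: list = field(default_factory=list)  # nested Group objects
    expires: dict = field(default_factory=dict)    # aging: subject id -> last valid day

    def effective_members(self, today: date) -> set:
        """Direct, unexpired members plus the effective members of every subgroup."""
        active = {m for m in self.members
                  if m not in self.expires or self.expires[m] >= today}
        for sub in self.subgroups:
            active |= sub.effective_members(today)
        return active


def build_lab_groups():
    """Constructed sample registry mirroring the slide's structure (ids are made up)."""
    faculty = Group("uc:faculty", {"prof1"})                     # auto, from HR
    staff = Group("uc:staff", {"admin1"})                        # auto, from HR
    entitled = Group("uc:students:entitled", {"stu1", "stu2"})   # auto, from SIS
    summer = Group("uc:students:summer", {"stu3"},               # time-dependent category
                   expires={"stu3": date(2005, 8, 31)})
    whitelist = Group("it:labs:whitelist", {"guest1"})           # manual
    eligible = Group("it:labs:eligible",
                     subgroups=[whitelist, faculty, staff, entitled, summer])
    blacklist = Group("it:labs:blacklist", {"stu2"})             # manual
    barred_cat = Group("uc:students:barred", {"stu4"})           # auto
    barred = Group("it:labs:barred", subgroups=[blacklist, barred_cat])
    return eligible, barred


def lab_access_allowed(subject: str, eligible: Group, barred: Group, today: date) -> bool:
    """Compound-group rule from the slide: allow if eligible AND NOT barred."""
    return (subject in eligible.effective_members(today)
            and subject not in barred.effective_members(today))


def decisions_on(day_iso: str) -> dict:
    """Access decision for every known subject on the given day (ISO date string)."""
    eligible, barred = build_lab_groups()
    today = date.fromisoformat(day_iso)
    everyone = eligible.effective_members(date.min) | barred.effective_members(date.min)
    return {who: lab_access_allowed(who, eligible, barred, today) for who in sorted(everyone)}
```

Note that stu2 is in an auto-fed entitled category yet is denied because the manual blacklist wins, and stu3 loses access once the time-dependent category expires.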
Data Flow & Grouper Roles in Computer Lab Access
[Diagram showing: SIS and HR feeds, Loaders, Person Registry, Group Registry, Grouper API, Grouper UI, Lab Director, Lab Managers, on-site lab staff, and LDAP entries carrying uid (e.g. jdoe), ucAffiliation and isMemberOf attributes]
Grouper’s Privileges
• Access privileges
  • Who has what access (read, write) to a group’s attributes
• Naming privileges
  • Who can create a group in each namespace
  • Who can create a new namespace subordinate to an existing one
• Privilege interfaces are abstracted
  • Can use an external privilege management system, like Signet
  • Grouper’s built-in privilege management
    • Subgroups, compound groups, and aging can be used to manage privileges with the built-in capability
Four Ways to Delegate Group Management
• Create a group and assign someone to manage its membership
• Create a group and assign someone to manage who manages the group’s membership and who can see what about the group
• Create a namespace and assign someone to manage who can create groups within it
• Allow Self to opt-in or opt-out of membership
Representing Membership in Operational Contexts
• Standards for the I2MI community
  • LDAP, SAML/Shibboleth: isMemberOf
  • LDAP: hasMember
  • Preserving privacy/visibility
  • Representing access privileges in, e.g., LDAP
• Desirable local standards
  • Naming of groups & namespaces
  • Privacy classes
• Incremental update and referential integrity
Signet Overview
• Analysts define privileges in Signet in “business terms” and specify associated permissions.
• Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority.
• Signet internally maps assigned privileges into system-specific terms needed by applications.
• Privileges are exported, transformed, and provisioned into applications and infrastructure services.
Privileges Building Blocks
Business view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions
System view
• Permissions
  • Subject
  • Action
  • Resource
• Analysts define privileges in Signet in “business terms” and specify associated permissions.
Signet Components: Subsystems
• Define domains of ownership and responsibility
• Reflect real-world boundaries
• Can be large or small
Example subsystems: Financial system, Student Administration, HR system, Network address plan management, Network access management, Research administration, Clinical resources, Person Registry, Signet (Privilege Registry), Grouper (Group Registry)
Business View
Subsystems contain…
• Functions: the things a person can do; what they are getting privileges for.
• Categories: a useful arrangement of functions within a subsystem, for reporting and ease of use.
• Limits: qualifiers and constraints for a privilege.
• Scope: the organizational hierarchy governing distributed delegation.
Business View (example)
[Diagram of subsystems, categories and functions, with categories organizing actions: Clinical Trial Protocol A (Patient Records, Materials Control, Manage Grant, Lab Access, Administration) and Student Admin (Course Support, Financial Aid; Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts). Example limits: Which term, From Fund…, Read/Write, Hours, For school…, For fund…, Which campus, Qty/day, $ constraints]
Signet User Interface
• Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.
Systems View
Permissions
• Atomic units of control that map to specific access rules in systems.
• Include limits that must be evaluated when interpreting permissions.
Resources
• The target of a specific privilege; things that have access rules to control their use.
• Signet internally maps assigned privileges into system-specific terms needed by applications.
Business View Permissions
[Diagram mapping the business view of the Student Admin subsystem (Course Support: Add/Drop students, Schedule Classes; Financial Aid: Process Applicants, Award Scholarships, Manage Accounts) onto resources and permissions. Resources: Calendar, Course, Facilities, Financial, Student. Permissions: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room]
Systems Integration
Privileges document
• XML representation of privileges for an individual or group.
• Compatible with SAML and XACML representations of Subjects and Access Rules.
Integration
• Site-specific
• Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services.
Privileges Document
Signet Privileges document (not final)

<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectId>[email protected]</subj:SubjectId>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Subsystem>
    <SubsystemId>project-biox</SubsystemId>
    <Permission>
      <PermissionId>patient-record-access</PermissionId>
      <Resource>
        <ResourceId>research-records</ResourceId>
      </Resource>
      <Limit>
        <LimitId>protocol</LimitId>
        <LimitFunction>urn:oasis:names:tc:xacml:1.0:function:string-equal</LimitFunction>
        <LimitValue>2005-formula-b</LimitValue>
        <LimitValueType>http://www.w3.org/2001/XMLSchema#string</LimitValueType>
      </Limit>
    </Permission>
    <Permission>
      <PermissionId>approve-requisitions</PermissionId>
      <Resource>
        <!-- the excerpt on the slide ends here; elements closed to keep the document well-formed -->
      </Resource>
    </Permission>
  </Subsystem>
</Privileges>
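An added example (written for this page, not Signet's own code) of what a consuming application does with such a document: parse the permissions and their limits, then evaluate a request, treating the XACML function URN in LimitFunction as the comparison to apply. The sample document is constructed from the excerpt above with the Subject block omitted; the integer-less-than-or-equal entry is an assumption showing how a second XACML function would plug in.

```python
import xml.etree.ElementTree as ET

NS = "{http://middleware.internet2.edu/signet}"

# Constructed sample based on the slide's excerpt (Subject block omitted).
SAMPLE_DOC = """<Privileges xmlns="http://middleware.internet2.edu/signet">
 <Subsystem><SubsystemId>project-biox</SubsystemId>
  <Permission><PermissionId>patient-record-access</PermissionId>
   <Resource><ResourceId>research-records</ResourceId></Resource>
   <Limit><LimitId>protocol</LimitId>
    <LimitFunction>urn:oasis:names:tc:xacml:1.0:function:string-equal</LimitFunction>
    <LimitValue>2005-formula-b</LimitValue>
    <LimitValueType>http://www.w3.org/2001/XMLSchema#string</LimitValueType>
   </Limit>
  </Permission>
 </Subsystem>
</Privileges>"""

# XACML 1.0 function URNs a limit may name; an unknown function fails closed.
LIMIT_FUNCTIONS = {
    "urn:oasis:names:tc:xacml:1.0:function:string-equal":
        lambda limit, req: str(limit) == str(req),
    "urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-equal":
        lambda limit, req: int(req) <= int(limit),   # request must not exceed the limit
}

def parse_privileges(xml_text: str) -> dict:
    """Map (subsystem, permission, resource) -> list of (limit_id, function_urn, value)."""
    perms = {}
    for sub in ET.fromstring(xml_text).findall(NS + "Subsystem"):
        sid = sub.findtext(NS + "SubsystemId")
        for p in sub.findall(NS + "Permission"):
            key = (sid, p.findtext(NS + "PermissionId"),
                   p.findtext(NS + "Resource/" + NS + "ResourceId"))
            perms[key] = [(l.findtext(NS + "LimitId"), l.findtext(NS + "LimitFunction"),
                           l.findtext(NS + "LimitValue")) for l in p.findall(NS + "Limit")]
    return perms

def is_permitted(perms: dict, subsystem: str, permission: str, resource: str, request: dict) -> bool:
    """Deny by default: the permission must exist and every limit must pass."""
    limits = perms.get((subsystem, permission, resource))
    if limits is None:
        return False
    for limit_id, func_urn, limit_value in limits:
        check = LIMIT_FUNCTIONS.get(func_urn)
        if check is None or limit_id not in request or not check(limit_value, request[limit_id]):
            return False
    return True
```

A request that omits the limited attribute (no protocol named) is denied, as is one whose document names a function the consumer does not implement.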
Provisioning Permissions into Applications
[Diagram: the Privileges document (<Privileges><Subject><Permission>…) carrying the Student Admin permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) on resources Calendar, Course, Facilities, Financial and Student is provisioned into the applications Calendar, CourseWare, Financials, Reporting, Space Mgmt and Student]
Provisioning Permissions into Infrastructure
[Diagram: the same Student Admin permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) on resources Calendar, Course, Facilities, Financial and Student, provisioned into the applications Calendar, CourseWare, Financials, Reporting, Space Mgmt and Student and into the Directory as eduPersonEntitlement values]
Other features
Assignments can be
• To an individual
• To a Group
• With/without ability to further delegate
Distributed delegation using organizational hierarchy
• Records “chain of command”
Proxy assignment
• Temporary granting of one’s privilege to another
Privileges Lifecycle
Conditions
• Provide automatic revocation of privileges
• Date controls: from date, until date
• Based on a person’s status and affiliation, e.g., as long as the person is at Stanford
Prerequisites
• Pre-conditions that must be met to activate privileges, e.g., training
Privilege Elements by Example
By authority of the Dean                                  (grantor)
principal investigators                                   (grantee: group/role)
who have completed training                               (prerequisite)
can approve purchases                                     (function)
in the School of Medicine                                 (scope)
for research projects                                     (resource)
up to $100,000                                            (limit)
until January 1, 2006, as long as a faculty member at…    (conditions: privilege lifecycle)
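The privilege above, together with the lifecycle slide before it, evaluated as an added example: every element (grantee group, prerequisite, date and affiliation conditions, function, scope walked up the organizational hierarchy, resource, limit) must hold or the request is denied. This models the slide's elements and is not Signet's code; the organizational tree, the training identifier and the affiliation value are constructed.

```python
from dataclasses import dataclass
from datetime import date

# Constructed org hierarchy (unit -> parent); the scope check walks up this tree.
ORG_PARENT = {"School of Medicine": "University", "Pediatrics": "School of Medicine",
              "Law School": "University"}

def within_scope(unit, scope: str) -> bool:
    """True if `unit` is `scope` itself or sits anywhere below it."""
    while unit is not None:
        if unit == scope:
            return True
        unit = ORG_PARENT.get(unit)
    return False

@dataclass
class Privilege:
    grantor: str        # "By authority of the Dean" (recorded for the chain of command)
    grantee_group: str  # "principal investigators"
    prerequisite: str   # "who have completed training"
    function: str       # "can approve purchases"
    scope: str          # "in the School of Medicine"
    resource: str       # "for research projects"
    limit_amount: int   # "up to $100,000"
    until: date         # "until January 1, 2006"
    affiliation: str    # "as long as a faculty member at..."

DEAN_PRIV = Privilege("Dean", "principal investigators", "purchasing-training",
                      "approve purchases", "School of Medicine", "research projects",
                      100_000, date(2006, 1, 1), "faculty")

def evaluate(priv: Privilege, subject: dict, request: dict, today_iso: str) -> str:
    """Return 'permit' or the first failing element; every element must hold."""
    today = date.fromisoformat(today_iso)
    if priv.grantee_group not in subject["groups"]:
        return "deny: not in grantee group"
    if priv.prerequisite not in subject["completed"]:
        return "deny: prerequisite not met"
    if today >= priv.until:                      # date condition: automatic revocation
        return "deny: condition expired"
    if priv.affiliation not in subject["affiliations"]:
        return "deny: affiliation condition not met"
    if (request["function"], request["resource"]) != (priv.function, priv.resource):
        return "deny: function or resource not covered"
    if not within_scope(request["unit"], priv.scope):
        return "deny: outside scope"
    if request["amount"] > priv.limit_amount:
        return "deny: exceeds limit"
    return "permit"
```

The subject is a dict with "groups", "completed" and "affiliations" sets; the request carries "function", "resource", "unit" and "amount".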
Subject API
• Common application need to look up people or other types of subjects
  • To search for and present them in a UI
  • To translate between different identifiers for the same object
    • Example: between username and persistentID
• Subject API is a freestanding implementation meeting these needs. Site-configured …
  • Subject types: people & groups, and maybe applications, computers, policies, whatever
  • Sources for each site-specific subject type
  • Specific query syntax for abstract query types
Signet & Grouper Development
• Now available
  • Grouper API v0.5.5: basic group management by automation processes
  • Demo release of Signet v0.3 toolkit and UI
• June 2005
  • Grouper v0.6: initial UI release
  • Subject API: initial release
• September 2005
  • Signet: initial production-ready release
• Grouper team: U Chicago & U Bristol
• Signet team: Stanford University
Resources & Participation
• Grouper website: http://middleware.internet2.edu/dir/groups/grouper/
• Signet website: http://middleware.internet2.edu/signet/
• Internet2 Middleware Initiative: http://middleware.internet2.edu/
  • Documents, tarballs, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions