
Post on 21-Dec-2015


Introduction to Grouper

• Open source, community-driven project of the Internet2 Middleware Initiative
• Initial release v0.5 in December 2004

• Grouper originally focused on robust management of groups, emphasizing:
  • Delegation and distributed management
  • Integration with most any existing IdM infrastructure. See case studies and campus contributions at https://spaces.internet2.edu/display/Grouper/Community+Contributions
• Grouper v2.0 provides a broader set of access management capabilities, including roles & permissions
  • Released 6 September 2011

October 2011

Grouper story

1. Start out using a single user attribute, affiliation, in LDAP or AD to let applications implement access policies

2. Enrich centralized access management using groups determined from systems of record
  • Courses, financial accounts, departments
  • Define service-specific access policies in the central IAM system

3. Get central IT out of the loop
  • Distributed management
  • Exceptions
  • Departmental apps

4. Increase integration of access management
  • Direct application integration with web services
  • ESB/SOA, REST/SOAP
  • Roles & privileges to support applications more deeply


Access management is a process: making authZ more than authN


Grouper: core concepts

[Diagram: folders arranged in hierarchies; a group with direct members; a subgroup whose members are indirect members of the containing group; composite groups defined by set operations (union symbol shown).]

Security & delegation in Grouper

Folder privileges:
• Create groups
• Create subfolders

Group privileges:
• Admin
• Update membership
• Read membership
• View group
• Opt-in
• Opt-out

Delegation

Beyond groups

Attributes, roles and permissions, with attribute definitions, permission definitions and role inheritance. The delegation model extends the one used for groups.

Access management lifecycle support

• Membership start & end times (optional)
• Move or copy folders, groups, etc.
• User audit
• Point in time audit
• Rules

Grouper components as of v2.0

[Architecture diagram. Labels recovered from the slide: Grouper Database; Java API, Rules, Audit, External users, Changelog; Grouper Shell (gsh, XML script); Web Services (SOAP and REST over HTTPS); UIs for membership, attributes, roles & permissions, admin and invitation; Grouper Client; Grouper Loader; Grouper Data Connector; LDAP Provisioning Connector; Subject API with JNDI Source Adapter and JDBC Source Adapter; Atlassian Connector and Kuali (Rice) Connector; real-time change notification over XMPP, HTTPS or an ESB. Surrounding systems: an application, LDAP/AD (persons, orgs), Identity Management, Shibboleth IdP and SP (SAML), Systems of Record.]

New and improved in Grouper v2.0

Feature: Description

Rules: Execute built-in actions and expression language to add business logic to Grouper actions

Attribute and Permissions UIs: Ajax-y UIs to define, view, and assign attributes and permissions

Permission Disallow: To manage inheritance of permissions via Role, Resource, or Action hierarchies

Permission Limits: Built-in Policy Decision Point that combines run-time context with permissions to produce Allow/Deny

Point in Time Audit: Query Grouper’s state at a previous time

External Subjects: Invitation processes leverage federation to let external Subjects be given group memberships and permissions

Syncing Groupers: Federate groups between two Groupers

Member Search & Sort: Selective Subject attribute caching for improved sorting and searching capability and speed

LdappcNG enhancement: Improved performance through caching
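The feature table above describes role inheritance, permission disallow and permission limits in one sentence each. The following is an added example written for this page, not Grouper's own code or API: a small policy decision point in which permissions flow down a role hierarchy, an explicit disallow on the nearest role overrides an inherited allow, and a limit is evaluated against run-time context (client IP, hour of day) to produce Allow or Deny. The role names, resources, subjects and the limit expressions are all constructed; the slide does not show Grouper's limit syntax, so these limits are plain Python callables.

```python
"""Added example (not Grouper's code): role inheritance + disallow + limits.
Everything below (roles, resources, subjects, limit syntax) is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable
import ipaddress

# A limit is a predicate over the run-time context the PEP sends to the PDP.
Limit = Callable[[dict], bool]


@dataclass
class Role:
    name: str
    members: set[str] = field(default_factory=set)
    inherits: set[str] = field(default_factory=set)  # roles whose permissions flow into this one


@dataclass
class Assignment:
    role: str
    resource: str
    action: str
    allow: bool = True                       # False is an explicit disallow
    limits: list[Limit] = field(default_factory=list)


def ip_in(network: str) -> Limit:
    """Limit: the request must come from the given network (constructed)."""
    net = ipaddress.ip_network(network)
    return lambda ctx: ipaddress.ip_address(ctx["ip"]) in net


def hours_between(start: int, end: int) -> Limit:
    """Limit: the request hour must fall in [start, end) (constructed)."""
    return lambda ctx: start <= ctx["hour"] < end


class PDP:
    def __init__(self, roles: list[Role], assignments: list[Assignment]) -> None:
        self.roles = {r.name: r for r in roles}
        self.assignments = assignments

    def roles_of(self, subject: str) -> dict[str, int]:
        """Roles the subject effectively holds, mapped to inheritance depth (0 = held directly)."""
        depth = {r.name: 0 for r in self.roles.values() if subject in r.members}
        frontier = list(depth)
        while frontier:
            name = frontier.pop()
            for parent in self.roles[name].inherits:
                d = depth[name] + 1
                if parent not in depth or d < depth[parent]:
                    depth[parent] = d
                    frontier.append(parent)
        return depth

    def decide(self, subject: str, resource: str, action: str, ctx: dict) -> str:
        """Return "Allow" or "Deny"; default is Deny when nothing applies."""
        held = self.roles_of(subject)
        relevant = [a for a in self.assignments
                    if a.role in held and a.resource == resource and a.action == action]
        if not relevant:
            return "Deny"
        nearest = min(held[a.role] for a in relevant)
        nearest_assignments = [a for a in relevant if held[a.role] == nearest]
        if any(not a.allow for a in nearest_assignments):
            return "Deny"                    # a disallow at the nearest role wins over inherited allows
        for a in nearest_assignments:
            if all(limit(ctx) for limit in a.limits):
                return "Allow"               # an allow whose limits all pass in this context
        return "Deny"                        # allowed in principle, but a limit failed


def build_pdp() -> PDP:
    """Constructed roles and assignments for the demonstration."""
    roles = [
        Role("app:staff", members={"alice", "bob"}),
        Role("app:payroll_admin", members={"alice"}, inherits={"app:staff"}),
        Role("app:contractor", members={"carol"}, inherits={"app:staff"}),
    ]
    assignments = [
        Assignment("app:staff", "reports:summary", "read", limits=[ip_in("10.0.0.0/8")]),
        Assignment("app:payroll_admin", "payroll:run", "execute",
                   limits=[ip_in("10.0.0.0/8"), hours_between(8, 18)]),
        # contractors inherit staff permissions but are explicitly disallowed this one
        Assignment("app:contractor", "reports:summary", "read", allow=False),
    ]
    return PDP(roles, assignments)


if __name__ == "__main__":
    pdp = build_pdp()
    for subj, res, act, ctx in [
        ("alice", "reports:summary", "read", {"ip": "10.1.2.3", "hour": 10}),
        ("carol", "reports:summary", "read", {"ip": "10.1.2.3", "hour": 10}),
        ("alice", "payroll:run", "execute", {"ip": "10.1.2.3", "hour": 22}),
    ]:
        print(subj, res, act, "->", pdp.decide(subj, res, act, ctx))
```

The ordering matters for auditability: an explicit disallow placed on the role a subject holds directly beats any allow that reaches the subject through inheritance, and a limit can only narrow an allow, never widen it, so the default answer stays Deny.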

Tom Barton’s UChicago group memberships

June 2011

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucismemberof: uc:org:nsit:integration:techag
ucismemberof: uc:org:nsit:srdirs
ucismemberof: uc:org:nsit:integration:iteco:wr
ucismemberof: uc:applications:confluence:NSIT:esx
ucismemberof: uc:org:nsit:integration:iteco:rd
ucismemberof: uc:applications:confluence:NSIT:Directors
ucismemberof: uc:org:nsit:staff
ucismemberof: uc:applications:confluence:NSIT:Everyone
ucismemberof: uc:org:nsit:integration:shib_group
ucismemberof: uc:applications:bulkmail:users
ucismemberof: uc:org:library:gnet:admins
ucismemberof: uc:applications:gnetid:admins
ucismemberof: uc:applications:wireless:authorized
ucismemberof: uc:applications:cmail:users:authorized
ucismemberof: uc:reference:affiliations:effective:staff

Memberships become LDAP attributes: the LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu carries one ucIsMemberOf value per group (for example uc:org:nsit:srdirs and uc:reference:affiliations:effective:staff).

UChicago VPN simple delegation example

Different groups, different authorities.

VPN only uses “vpn:authorized”.

ucIsMemberOf: uc:applications:vpn:authorized

[Diagram labels: eligible, denied; student, staff, alum, hospital, postdoc; closure, locked, IRB; vpn:authorized. Authorities shown: Core business systems, IRB Office, IT Security Team, IdM system.]
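The two preceding slides make one point: group memberships resolved centrally (including composite groups built from groups owned by different authorities) become ucIsMemberOf attribute values, and an application such as the VPN consults only one of them. The block below is an added example written for this page, not Grouper's code or UChicago's actual configuration. It resolves effective membership through subgroups and binary composites (union, intersection, complement, as Grouper defines them), emits the attribute values a provisioner would write, and has the application check exactly one group. The group names under example: and the subjects are constructed, and the composition "eligible minus denied" is an assumption about how the slide's diagram combines its groups.

```python
"""Added example (not Grouper's code): effective membership for composite
groups, rendered as ucIsMemberOf values, consumed by a single-group check.
Group names under 'example:' and all subjects are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    direct: set[str] = field(default_factory=set)     # direct subject members
    subgroups: set[str] = field(default_factory=set)  # member groups (their members are indirect members)


@dataclass
class Composite:
    """Binary composite, as in Grouper: left OP right."""
    name: str
    op: str        # "union" | "intersection" | "complement" (left minus right)
    left: str
    right: str


class Registry:
    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}
        self.composites: dict[str, Composite] = {}

    def add(self, g: Group | Composite) -> None:
        (self.composites if isinstance(g, Composite) else self.groups)[g.name] = g

    def members(self, name: str, _seen: frozenset[str] = frozenset()) -> set[str]:
        """Effective members: direct + indirect via subgroups, or the composite result."""
        if name in _seen:                       # guard against a subgroup cycle
            return set()
        seen = _seen | {name}
        if name in self.composites:
            c = self.composites[name]
            left, right = self.members(c.left, seen), self.members(c.right, seen)
            if c.op == "union":
                return left | right
            if c.op == "intersection":
                return left & right
            if c.op == "complement":
                return left - right
            raise ValueError(f"unknown composite op {c.op!r}")
        g = self.groups[name]
        result = set(g.direct)
        for sub in g.subgroups:
            result |= self.members(sub, seen)
        return result

    def memberof_attribute(self, subject: str) -> list[str]:
        """Values a provisioner would write to the subject's ucIsMemberOf attribute."""
        names = list(self.groups) + list(self.composites)
        return sorted(n for n in names if subject in self.members(n))


def build_vpn_registry() -> Registry:
    """Constructed data modelled on the slide: vpn:authorized = eligible minus denied."""
    reg = Registry()
    # affiliation groups, fed from systems of record (constructed subjects)
    reg.add(Group("example:ref:student", {"bob"}))
    reg.add(Group("example:ref:staff", {"tbarton", "alice"}))
    reg.add(Group("example:ref:alum", {"carol"}))
    reg.add(Group("example:ref:hospital", {"dave"}))
    reg.add(Group("example:ref:postdoc", {"erin"}))
    # denial groups maintained by other authorities (assumed: IdM closure, IT security lock)
    reg.add(Group("example:vpn:closure", {"carol"}))
    reg.add(Group("example:vpn:locked", {"alice"}))
    # composites are binary, so a five-way union is a chain of unions
    reg.add(Composite("example:vpn:elig1", "union", "example:ref:student", "example:ref:staff"))
    reg.add(Composite("example:vpn:elig2", "union", "example:vpn:elig1", "example:ref:alum"))
    reg.add(Composite("example:vpn:elig3", "union", "example:vpn:elig2", "example:ref:hospital"))
    reg.add(Composite("example:vpn:eligible", "union", "example:vpn:elig3", "example:ref:postdoc"))
    reg.add(Composite("example:vpn:denied", "union", "example:vpn:closure", "example:vpn:locked"))
    reg.add(Composite("example:vpn:authorized", "complement", "example:vpn:eligible", "example:vpn:denied"))
    return reg


def vpn_allows(memberof_values: list[str]) -> bool:
    """The VPN consults exactly one group and never the affiliation groups behind it."""
    return "example:vpn:authorized" in memberof_values


if __name__ == "__main__":
    reg = build_vpn_registry()
    for subject in ["tbarton", "alice", "carol", "dave"]:
        values = reg.memberof_attribute(subject)
        print(subject, "vpn:", vpn_allows(values), "attrs:", values)
```

Because the application tests a single group, the authorities that own closure and locked can revoke VPN access without touching the affiliation data, and the VPN's own policy never has to be updated when a new eligible population is added to the composite.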

UChicago applications managed by Grouper, so far

aams

Ad Astra

Bulkmail

Business Objects Enterprise

Chalk

CityRyde

Cmail

cnet

Confluence

Directory Administration

dmca

Facilities SIMS

gnetid

grouper

im

isx

IT Ecosystem

Lab School

LDAP

lists

Mail Forwarding

Microsoft Exchange

modem pool

myUChicago

online directory

password expiration

rt

Service Now

shibboleth

Statements portlet

SVN

tank

UC Groups

unifiedcomm

uPoV Monitor

versions

voip

vpn

web hosting

webproxy

Webshare

webspace

wireless
