Introduction to Grouper

Date posted: 21-Dec-2015

Transcript
Page 1: Introduction to Grouper. Open source, community-driven project of the Internet2 Middleware Initiative Initial release v0.5 in December 2004 Grouper originally.

Introduction to Grouper

Page 2: Grouper story

• Open source, community-driven project of the Internet2 Middleware Initiative
• Initial release v0.5 in December 2004
• Grouper originally focused on robust management of groups, emphasizing:
  • Delegation and distributed management
  • Integration with most any existing IdM infrastructure. See case studies and campus contributions at: https://spaces.internet2.edu/display/Grouper/Community+Contributions
• Grouper v2.0 provides broader set of access management capabilities, including roles & permissions
  • Released 6 September 2011

October 2011

Page 3: Access management is a process: making authZ more than authN

1. Start out using a single user attribute, affiliation, in LDAP or AD to let applications implement access policies
2. Enrich centralized access management using groups determined from systems of record
   • Courses, financial accounts, departments
   • Define service specific access policies in central IAM system
3. Get central IT out of the loop
   • Distributed management
   • Exceptions
   • Departmental apps
4. Increase integration of access management
   • Direct application integration with web services
   • ESB/SOA, REST/SOAP
   • Roles & privileges to support applications more deeply

October 2011

Page 4: Grouper: core concepts

Diagram (figure not recovered); labels as shown:
• Folders in hierarchies
• Group
• Direct members
• Subgroup
• Indirect members
• Composite groups (= a set operation on other groups; the diagram shows a union)

October 2011

Page 5: Security & delegation in Grouper

Folder privileges:
• Create groups
• Create subfolders

Group privileges:
• Admin
• Update membership
• Read membership
• View group
• Opt-in
• Opt-out

Delegation

October 2011
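The two slides above (core concepts, then security & delegation) describe a data model and a privilege model without showing how they interact. The following is an added example, not Grouper's own code and not from the presenter: a small in-memory registry with folders, groups, direct members, subgroups (indirect members), composite groups, and per-group privileges that can be granted to a subject or to a group, which is what lets central IT hand a group to a department or a security team. The privilege implication chain (admin covers everything, update covers read and view, read covers view), the folder privilege names "create" and "stem", the "creator becomes admin" default, and all subject ids and group names in the scenario are assumptions for this example; the VPN composite mirrors the UChicago example later in the deck.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed implication chain: admin covers all, update covers read and view,
# read covers view. Key = privilege asked for; value = grants that satisfy it.
IMPLIED_BY = {
    "admin": {"admin"}, "update": {"admin", "update"},
    "read": {"admin", "update", "read"}, "view": {"admin", "update", "read", "view"},
    "optin": {"admin", "optin"}, "optout": {"admin", "optout"},
}


@dataclass
class Group:
    name: str                                      # full path, e.g. uc:org:nsit:staff
    direct: set[str] = field(default_factory=set)  # subject ids or subgroup names
    composite: tuple[str, str, str] | None = None  # (op, left_group, right_group)
    privs: dict[str, set[str]] = field(default_factory=dict)  # privilege -> grantees


class Registry:
    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}
        self.folder_privs: dict[str, dict[str, set[str]]] = {}  # folder -> priv -> grantees

    def grant_folder(self, folder: str, priv: str, grantee: str) -> None:
        """Folder privileges 'create' (groups) and 'stem' (subfolders); names assumed."""
        self.folder_privs.setdefault(folder, {}).setdefault(priv, set()).add(grantee)

    def _resolves(self, subject: str, grantees: set[str]) -> bool:
        # A grantee is a subject id or a group name; granting to a group is how
        # a department or security team gets to manage a group themselves.
        return any(g == subject or (g in self.groups and subject in self.members(g))
                   for g in grantees)

    def has_folder_priv(self, subject: str, folder: str, priv: str) -> bool:
        return self._resolves(subject, self.folder_privs.get(folder, {}).get(priv, set()))

    def create_group(self, actor: str, name: str, composite=None) -> Group:
        folder = name.rsplit(":", 1)[0]
        if not self.has_folder_priv(actor, folder, "create"):
            raise PermissionError(f"{actor} may not create groups in {folder}")
        g = Group(name, composite=composite)
        g.privs["admin"] = {actor}          # assumed default: creator becomes admin
        self.groups[name] = g
        return g

    def members(self, name: str, _path: tuple[str, ...] = ()) -> set[str]:
        """Effective members: direct subjects plus members of subgroups
        (indirect), or the set operation of a composite. Cycles are rejected."""
        if name in _path:
            raise ValueError(f"membership cycle through {name}")
        g, path = self.groups[name], _path + (name,)
        if g.composite:
            op, left, right = g.composite
            l, r = self.members(left, path), self.members(right, path)
            return {"union": l | r, "intersection": l & r, "complement": l - r}[op]
        out: set[str] = set()
        for m in g.direct:
            out |= self.members(m, path) if m in self.groups else {m}
        return out

    def has_priv(self, subject: str, name: str, priv: str) -> bool:
        g = self.groups[name]
        grantees = set().union(*(g.privs.get(p, set()) for p in IMPLIED_BY[priv]))
        return self._resolves(subject, grantees)

    def grant(self, actor: str, name: str, priv: str, grantee: str) -> None:
        if not self.has_priv(actor, name, "admin"):
            raise PermissionError(f"{actor} is not admin of {name}")
        self.groups[name].privs.setdefault(priv, set()).add(grantee)

    def add_member(self, actor: str, name: str, member: str) -> None:
        if not self.has_priv(actor, name, "update"):
            raise PermissionError(f"{actor} may not update {name}")
        self.groups[name].direct.add(member)


def demo() -> dict:
    """Constructed scenario with hypothetical subject ids: central IT creates the
    groups, delegates the VPN 'locked' list to the security team, and the VPN
    reads only the composite vpn:authorized = staff minus locked."""
    reg = Registry()
    for folder in ("uc:org:nsit", "uc:org:security", "uc:apps:vpn"):
        reg.grant_folder(folder, "create", "central-it")
    for name in ("uc:org:nsit:srdirs", "uc:org:nsit:staff", "uc:org:security:team", "uc:apps:vpn:locked"):
        reg.create_group("central-it", name)
    reg.create_group("central-it", "uc:apps:vpn:authorized",
                     composite=("complement", "uc:org:nsit:staff", "uc:apps:vpn:locked"))
    reg.add_member("central-it", "uc:org:nsit:srdirs", "tbarton")
    reg.add_member("central-it", "uc:org:nsit:staff", "uc:org:nsit:srdirs")  # subgroup
    reg.add_member("central-it", "uc:org:nsit:staff", "alice")
    reg.add_member("central-it", "uc:org:security:team", "sec-analyst")
    # Delegation: the security team group, not central IT, maintains 'locked'.
    reg.grant("central-it", "uc:apps:vpn:locked", "update", "uc:org:security:team")
    reg.add_member("sec-analyst", "uc:apps:vpn:locked", "alice")
    try:
        reg.add_member("sec-analyst", "uc:org:nsit:staff", "mallory")  # not delegated
        blocked = False
    except PermissionError:
        blocked = True
    locked = "uc:apps:vpn:locked"
    return {
        "staff": reg.members("uc:org:nsit:staff"),
        "vpn_authorized": reg.members("uc:apps:vpn:authorized"),
        "sec_can_update_locked": reg.has_priv("sec-analyst", locked, "update"),
        "sec_can_read_locked": reg.has_priv("sec-analyst", locked, "read"),
        "sec_is_admin_of_locked": reg.has_priv("sec-analyst", locked, "admin"),
        "sec_blocked_on_staff": blocked,
    }
```

The point of the scenario is the last three results: the analyst can update and (by implication) read the locked list, is not its admin so cannot re-delegate it, and cannot touch the staff group at all, while the VPN-facing composite still reflects the analyst's change without central IT in the loop.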

Page 6: Beyond groups

Diagram (figure not recovered); labels as shown:
• Attributes
• Roles
• Permissions
• Attribute definition
• Permission definition
• Role inheritance

Delegation model extends that for groups.

October 2011

Page 7: Access management lifecycle support

• Membership start & end times (optional)
• Move or copy folders, groups, etc.
• User audit
• Point in time audit
• Rules

October 2011
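Two of the bullets above are easy to conflate: membership start and end times say when a membership is in effect, while a point-in-time audit says what the registry had recorded at some past moment. An incident responder needs both at once ("who could reach the VPN on the afternoon of the 15th?"). The following is an added example, not Grouper's own code: an append-only changelog replayed up to a chosen instant, with optional validity windows applied on top. The changelog contents, the subject ids other than the uid shown on the slides, and the method names are assumptions for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Change:
    recorded_at: datetime           # transaction time: when the change was written
    op: str                         # "add" or "delete"
    group: str
    subject: str
    start: datetime | None = None   # optional validity window from the lifecycle slide
    end: datetime | None = None


class AuditLog:
    def __init__(self, changes: list[Change]) -> None:
        self.changes = sorted(changes, key=lambda c: c.recorded_at)

    def memberships_as_of(self, as_of: datetime) -> dict[tuple[str, str], Change]:
        """Point-in-time view: replay every change recorded at or before as_of."""
        state: dict[tuple[str, str], Change] = {}
        for c in self.changes:
            if c.recorded_at > as_of:
                break
            if c.op == "add":
                state[(c.group, c.subject)] = c
            else:
                state.pop((c.group, c.subject), None)
        return state

    def members(self, group: str, as_of: datetime) -> set[str]:
        """Who was effectively a member at as_of: recorded by then and, if the
        membership carries start/end times, inside that window at that instant."""
        out: set[str] = set()
        for (g, subject), c in self.memberships_as_of(as_of).items():
            in_window = (c.start is None or as_of >= c.start) and (c.end is None or as_of < c.end)
            if g == group and in_window:
                out.add(subject)
        return out


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


VPN = "uc:applications:vpn:authorized"

# Constructed changelog (hypothetical subjects apart from the uid on the slides).
LOG = AuditLog([
    Change(_t("2011-06-01T09:00"), "add", VPN, "tbarton"),
    Change(_t("2011-06-10T09:00"), "add", VPN, "contractor",
           start=_t("2011-06-13T00:00"), end=_t("2011-06-20T00:00")),
    Change(_t("2011-06-15T12:00"), "delete", VPN, "tbarton"),
    Change(_t("2011-06-16T08:00"), "add", VPN, "tbarton"),
])


def demo() -> dict[str, set[str]]:
    """Answers to 'who could reach the VPN at time T', one per interesting instant."""
    return {
        "jun05": LOG.members(VPN, _t("2011-06-05T12:00")),  # only tbarton
        "jun12": LOG.members(VPN, _t("2011-06-12T12:00")),  # contractor recorded, not yet started
        "jun14": LOG.members(VPN, _t("2011-06-14T12:00")),  # both
        "jun15": LOG.members(VPN, _t("2011-06-15T13:00")),  # tbarton removed an hour earlier
        "jun17": LOG.members(VPN, _t("2011-06-17T12:00")),  # tbarton re-added
        "jun21": LOG.members(VPN, _t("2011-06-21T12:00")),  # contractor window ended
    }
```

The "jun12" case is the one worth noticing: the contractor's membership was already recorded, so a plain audit of "who was added by then" would list them, but the validity window had not opened, so nothing downstream should have granted access yet.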

Page 8: Grouper components (as of v2.0)

Architecture diagram (figure not recovered); component and interface labels as shown:
• Grouper database, with the Java API, rules, audit, external users and changelog
• Grouper Shell (gsh%) and XML script
• Web services over SOAP and REST, used by the Grouper Client and by an application
• UIs: membership, attributes, roles & permissions, admin, invitation
• Subject API with JNDI and JDBC source adapters over systems of record
• Grouper Loader
• LDAP provisioning connector to LDAP/AD, which also holds persons and orgs from identity management; read by applications and by the Shibboleth IdP/SP (SAML)
• Grouper data connector for real-time notification over XMPP and HTTPS to an ESB and to another application
• Atlassian connector and Kuali connector (Kuali Rice) over REST

October 2011

Page 9: New and improved in Grouper v2.0

Feature: Description
Rules: Execute built-in actions and expression language to add business logic to Grouper actions
Attribute and Permissions UIs: Ajax-y UIs to define, view, and assign attributes and permissions
Permission Disallow: To manage inheritance of permissions via Role, Resource, or Action hierarchies
Permission Limits: Built-in Policy Decision Point that combines run-time context with permissions to produce Allow/Deny
Point in Time Audit: Query Grouper's state at a previous time
External Subjects: Invitation processes leverage federation to let external Subjects be given group memberships and permissions
Syncing Groupers: Federate groups between two Groupers
Member Search & Sort: Selective Subject attribute caching for improved sorting and searching capability and speed
LdappcNG enhancement: Improved performance through caching

October 2011
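The "Beyond groups" slide lists roles, permissions and role inheritance, and the table above adds permission disallow (inheritance across role, resource and action hierarchies) and permission limits (a policy decision point that mixes run-time context into the decision). How those combine is the part an implementer needs to see. The following is an added example, not Grouper's own code: a small decision point over the three hierarchies. Its precedence rule (a direct role beats an inherited one, then the more specific resource, then the more specific action; a disallow wins a tie) and its limit names, borrowed from two of Grouper's built-in limit types but implemented here as mocks, are simplifications assumed for this example; so are the payment roles, resources, subjects and amounts in the scenario.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Assignment:
    role: str
    action: str
    resource: str
    allow: bool = True
    limits: tuple = ()      # (limit_name, value) pairs; all must hold for an allow


# Limit checkers, named after two built-in limit types but mocked here.
# They fail closed when the run-time context lacks the key they need.
LIMIT_CHECKS = {
    "amountLessThan": lambda v, ctx: "amount" in ctx and ctx["amount"] < v,
    "ipOnNetworks": lambda v, ctx: "ip" in ctx and any(
        ipaddress.ip_address(ctx["ip"]) in ipaddress.ip_network(n)
        for n in v.split(",")),
}


def _distances(start: str, parents: dict[str, set[str]]) -> dict[str, int]:
    """Breadth-first walk up a hierarchy: node -> number of inheritance steps."""
    dist, queue = {start: 0}, [start]
    for node in queue:                      # the list grows while iterating
        for p in parents.get(node, ()):
            if p not in dist:
                dist[p] = dist[node] + 1
                queue.append(p)
    return dist


class PermissionDef:
    def __init__(self) -> None:
        self.role_parents: dict[str, set[str]] = {}      # role -> roles it inherits from
        self.resource_parents: dict[str, set[str]] = {}  # resource -> broader resource
        self.action_parents: dict[str, set[str]] = {}    # action -> actions that imply it
        self.role_members: dict[str, set[str]] = {}
        self.assignments: list[Assignment] = []

    def role_inherits(self, role, parent): self.role_parents.setdefault(role, set()).add(parent)
    def resource_under(self, resource, parent): self.resource_parents.setdefault(resource, set()).add(parent)
    def action_implies(self, action, implied): self.action_parents.setdefault(implied, set()).add(action)
    def add_member(self, role, subject): self.role_members.setdefault(role, set()).add(subject)

    def assign(self, role, action, resource, allow=True, limits=()):
        self.assignments.append(Assignment(role, action, resource, allow, tuple(limits)))

    def decide(self, subject: str, action: str, resource: str, context: dict) -> tuple[bool, str]:
        roles: dict[str, int] = {}
        for role, members in self.role_members.items():
            if subject in members:
                for r, d in _distances(role, self.role_parents).items():
                    roles[r] = min(d, roles.get(r, d))
        res_d = _distances(resource, self.resource_parents)
        act_d = _distances(action, self.action_parents)
        # Specificity key: (role steps, resource steps, action steps); lower wins.
        candidates = [((roles[a.role], res_d[a.resource], act_d[a.action]), a)
                      for a in self.assignments
                      if a.role in roles and a.resource in res_d and a.action in act_d]
        if not candidates:
            return False, "no applicable assignment"
        best = min(key for key, _ in candidates)
        winners = [a for key, a in candidates if key == best]
        if any(not a.allow for a in winners):
            return False, f"disallow wins at specificity {best}"
        for a in winners:
            for name, value in a.limits:
                if not LIMIT_CHECKS[name](value, context):
                    return False, f"limit {name}={value!r} not satisfied"
        return True, f"allow at specificity {best}"


def demo() -> dict[str, bool]:
    """Constructed scenario (hypothetical roles, resources, subjects, amounts)."""
    p = PermissionDef()
    p.role_inherits("treasurer", "payment_approver")   # treasurers get approver permissions
    p.resource_under("payments:ach", "payments")
    p.resource_under("payments:wire", "payments")
    p.action_implies("approve", "read")                 # whoever may approve may read
    p.add_member("payment_approver", "alice")
    p.add_member("treasurer", "bob")
    p.assign("payment_approver", "approve", "payments",
             limits=[("amountLessThan", 50000), ("ipOnNetworks", "10.0.0.0/8")])
    p.assign("payment_approver", "approve", "payments:wire", allow=False)  # disallow overrides
    p.assign("treasurer", "approve", "payments", limits=[("amountLessThan", 500000)])
    on_net = {"amount": 10000, "ip": "10.1.2.3"}
    return {
        "alice_ach": p.decide("alice", "approve", "payments:ach", on_net)[0],
        "alice_ach_over_limit": p.decide("alice", "approve", "payments:ach", {"amount": 60000, "ip": "10.1.2.3"})[0],
        "alice_off_network": p.decide("alice", "approve", "payments:ach", {"amount": 10000, "ip": "192.0.2.5"})[0],
        "alice_wire": p.decide("alice", "approve", "payments:wire", on_net)[0],
        "alice_read_via_action": p.decide("alice", "read", "payments:ach", on_net)[0],
        "bob_wire": p.decide("bob", "approve", "payments:wire", {"amount": 100000, "ip": "192.0.2.5"})[0],
        "carol_no_role": p.decide("carol", "approve", "payments:ach", on_net)[0],
    }
```

The "bob_wire" result is the instructive one: the disallow on payments:wire is attached to payment_approver, which bob only inherits, so bob's direct treasurer allow on the broader payments resource is the more specific assignment and wins. Whether that is the policy you intended is exactly the question to ask before relying on disallow through an inherited role.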

Page 10: Tom Barton's UChicago group memberships

June 2011

Page 11: Memberships become LDAP attributes

LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu (the slide's callouts highlight ucIsMemberOf: uc:org:nsit:srdirs, ucIsMemberOf: uc:reference:affiliations:effective:staff and ucIsMemberOf: uc:applications:vpn:authorized):

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucismemberof: uc:org:nsit:integration:techag
ucismemberof: uc:org:nsit:srdirs
ucismemberof: uc:org:nsit:integration:iteco:wr
ucismemberof: uc:applications:confluence:NSIT:esx
ucismemberof: uc:org:nsit:integration:iteco:rd
ucismemberof: uc:applications:confluence:NSIT:Directors
ucismemberof: uc:org:nsit:staff
ucismemberof: uc:applications:confluence:NSIT:Everyone
ucismemberof: uc:org:nsit:integration:shib_group
ucismemberof: uc:applications:bulkmail:users
ucismemberof: uc:org:library:gnet:admins
ucismemberof: uc:applications:gnetid:admins
ucismemberof: uc:applications:wireless:authorized
ucismemberof: uc:applications:cmail:users:authorized
ucismemberof: uc:reference:affiliations:effective:staff

June 2011

Page 12: UChicago VPN simple delegation example

Different groups, different authorities. VPN only uses “vpn:authorized”.

Diagram (figure not recovered); labels as shown: vpn:authorized is drawn as a composite, eligible minus denied. Under eligible: student, staff, alum, hospital, postdoc. Under denied: closure, locked. Authorities shown feeding these groups: core business systems, the IRB Office, the IT Security Team, and the IdM system.

June 2011
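The two slides above show the consuming side of the design: Grouper provisions memberships into LDAP as ucIsMemberOf values, and the VPN asks one question only, whether uc:applications:vpn:authorized is present, never whether the user is staff, a student, or otherwise "eligible". The following is an added example, not UChicago's or Grouper's code, of that consumer: a minimal LDIF reader for entries shaped like the one on the slide (continuation lines, base64 "::" values, multi-valued attributes, case-insensitive attribute names), an exact-match membership test, and the equivalent LDAP search filter with RFC 4515 escaping so a user-supplied uid cannot widen the query. The entries are constructed sample data modelled on the slide; the second user and the "...:authorized:pending" decoy value are invented to show why the match must be exact.

```python
from __future__ import annotations
import base64

# Constructed sample data modelled on the slide's entry; the cn value is
# base64 on purpose and the second entry is a hypothetical locked user.
SAMPLE_LDIF = """\
dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
uid: tbarton
cn:: VG9tIEJhcnRvbg==
ucIsMemberOf: uc:org:nsit:staff
ucIsMemberOf: uc:org:nsit:srdirs
ucIsMemberOf: uc:applications:confluence:NSIT:
 Directors
ucIsMemberOf: uc:reference:affiliations:effective:staff
ucIsMemberOf: uc:applications:vpn:authorized
ucIsMemberOf: uc:applications:vpn:authorized:pending

# constructed: eligible (staff) but locked, so vpn:authorized was never provisioned
dn: uid=jdoe,ou=people,dc=uchicago,dc=edu
uid: jdoe
ucIsMemberOf: uc:org:nsit:staff
ucIsMemberOf: uc:reference:affiliations:effective:staff
"""

VPN_GROUP = "uc:applications:vpn:authorized"


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64
    values, skips comments, lower-cases attribute names (LDAP attribute names
    are case-insensitive) and keeps every value of multi-valued attributes."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # folded line continues the previous one
        else:
            unfolded.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] | None = None
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def is_member(entry: dict[str, list[str]], group: str) -> bool:
    """Exact match on the full group name. A prefix or substring test would let
    uc:applications:vpn:authorized:pending, or any sibling group, pass."""
    return group in entry.get("ucismemberof", [])


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for an assertion value placed inside a search filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)


def vpn_filter(uid: str, group: str = VPN_GROUP) -> str:
    """The filter an LDAP-backed VPN would send instead of reading the whole entry."""
    return f"(&(uid={ldap_filter_escape(uid)})(ucIsMemberOf={ldap_filter_escape(group)}))"


def demo() -> dict:
    by_uid = {e["uid"][0]: e for e in parse_ldif(SAMPLE_LDIF)}
    tb = by_uid["tbarton"]
    return {
        "tbarton_vpn": is_member(tb, VPN_GROUP),
        "jdoe_vpn": is_member(by_uid["jdoe"], VPN_GROUP),
        "jdoe_is_staff": is_member(by_uid["jdoe"], "uc:org:nsit:staff"),
        "prefix_not_enough": is_member(tb, "uc:applications:vpn"),
        "unfolded_value": "uc:applications:confluence:NSIT:Directors" in tb["ucismemberof"],
        "cn": tb["cn"][0],
        "injected_uid_filter": vpn_filter("tbarton)(uid=*"),
    }
```

jdoe is the delegation story in one line: being staff (eligible) is visible in the entry, but the VPN does not consult it, so the IT Security Team's lock takes effect without the VPN knowing anything about eligibility rules. The filter escaping matters because a uid taken from a login form and concatenated unescaped into `(&(uid=...)(ucIsMemberOf=...))` could close the uid term early and rewrite the rest of the filter.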

Page 13: UChicago applications managed by Grouper, so far

aams
Ad Astra
Bulkmail
Business Objects Enterprise
Chalk
CityRyde
Cmail
cnet
Confluence
Directory Administration
dmca
Facilities SIMS
gnetid
grouper
im
isx
IT Ecosystem
Lab School
LDAP
lists
Mail Forwarding
Microsoft Exchange
modem pool
myUChicago
online directory
password expiration
rt
Service Now
shibboleth
Statements portlet
SVN
tank
UC Groups
unifiedcomm
uPoV Monitor
versions
voip
vpn
web hosting
webproxy
Webshare
webspace
wireless

June 2011

Page 14

October 2011