
Page 1: Early Adopters / Deployers

• Patterns and criteria for distinguishing roles and groups-based access control vs. privilege management. Why use one or the other, or, more importantly, why do we need both? Updated documentation and presentation material will be offered for discussion and review.

• Software to move data in and out of Signet and Grouper is not part of the core of either product, but is vital to connect them to your infrastructure. We'll have a technical design discussion on our basic JDBC and JNDI SourceAdaptor and the emerging Subject API specification, and will explore how to make these configurable to a variety of specific needs.

Page 2: Use Case: “Groups are good”

• What
  • People create groups that have real-world meaning and can be used in many ways -- my staff, project team, board members, etc.

• Grouper
  • Distributed model of managing such groups through delegated name stems
  • Personal groups?

• Signet
  • Ability to assign privs to such groups

• Apps
  • Those interested in using shared groups in general

Page 3: Use Case: Stanford: WebAuth

• What
  • Allow access to web pages based on group membership

• Grouper (Stanford workgroup)
  • User managed groups
  • System managed groups (course and department affiliations)

• WebAuth
  • Data provisioned to LDAP directory
  • Extends Apache “require group” directive in .htaccess file to refer to group references in Person LDAP entries

Page 4: Use Case: Duke: Mailing Lists

• What
  • “basic authorization and mailing list functionality”

• Grouper
  • Subscribers
  • Roles, e.g., owner, maintainer?

• Signet
  • ?

• Application?

Page 5: Use Case: Duke: Calendar groups

• What
  • “basic authorization and mailing list functionality”

• Grouper
  • Simple membership
  • How?

• Signet
  • ???

Page 6: Use Case: USC: Additional groups

• What
  • Augment existing, beloved group management system to support delegated administration of groups

• Grouper
  • Define basic inclusion/exclusion groups
  • Provisioned into LDAP

• Nightly processor
  • Integrate Grouper groups with LDAP groups, apply group math

Page 7: Use Case: U. Chicago: Instant Messaging

• What
  • Instant messaging platform. The rosters would be automatically populated based on work group.

• Grouper
  • Information that we keep on our users is not detailed enough to be used to group people into their individual work groups. Grouper would be used by the managers of the individual work groups to define who is in their group.
  • This data would then be read from the Grouper db by a program which would provision the rosters of the relevant people in the IM server (directly to Jabber server? Via LDAP?)

Page 8: Use Case: Others?

• What
  • Wiki groups
  • Files (e.g., AFS pts groups)
  • Portal groups
  • Document sharing (e.g., Docushare)
  • CVS groups
  • Ticket tracking (Wash)

Page 9: Use Case: Cornell: GuestIDs

• What
  • GuestIDs for people in a weekend course at the hotel school, or a class that uses the Blackboard system, or someone that needs wireless access for some period of time, etc.

• Grouper
  • All guests placed in a group (provisioned via LDAP) to which privs are assigned
  • Admins placed in a group (provisioned from PeopleSoft/HR, augmented by Admin adding people to same group)
  • Self-signup guest discussion list group (opt-in)

Page 10: Use Case: Cornell: GuestIDs (cont)

• Signet
  • Manage Admin access rights -- assignments to groups
  • Assign guest privileges to full guest group (campus bus)
  • … to individuals (weight room, Blackboard, printing) (only to those with guestIDs / in guest group?)
  • With effective and expiration dates (managed by Signet)

• Other stuff
  • GuestID expiration based on last service

Page 11: Use Case: Cornell: WebFinancials

• What
  • Manage access privileges for an account, or for all accounts in a department or unit

• Grouper
  • Each department defined as a group, using hierarchy naming and nesting
  • Capture account “membership” in departments or as subgroups in the department stem

• Signet
  • Assign level of priv (unit/dept) by scope
  • Qualify privilege by type (Labor, Gift, etc.) & year (limits)

Page 12: Use Case: Cornell: WebFinancials (cont)

• Signet prerequisite
  • Policy agreement (how recorded?) (rule condition)

• Signet exported permissions
  • Subject (person with privilege)
  • Resource (specific acct, groups of accts)
  • Action (view) is implicit

• WebFinancials application
  • Can read account-level permission directly
  • Can map account request to a dept/unit permission via “isMemberOf”
  • Would like direct query to a web services auth service

Page 13: Use Case: Stanford: Financial Approver

• What
  • Designate financial approvers for several electronic financial transactions

• Signet (Stanford Authority)
  • Similar to WebFinancials
  • Uses administrative departmental hierarchy
  • All/some accounts for a department -or- all accounts for projects managed by a PI
  • Direct provisioning to Oracle Financials
  • “is an approver” is a testable fact (a role?)

Page 14: Use Case: Brown: Course videos

• What
  • Steve Carmody: I'd like to be able to say to Signet "give this course [members?] permission to view this video", and have Signet's ldap connector add an entitlement value to the group object [?] in our ldap directory that represents the course...

• Grouper
  • ???

• Signet
  • Central accts office (root) delegates to [courseware that delegates to] TA for Course X the auth to manage video permissions for students in course X
  • The TA grants students authority to view specific videos - starting on … for 2 weeks

Page 15: Use Case: USC: Portal Access Control

• What
  • Investigate replacing internal Portal groups with Grouper/Signet management

• Grouper
  • ???

• Signet
  • ???

Page 16: Use Case: Chicago: Licensed software

• What
  • Centrally managed software with a variety of licensed software -- site-licensed, departmental/project/individual usage. Eliminate physical distribution.

• Grouper
  • Group per software package

• Signet
  • Function with software as limit

Page 17: Use Case: Chicago: Blackboard Collaboration

• What
  • Set up tools to support collaboration for “organizations” or groups (in addition to classes)

• Grouper
  • Registration. Organization liaison given a group in which to maintain organization membership

• Signet
  • Manage which tools are enabled for which organizations
  • Coordinates services across systems

Page 18: Use Case: MyVocs

• What
  • Could Grouper and Signet in myVocs expand the flexibility of group and role assignments across a large collection of distributed applications? If Grouper/Signet are integrated into myVocs they will be available to UABgrid.
  • NCSA and UAB are collaborating to integrate GridShib with myVocs. We are considering using Grouper as a source of attributes in myVocs, in particular, and VOs, in general.

• Grouper
• Signet
• Shibboleth

Page 19: Use Case: U. Missouri: Great Plains Network

• What
  • Manage authorization for individuals or groups of users in a Virtual Organization that could span multiple institutions and identity management systems. The Great Plains Network (GPN) is developing a multi-institutional collaboration environment whose members comprise institutions/organizations that:
    • Utilize autonomous Identity Management systems operated by each institution by which GPN collaborators are employed (identified)
    • Each institution can provide resources (e.g., processing or storage) that can be shared among the participating parties using web based and grid computing technologies.
    • Participants (each person) must be provided with authorizations (e.g., edu entitlements) to use various GPN VO resources through their home organization, but managed in some fashion from the GPN VO. This would require pushing entitlement data into multiple IdM systems from an external entity, such as the GPN VO. The management overhead of authorizations must be kept to a minimum, yet provide institutional controls at several levels.
  • Participants authenticate themselves through their home institution and obtain "credentials" to access resources distributed throughout the VO community. There is not a single application or resource involved, but multiple applications and resources distributed among the participating institutions. Individuals may be granted collaborative access to none, some or all of the applications/resources offered by the VO.

Page 20: Use Case: U. Missouri: Great Plains Network

• Grouper
  • Each institution records V.O. membership locally; the resulting “is member” attribute is released to cooperating institutions (big issue is who has authority to make assertions)
  • Each institution records member role information locally (scientist? admin? where such exists), also as a shared attribute
  • All necessary roles are articulated as groups at each institution, whether they have local members or not.

• Signet
  • Each institution assigns permissions to its own resources, either to individuals (known locally) or to groups
  • Signet could “learn” about people outside the local identity management software via login -- a useful concept?

Page 21: Use Case: Wisconsin: Authorization Workflow

• What
  • Replace paper-based authorization workflow

• Grouper
  • ???

• Signet
  • Delegation of authority, distribution down an organization hierarchy

Page 22: Use Case: UCDavis: Travel Expense

• What
  • Manage expense approvals for Travel reimbursements
  • The new T&E system is a commercial product (Concur) being readied by the Accounting division.

• Grouper
  • Define groups below departmental level for delegation

• Signet
  • Seed/maintain expense-approval delegations, starting with small set of policy-based expense approvers (high-level administrators) who are readily identified. These top-level approvers delegate expense approval privileges for their organizational branch (or sub-branches) to various subordinates.
  • Delegations may be done down to a sub-departmental level, i.e., to +/- arbitrary groups of departmental employees.
  • Grantees may have limits on approval amounts different (lower) than that provided to grantors.
  • Operationally, export privileges to the T&E system. I've been told that this system has a web services interface. Details TBD. If Accounting thinks the Signet UI is not far along enough to meet their needs, we may need an interim application. At the moment I've mapped T&E concepts to a Signet subsystem, and am readying prototype data (orgs and people).

Page 23: Use Case: U.Chicago: Computer Cluster Access

• What
  • Express complex access policy in LDAP attributes that condition workstation login

• Grouper function
  • Group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy
  • Whitelist & blacklist policy exception capability given to cluster administrators
  • Cluster admins tweak classifying hierarchy as needed

• Signet function
  • None at present. Would be used if, for example, departments were to authorize access to their own computer labs
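The USC "group math" (inclusion/exclusion groups resolved by a nightly processor) and the whitelist/blacklist exceptions cluster admins hold on this slide, as an added Python example that is not code from the slides or from Grouper: nested groups are flattened, an exclusion group is subtracted, admin exceptions are applied on top, and a per-person view is built in the shape an isMemberOf-style LDAP attribute would carry. Group names and members are constructed.

```python
from typing import Dict, Iterable, Set

# Constructed sample data: a member string starting with "group:" is a
# nested group; anything else is a person (like Grouper's nested groups).
GROUPS: Dict[str, Set[str]] = {
    "uc:staff": {"alice", "bob", "group:uc:it"},
    "uc:it": {"carol", "dave"},
    "uc:students": {"erin", "frank"},
    "uc:cluster:eligible": {"group:uc:staff", "group:uc:students"},
    "uc:cluster:excluded": {"frank", "group:uc:it"},
}

def expand(name: str, groups: Dict[str, Set[str]], seen=None) -> Set[str]:
    """Flatten a group to its people, following nested groups; `seen`
    guards against membership cycles (A contains B contains A)."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    people: Set[str] = set()
    for m in groups.get(name, set()):
        if m.startswith("group:"):
            people |= expand(m[len("group:"):], groups, seen)
        else:
            people.add(m)
    return people

def effective_members(include: str, exclude: str, groups: Dict[str, Set[str]],
                      whitelist: Iterable[str] = (),
                      blacklist: Iterable[str] = ()) -> Set[str]:
    """Group math: include minus exclude, then the admins' exceptions;
    a blacklist entry wins over everything else."""
    base = expand(include, groups) - expand(exclude, groups)
    return (base | set(whitelist)) - set(blacklist)

def is_member_of(groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per-person view of the flattened groups, the shape an isMemberOf
    attribute on a Person LDAP entry would carry."""
    view: Dict[str, Set[str]] = {}
    for g in groups:
        for p in expand(g, groups):
            view.setdefault(p, set()).add(g)
    return view
```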

Page 24: Use Case: U.Chicago: Computer Cluster Access