Grouper Training: Developers and Architects
How to Design Permissions
Shilen Patel
Duke University
This work licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.
Contents
• Introduction
• Permission definitions
• Permission names
• Actions
• Roles
• Permission assignments
• Limits
• Inheritance
• Application integration
Introduction
• Attributes
• Roles
• Permissions
• Attribute definition
• Permission definition
• Role inheritance
• Delegation model extends that for Groups
Permission Definitions
• Type of attribute definition where the type of attribute is permission.
• Typically have one definition for a set of permission names (resources) and actions.
• Also contain security information.
  • Who can create permission assignments using a given definition?
  • Who can see permission assignments?
Permission Names
• Permission names are the “resource” in the permission triple.
• Typically have more than one per permission definition.
Actions
• Each permission definition can have a set of actions that can be used to form permissions using that definition.
• Actions are free-form strings (e.g. “read”, “write”, “admin”).
Roles
• Special type of groups.
• Unlike regular groups, roles can be associated directly with permission assignments.
• Roles can also have permission inheritance.
Permission Assignments
• Contain the triple
  • Subject (role or a specific subject within a role)
  • Action
  • Resource (the permission name)
• Start and end dates
  • Permission will start on a future date.
  • Permission will end on a future date.
Permission Assignments (continued)
• Allowed versus disallowed permissions
  • Permission processor will resolve conflicts when performing permission queries (e.g. PermissionFinder.hasPermission())
  • Direct assignments trump inherited assignments
  • A lower depth inherited assignment trumps a higher depth inherited assignment (on the directed graph of inheritance)
  • Inherited ALLOW assignments (of equal depth) trump inherited NOT_ALLOW assignments
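The conflict-resolution rules above, as an added example that is not part of the original slides or of Grouper's own code: a Python model covering role inheritance only (resource and action inheritance, limits and start/end dates are left out). The role names, the inheritance graph and the assignments are constructed for illustration.

```python
# Added model of the slides' conflict-resolution rules (not Grouper's own code).
from collections import namedtuple

ALLOW, NOT_ALLOW = "ALLOW", "NOT_ALLOW"

# The permission triple (role, action, resource) plus its disposition.
Assignment = namedtuple("Assignment", "role action resource disposition")

# Constructed role inheritance graph: role -> roles it inherits permissions from.
INHERITS = {
    "seniorManager": ["manager"],
    "manager": ["staff"],
    "auditor": ["manager", "reviewer"],  # two parents at the same depth
}

def inheritance_depths(role):
    """Breadth-first walk of the inheritance graph: {role: depth}, self at 0."""
    depths, frontier = {role: 0}, [role]
    while frontier:
        nxt = []
        for r in frontier:
            for parent in INHERITS.get(r, []):
                if parent not in depths:
                    depths[parent] = depths[r] + 1
                    nxt.append(parent)
        frontier = nxt
    return depths

def has_permission(role, action, resource, assignments):
    """Direct (depth 0) beats inherited; lower depth beats higher; at equal
    depth ALLOW beats NOT_ALLOW. The slides state the equal-depth rule for
    inherited assignments only; using it at depth 0 too is an assumption."""
    depths = inheritance_depths(role)
    best = None  # (depth, disposition) of the assignment currently winning
    for a in assignments:
        if a.action != action or a.resource != resource or a.role not in depths:
            continue
        d = depths[a.role]
        if best is None or d < best[0] or (d == best[0] and a.disposition == ALLOW):
            best = (d, a.disposition)
    return best is not None and best[1] == ALLOW

SAMPLE = [  # constructed assignments
    Assignment("staff", "read", "OIT", ALLOW),
    Assignment("manager", "read", "OIT", NOT_ALLOW),
    Assignment("reviewer", "read", "OIT", ALLOW),
    Assignment("staff", "write", "OIT", NOT_ALLOW),
    Assignment("seniorManager", "write", "OIT", ALLOW),
]
```

With SAMPLE, a senior manager is denied read on OIT because the manager's NOT_ALLOW at depth 1 beats the staff ALLOW at depth 2, while an auditor is allowed because the reviewer's ALLOW ties the manager's NOT_ALLOW at depth 1.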
Limits
• Runtime constraints on permission assignments.
• There are many built-in limits (such as Weekday 9 to 5).
• When querying permissions using the permission processor, you can supply limit values (e.g. current time).
• Can only apply to permissions that are allowed (not disallowed).
Inheritance
• Role inheritance – One role inherits the permissions of another role (e.g. senior manager inherits the permissions assigned to a manager).
• Resource inheritance – Permission on one resource implies permission on another. Useful in hierarchies (e.g. read access on the OIT resource within an application implies read access on OIT:IDM).
Inheritance (continued)
• Action inheritance – One action implies another (e.g. admin implies read).
• Group membership – Adding a group as a member of a role.
Application Integration
• Using the Grouper change log to propagate permissions to an external application.
  • Change log events occur when permissions are added or dropped.
  • Change log will tell you which roles have permission changes.
  • Change log category is “permission” and change log action is “permissionChangeOnRole”.
Application Integration (continued)
• Application can look up permissions using Grouper Web Services.
  • Possible approach for custom applications.
  • Need to consider caching, especially if permissions are fine-grained.
  • Can also send limit values in permission queries and simply get a boolean response for whether the user has the permission.
Application Integration (continued)
• Grouper views
  • Useful for read-only queries when the permission processor is not needed.
  • grouper_perms_assigned_role_v – shows all permissions assigned to roles.
  • grouper_perms_role_v – shows all permissions assigned to users due to the users being in a role, and the role being assigned the permission.
  • grouper_perms_role_subject_v – shows all permissions assigned to users directly while in a role.
  • grouper_perms_all_v – union of grouper_perms_role_v and grouper_perms_role_subject_v.
• Grouper API
Quiz
Click on the quiz link in the video description to reinforce your knowledge of this topic.
Thanks!
Further information:
• Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
• Grouper demo server: grouperdemo.internet2.edu/
• Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ