Handling Groups and Permissions: Grouper and Signet and uPortal Lynn McRae, Stanford University Keith Hazelton, University of Wisconsin With thanks to Tom Barton, University of Chicago JA-SIG, Vancouver, BC, 06/06/06


Page 1: Handling Groups and Permissions: Grouper and Signet and uPortal

Lynn McRae, Stanford University
Keith Hazelton, University of Wisconsin
With thanks to Tom Barton, University of Chicago

JA-SIG, Vancouver, BC, 06/06/06

Page 2: Identity & Access Management

• A person's privileges are shaped by many Sources of Authority
  • Institutional policy-making bodies
  • Resource managers
  • Program/activity heads
  • Individuals -- friends and self
• Management of privileges should be distributed
  • Hook up all Sources of Authority to the middleware
• Common middleware infrastructure should be operated centrally
  • Departments/programs/activities/applications should not have to build their own core middleware
  • Resources should be shared through the infrastructure

Page 3: Access Control Decision

Q: Subject + Resource + Action + Context
• Subject = who or what wants to take an action
• Resource = what the action is against, e.g., file, building, data, service, etc.
• Action = what they want to do, e.g., view, modify, enter, approve, run, etc.
• Context = time of day, academic term, weather, etc.

A: Policy interpretation and decision, e.g.
• Resource and action are available to a group, e.g., Faculty at MIT, Students in a class
• Available to anyone with "entitlement" for the service

Page 4: …by any other name

Signet and XACML
• Subject
• Action
• Resource
• Context

uPortal Permission
• Principal
• Activity
• Target

Page 5: Policy based authorization (diagram)

Actors shown: Identity Provider, Service Provider, Rules.
• Subject (already auth'd) tries to access resource
• Provider evaluates required identity attributes against rules for resource
• Provider grants or denies access

Page 6: Policy interpretation

Policy can be very simple
• In group "uportal-sysadmins"
• In role "faculty"

or more and more complicated
• Faculty in Law School
• or designated TAs
• or other faculty teaching a Law School course
• for courses offered this term
• can or cannot submit grades
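The following is an added example, not code from the slides or from the Grouper/Signet projects: a minimal policy decision point in the Subject + Resource + Action + Context shape of page 3 that evaluates both the simple policy and the complicated grade-submission policy of page 6. Every group name, role, course, term and person in it is constructed; the resource naming scheme (course:ID:grades) and the stand-in course table are assumptions of the example. The one edge case worth noticing is the "offered this term" rule: a missing term in the context must deny, not accidentally match an unknown course.

```python
# Added example (not from the slides, nor Grouper/Signet code): a minimal policy
# decision point in the Subject + Resource + Action + Context shape of page 3,
# evaluating the simple and the complicated policies of page 6. Every group name,
# course, term and person below is constructed for this example.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Subject:
    """Who or what wants to act. Groups and roles are attributes about the person."""
    uid: str
    groups: Set[str] = field(default_factory=set)    # e.g. "uportal-sysadmins"
    roles: Set[str] = field(default_factory=set)     # e.g. "faculty"
    school: Optional[str] = None                     # e.g. "law"
    teaching: Set[str] = field(default_factory=set)  # course ids taught
    ta_for: Set[str] = field(default_factory=set)    # course ids the subject is TA for


@dataclass
class Request:
    subject: Subject
    resource: str            # e.g. "course:LAW-201:grades" (naming scheme assumed)
    action: str              # e.g. "submit"
    context: Dict[str, str]  # e.g. {"term": "2006-spring"}


# Constructed stand-in for the SIS: Law School courses and the term each is offered.
LAW_COURSES: Dict[str, str] = {
    "LAW-201": "2006-spring",
    "LAW-305": "2006-spring",
    "LAW-110": "2005-fall",
}


def simple_policy(req: Request) -> bool:
    """Page 6, 'very simple': in group uportal-sysadmins, or in role faculty."""
    s = req.subject
    return "uportal-sysadmins" in s.groups or "faculty" in s.roles


def grade_submission_policy(req: Request) -> bool:
    """Page 6, 'more complicated': Law School faculty, or designated TAs, or other
    faculty teaching a Law School course, may submit grades, but only for courses
    offered this term. Anything not explicitly matched is denied."""
    if req.action != "submit":
        return False
    parts = req.resource.split(":")
    if len(parts) != 3 or parts[0] != "course" or parts[2] != "grades":
        return False
    course = parts[1]
    # Resource check: a Law School course, offered in the term named by the context.
    # Both conditions are explicit so that an unknown course and a missing term
    # (None == None) cannot slip through as a match.
    if course not in LAW_COURSES or LAW_COURSES[course] != req.context.get("term"):
        return False
    s = req.subject
    is_faculty = "faculty" in s.roles
    law_faculty = is_faculty and s.school == "law"
    designated_ta = course in s.ta_for
    other_faculty_teaching = is_faculty and course in s.teaching
    return law_faculty or designated_ta or other_faculty_teaching


def decide(req: Request) -> str:
    """Policy decision: default deny; only an explicit rule can grant."""
    return "permit" if grade_submission_policy(req) else "deny"


if __name__ == "__main__":
    term = {"term": "2006-spring"}
    prof = Subject("law-prof", roles={"faculty"}, school="law")
    print(decide(Request(prof, "course:LAW-201:grades", "submit", term)))
```

The subject's group, role and course attributes are exactly the "who you are" and "what you can do" information that page 7 says is conveyed through attributes about a person; the decision function consumes them without knowing which system of record produced them.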

Page 7: Groups and Privileges

• Two kinds of Subject information are used in making access control decisions
  • Who you are
    • aka "groups" or "roles"
    • cf RBAC
  • What you can do
    • aka "privileges"
    • cf "value-based authority" or "row-based authority"
• Both types of information are conveyed through attributes about a person
• Grouper and Signet are tools that let you enrich descriptive attributes about people in both ways

Page 8: Big picture, without Grouper/Signet (diagram)

Page 9: Filling the gap (diagram)

Identity Management, fed by HR and SIS Courses, asserts for The Professor: Affiliation: faculty; Instructor: CS-313. Shib carries these attributes to the relying systems, each with its own rule: CourseWare (CS-313 grades): Allow CS-313; Library (CompSci resources): allow CS teaching; External Partner: allow CS affiliates.

The Professor asks: What about my TAs? … my auditors? … extensions/makeup?

Page 10: Extending Course infrastructure (diagram)

Same layout as page 9, with Grouper added. Identity Management (HR, SIS Courses) still asserts Affiliation: faculty and Instructor: CS-313 for The Professor; Grouper holds the group Class:CS-313:TA. The union (U) of the SIS-sourced instructor information and the Grouper TA group = the attribute isMemberOf: CS-313, which Shib carries to the same relying systems with their rules unchanged: CourseWare (CS-313 grades): Allow CS-313; Library (CompSci resources): allow CS teaching; External Partner: allow CS affiliates.

Page 11: Privilege management (diagram)

Identity Management supplies Affiliations (faculty, staff, student, guest) through Shib; Signet supplies individual privileges. Individuals shown: Marin Alsop, Marc Crawford, James Billington. Privileges shown: special_collections (manuscripts,view) (king_papers,copy); printing (max100); athletic (golf_course); facilities (pool,after5); blackboard (music103); music (practice_room).

Relying applications and the affiliations they admit: Athletic Facilities: faculty, staff, student, guest; Printing: staff, guest; Blackboard: student, guest.

Page 12: uPortal specific permissions (diagram)

Identity Management asserts Affiliation: temp via Shib. Signet holds uPortal-specific privileges: for a Portal Admin, tab_admin(module3) and uportal_access(level1); for a Dept Admin, tab_admin(module8). Signet conditions shown: "as long as 'staff'" and an expiration date. uPortal receives the results as its own permissions (admin, spon.guest).

Page 13: Big picture, without Grouper/Signet (diagram)

Page 14: Big picture (diagram)

Page 15: Signet & Grouper Overview

Page 16: Grouper

• Middleware software/toolkit
  • User access through a common UI
  • Program access through a common API
• Defines a "Groups Registry"
  • Brings scattered, duplicative groups together for re-use
  • Allows useful actions on these groups -- group math, group nesting, exclusion criteria
  • Hierarchical name-space (name stems & substems)
• Can leverage existing group information
• Supports the creation of new groups
  • By schools, departments, and individuals!
• Distributed/delegated model of control

Page 17: Signet

• Middleware software/toolkit
  • User access through a common UI
  • Program access through a common API
• Brings privilege information together in one place -- a "Privilege Registry"
  • Central granting, can apply across multiple systems
  • Central reporting, history, auditing, review
  • Accessible to managers AND holders of privileges
• Independent of specific vendors, systems, releases or technologies
• Distributed/delegated model of control

Page 18: Shared Subject API

• Subject - a person, group, application, or other type of object whose identity is managed by your IAM system
• Abstracts the underlying technology and data model from a relying application
• Source Adapters
  • Identify attributes/columns distinguished as "subjectID", "name" and "description"
  • Specify back-end-specific searches for each type and each search method
    • Select
    • Search by identifier
    • Search

Page 19: Grouper Overview

• A mix of manual and automated processes manage a common Groups Registry
  • Stored in an RDBMS
  • Automated processes provision info from the Groups Registry into LDAP, AD, or directly into application-specific databases, wherever the value of the info warrants spending the resources to place it there
• Two types of managed objects: groups and naming stems
  • Groups are created & named with a naming stem
• Group management authority is delegatable
  • By group or by naming stem

Page 20: Grouper Groups

• Any "subject" can be a group member or privilegee
  • Persons, groups, site-defined subject types
  • Uses the Subject API developed by the Grouper+Signet teams
• Subgroups (now), composite groups (v1.0), and aging (v1.1) of groups and memberships
• Privileges
  • ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
• Group attribute set can be site-extended

Page 21: Naming Stems

• Groups are created with naming stems
  • Limits the authority to create and name groups
  • Supports distinct activities with their own authority
• Naming stems can be arranged hierarchically, e.g., uc, uc:nsit, uc:nsit:labs
• Privileges
  • STEM
    • Create subordinate naming stems
    • Assign privs for this naming stem
  • CREATE – create groups with this naming stem

Page 22: Composite Groups

• Membership is defined by composing the memberships of 2 other groups
  • A = B ∪ C  (union)
  • A = B ∩ C  (intersection)
  • A = B – C  (relative complement)
• Common use – "tweak" existing groups
  • Whitelist or blacklist factored in to another group

Page 23: Example: Computer Cluster Access (diagram)

nsit:labs:eligible (manual) is composed from:
• nsit:labs:whitelist (manual)
• uc:faculty (auto)
• uc:staff (auto)
• categories of entitled students (auto)
• time dependent student categories (auto)

nsit:labs:barred (manual) is composed from:
• nsit:labs:blacklist (manual)
• categories of barred students (auto)

Allow access if in (nsit:labs:eligible – nsit:labs:barred)
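As an added example (not Grouper's own code), the two-operand composite math of page 22 applied to the cluster-access layout above. Group names follow the slides; the member ids, the "auto" source memberships, and the intermediate group names (nsit:labs:_fac-staff and so on) are constructed. Because a composite composes exactly two groups, the five-way "eligible" union is built as a chain of two-way unions; the resolver also refuses a recipe that loops back on itself, which is the failure mode a registry with redefinable composites has to guard against.

```python
# Added example (not Grouper's own code): the two-operand composite-group math
# of page 22 applied to the cluster-access layout of page 23. Group names follow
# the slides; member ids, "auto" memberships and intermediate names are constructed.
from typing import Dict, Set, Tuple

OPS = {"union", "intersection", "complement"}


class GroupsRegistry:
    """Toy Groups Registry: plain groups hold members, composite groups hold a recipe."""

    def __init__(self) -> None:
        self._members: Dict[str, Set[str]] = {}
        self._composites: Dict[str, Tuple[str, str, str]] = {}  # name -> (op, left, right)

    def define(self, name: str, members: Set[str]) -> None:
        """A plain (manual or loader-populated) group."""
        if name in self._composites:
            raise ValueError(f"{name} is a composite group")
        self._members[name] = set(members)

    def compose(self, name: str, op: str, left: str, right: str) -> None:
        """A = left op right; composites take exactly two groups, so n-way sets are chained."""
        if op not in OPS:
            raise ValueError(f"unknown op {op}")
        for g in (left, right):
            if g not in self._members and g not in self._composites:
                raise KeyError(f"unknown group {g}")
        self._composites[name] = (op, left, right)

    def members(self, name: str, _stack: Tuple[str, ...] = ()) -> Set[str]:
        """Resolve membership recursively, refusing definitions that loop."""
        if name in _stack:
            raise ValueError("composite cycle: " + " -> ".join(_stack + (name,)))
        if name in self._members:
            return set(self._members[name])
        op, left, right = self._composites[name]
        b = self.members(left, _stack + (name,))
        c = self.members(right, _stack + (name,))
        if op == "union":
            return b | c
        if op == "intersection":
            return b & c
        return b - c  # relative complement


def build_cluster_registry() -> GroupsRegistry:
    """Page 23: eligible = manual whitelist + automatic groups; barred = manual
    blacklist + automatic barred categories; access = eligible - barred."""
    reg = GroupsRegistry()
    # Constructed memberships; the (auto) groups would be loaded from systems of record
    reg.define("uc:faculty", {"ada", "grace"})
    reg.define("uc:staff", {"linus", "ken"})
    reg.define("uc:students:entitled", {"sam", "pat"})    # "categories of entitled students"
    reg.define("uc:students:term-eligible", {"jo"})       # "time dependent student categories"
    reg.define("uc:students:barred-category", {"pat"})    # "categories of barred students"
    reg.define("nsit:labs:whitelist", {"visitor-1"})
    reg.define("nsit:labs:blacklist", {"ken"})
    # Chain two-operand unions up to nsit:labs:eligible
    reg.compose("nsit:labs:_fac-staff", "union", "uc:faculty", "uc:staff")
    reg.compose("nsit:labs:_students", "union", "uc:students:entitled", "uc:students:term-eligible")
    reg.compose("nsit:labs:_auto", "union", "nsit:labs:_fac-staff", "nsit:labs:_students")
    reg.compose("nsit:labs:eligible", "union", "nsit:labs:whitelist", "nsit:labs:_auto")
    reg.compose("nsit:labs:barred", "union", "nsit:labs:blacklist", "uc:students:barred-category")
    # The access decision itself is a composite: eligible minus barred
    reg.compose("nsit:labs:access", "complement", "nsit:labs:eligible", "nsit:labs:barred")
    return reg


def allow_access(reg: GroupsRegistry, uid: str) -> bool:
    """Allow access if in (nsit:labs:eligible - nsit:labs:barred)."""
    return uid in reg.members("nsit:labs:access")


if __name__ == "__main__":
    registry = build_cluster_registry()
    for who in ("ada", "ken", "pat", "visitor-1"):
        print(who, allow_access(registry, who))
```

Putting the final "eligible minus barred" step into the registry as its own composite, rather than into the relying application, is what lets the cluster, the library and any other consumer read one group (nsit:labs:access) and get the same answer.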

Page 24: Systems Integration

• API
• XML Import/Export Tool
  • Snapshots the Groups Registry, including naming stems and privileges
    • A single group
    • All subordinate to a specified naming stem
    • All matching a search condition
    • Entire Registry

Page 25: uPortal - Grouper Example: Managing e-Reserves

• Task: Some library staff can manage e-Reserves (a group of some 100 members)
• Library knows who they are
• So let's delegate management of the group to them
• Well…

Page 26: Example: Managing e-Reserves

• With uPortal today, the privilege to manage groups is on or off for a given person
• Delegating group management to library staff gives authority over all groups
• So instead, a central IT staff person manages e-Reserve group membership

Page 27: Example: Managing e-Reserves

• If uPortal used Grouper
  • Create a library "stem"
  • One assignment by central IT staff to a library staff member giving them "stem" privilege over the library stem
  • They in turn create an e-Reserve group under that stem and manage its membership
  • And the Grouper UI gives them a good way to do that
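The following is an added example, not the Grouper code base, showing why the stem-based delegation of pages 25 to 27 is narrower than uPortal's on/off group-management privilege of page 26. It models the STEM and CREATE stem privileges and the group privileges of pages 20 and 21. The stem names, the people, and two rules of the model are assumptions: privileges apply only to the stem they are granted on (nothing is inherited from a parent stem), and whoever creates a stem or group gets full privileges on what they created.

```python
# Added example (not Grouper's own code): STEM and CREATE privileges on naming
# stems (page 21) scope the delegated group management of pages 25-27. Names,
# people, and the creator-gets-full-privileges rule are assumptions of this model.
from typing import Dict, Set

STEM_PRIVS: Set[str] = {"STEM", "CREATE"}
GROUP_PRIVS: Set[str] = {"ADMIN", "UPDATE", "READ", "VIEW", "OPTIN", "OPTOUT"}


class AuthorizationError(PermissionError):
    pass


class GroupsRegistry:
    """Toy Groups Registry holding stems, groups, and per-object privilege grants."""

    def __init__(self, root_uid: str) -> None:
        self.root = root_uid  # central IT; bypasses all checks
        self.stems: Set[str] = set()
        self.stem_privs: Dict[str, Dict[str, Set[str]]] = {}
        self.groups: Dict[str, Set[str]] = {}
        self.group_privs: Dict[str, Dict[str, Set[str]]] = {}

    def _has_stem_priv(self, uid: str, stem: str, priv: str) -> bool:
        # Assumption: privileges apply to the named stem only, nothing is inherited
        return uid == self.root or priv in self.stem_privs.get(stem, {}).get(uid, set())

    def _has_group_priv(self, uid: str, group: str, priv: str) -> bool:
        return uid == self.root or priv in self.group_privs.get(group, {}).get(uid, set())

    def create_stem(self, actor: str, name: str) -> None:
        """STEM on the parent lets you create subordinate naming stems (page 21)."""
        parent = name.rpartition(":")[0]
        if parent:
            if parent not in self.stems:
                raise KeyError(f"no such stem {parent}")
            if not self._has_stem_priv(actor, parent, "STEM"):
                raise AuthorizationError(f"{actor} lacks STEM on {parent}")
        elif actor != self.root:
            raise AuthorizationError("only root creates top-level stems")  # assumption
        self.stems.add(name)
        self.stem_privs[name] = {actor: set(STEM_PRIVS)}  # assumption: creator gets STEM+CREATE

    def grant_stem_priv(self, actor: str, stem: str, uid: str, priv: str) -> None:
        """STEM on a stem lets you assign privs for that stem (page 21)."""
        if priv not in STEM_PRIVS:
            raise ValueError(f"not a stem privilege: {priv}")
        if stem not in self.stems:
            raise KeyError(f"no such stem {stem}")
        if not self._has_stem_priv(actor, stem, "STEM"):
            raise AuthorizationError(f"{actor} lacks STEM on {stem}")
        self.stem_privs.setdefault(stem, {}).setdefault(uid, set()).add(priv)

    def create_group(self, actor: str, name: str) -> None:
        """CREATE on a stem lets you create groups with that stem (page 21)."""
        stem = name.rpartition(":")[0]
        if stem not in self.stems:
            raise KeyError(f"no such stem {stem}")
        if not self._has_stem_priv(actor, stem, "CREATE"):
            raise AuthorizationError(f"{actor} lacks CREATE on {stem}")
        self.groups[name] = set()
        self.group_privs[name] = {actor: {"ADMIN"}}  # assumption: creator becomes ADMIN

    def add_member(self, actor: str, group: str, member: str) -> None:
        """Membership changes need UPDATE (or ADMIN) on that one group."""
        if not (self._has_group_priv(actor, group, "ADMIN")
                or self._has_group_priv(actor, group, "UPDATE")):
            raise AuthorizationError(f"{actor} may not update {group}")
        self.groups[group].add(member)


def e_reserves_walkthrough() -> Dict[str, object]:
    """Pages 25-27: central IT makes one assignment, library staff do the rest."""
    reg = GroupsRegistry(root_uid="central-it")
    reg.create_stem("central-it", "library")
    reg.create_stem("central-it", "uc")
    reg.create_stem("central-it", "uc:nsit")
    # The one central assignment: STEM over the library stem
    reg.grant_stem_priv("central-it", "library", "lib-staff", "STEM")
    # Library staff now administer their own stem: take CREATE, create the group, fill it
    reg.grant_stem_priv("lib-staff", "library", "lib-staff", "CREATE")
    reg.create_group("lib-staff", "library:e-reserves")
    for uid in ("reader-1", "reader-2", "reader-3"):
        reg.add_member("lib-staff", "library:e-reserves", uid)
    # The delegation is scoped: the same person has no authority under uc:nsit
    try:
        reg.create_group("lib-staff", "uc:nsit:labs-staff")
        confined = False
    except AuthorizationError:
        confined = True
    return {"e_reserves": reg.groups["library:e-reserves"],
            "confined_to_library_stem": confined, "registry": reg}
```

The contrast with page 26 is the shape of the grant: one STEM privilege on one stem, recorded against that stem, instead of a person-wide flag that covers every group in the registry.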

Page 28: uPortal - Grouper Example: Institutional Affiliations

• Tabs in UW-Madison's uPortal install are specific to broad institutional affiliations (read: groups)
  • Student, Faculty, Staff, Advisor, …
• But it's not only the portal that cares about membership in these affiliations
• Best to manage them as part of shared infrastructure via Grouper
• Loaders from Systems of Record populate the groups (single integration point for them)
• uPortal and other apps consume as needed

Page 29: Reuse of subject info maintained by Grouper & Signet (diagram, repeated on page 30)

Grouper and Signet feed subject information to uPortal, the Library and the LMS.

Page 31: Signet Overview

• Analysts define privileges in functional terms and specify the associated system-level permissions
• Signet presents this functional view in a Web UI where users assign privileges & delegate authority across all areas in which they have authority
• Signet internally maps assigned privileges into the system-specific terms needed by applications
• Privileges are exported, transformed, & provisioned into applications and infrastructure services
• Signet provides automated lifecycle controls

Page 32: Privileges Building Blocks

Functional view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions

System view
• Permissions
  • Subject
  • Action
  • Resource

Page 33: Functional View

Subsystems contain…
• Categories: provide a useful arrangement of functions within a subsystem, for reporting and ease of use
• Functions: the things a person can do; what they are getting privileges for
• Scope: organizational hierarchy governing distributed delegation
• Limits: qualifiers, constraints for a privilege

Page 34: Functional View (diagram: subsystems, categories, functions, limits)

Subsystems shown: Clinical Trial, Student Admin, Financial Aid.
Categories (organizing actions) shown: Protocol A, Patient Records, Materials Control, Course Support.
Functions shown: Manage Grant, Lab Access, Admin, Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts.
Limits shown: Which term, From Fund…, Read/Write, Hours, For school…, For fund…, Which campus, Qty/day, $ constraints.

Page 35: Systems View

Permissions
• Atomic units of control that map to specific access rules in systems
• Include limits that must be evaluated when interpreting permissions

Resources
• The target of a specific privilege; things that have access rules to control their use

Page 36: Functional View Permissions (diagram mapping functions to resources/permissions)

Functional view, Student Admin subsystem: categories Course Support and Financial Aid; functions Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts.

Resources shown: Calendar, Course, Facilities, Financial, Student. Permissions shown: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room.

Page 37: Systems Integration

• Privilege Management Java API
• Permissions document
  • XML representation of privileges for an individual or group
  • Will be compatible with XACML
  • For provisioning of privilege data into applications

Page 38: Privileges Lifecycle

Conditions
• Provide automatic revocation of privileges
• Date controls -- from date, until date
• Will be based on a person's status, affiliation, etc., e.g., as long as the person is at Stanford

Prerequisites
• Pre-conditions that must be met to activate privileges, e.g., training

Page 39: Other features

Assignments can be
• To an individual
• To a Group
• With/without the ability to further delegate
  • Distributed delegation using organizational hierarchy
  • Records "chain of command"

Proxy assignment
• Temporary granting of one's privilege to another

Page 40: Privilege Elements by Example

By authority of the Dean [grantor]
principal investigators [grantee (group/role)]
who have completed training [prerequisite]
can approve purchases [function]
in the School of Medicine [scope]
for research projects [resource]
up to $100,000 [limit]
until January 1, 2007, as long as a faculty member at… [conditions]

Privilege Lifecycle
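As an added example, not Signet's own code, here is the sentence on page 40 as a single assignment, evaluated with the lifecycle controls of page 38 (prerequisites that must hold before a privilege activates, date conditions, and a status condition). The group name, the training prerequisite label, the person records and the request values are constructed; the model also assumes that "until January 1, 2007" means the privilege is gone on that date. The point a practitioner would want to see is that an expired or no-longer-satisfied condition is indistinguishable from a privilege that was never granted, which is what "automatic revocation" means in practice.

```python
# Added example (not Signet's own code): evaluating the privilege elements of
# page 40 with the lifecycle controls of page 38. The assignment mirrors the
# slide's sentence; group name, prerequisite label, people and dates are constructed.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Set, Tuple


@dataclass
class Assignment:
    grantor: str
    grantee: str                 # an individual or a group/role (page 39)
    function: str                # what the holder can do
    scope: str                   # organizational unit the grant covers
    resource: str                # the target of the privilege
    limit_amount: Optional[int] = None
    prerequisites: Set[str] = field(default_factory=set)  # must hold to activate
    effective_from: Optional[date] = None                  # date controls (page 38)
    effective_until: Optional[date] = None                 # assumed exclusive
    required_status: Optional[str] = None                  # "as long as a faculty member"


@dataclass
class Person:
    uid: str
    groups: Set[str]
    completed: Set[str]          # e.g. training
    status: Optional[str]        # current affiliation from the IdM system


@dataclass
class Action:
    function: str
    scope: str
    resource: str
    amount: int
    on: date


def evaluate(a: Assignment, p: Person, act: Action) -> Tuple[bool, str]:
    """Return (permitted, reason). The first failing element names why; an expired
    assignment or one whose condition no longer holds is treated exactly like one
    never granted, which is the automatic revocation of page 38."""
    if p.uid != a.grantee and a.grantee not in p.groups:
        return False, "not a grantee"
    if a.effective_from is not None and act.on < a.effective_from:
        return False, "not yet effective"
    if a.effective_until is not None and act.on >= a.effective_until:
        return False, "expired"
    if a.required_status is not None and p.status != a.required_status:
        return False, "condition no longer holds"
    missing = a.prerequisites - p.completed
    if missing:
        return False, "prerequisite not met: " + ", ".join(sorted(missing))
    if (act.function, act.scope, act.resource) != (a.function, a.scope, a.resource):
        return False, "function/scope/resource do not match"
    if a.limit_amount is not None and act.amount > a.limit_amount:
        return False, f"limit exceeded: {act.amount} > {a.limit_amount}"
    return True, "permit"


# Page 40's sentence as one assignment (group and prerequisite names constructed).
DEAN_GRANT = Assignment(
    grantor="dean",
    grantee="som:principal-investigators",
    function="approve purchases",
    scope="School of Medicine",
    resource="research projects",
    limit_amount=100_000,
    prerequisites={"purchasing-training"},
    effective_until=date(2007, 1, 1),
    required_status="faculty",
)


def approve(p: Person, amount: int, on_iso: str,
            scope: str = "School of Medicine") -> Tuple[bool, str]:
    """Ask whether p may approve a purchase of `amount` on the ISO date `on_iso`."""
    act = Action("approve purchases", scope, "research projects", amount, date.fromisoformat(on_iso))
    return evaluate(DEAN_GRANT, p, act)


if __name__ == "__main__":
    pi = Person("pi-1", {"som:principal-investigators"}, {"purchasing-training"}, "faculty")
    print(approve(pi, 50_000, "2006-06-06"))
    print(approve(pi, 150_000, "2006-06-06"))
    print(approve(pi, 50_000, "2007-02-01"))
```

The status check reads the person's current affiliation rather than a value copied into the assignment when it was granted; that is what lets the "as long as a faculty member" condition revoke without anyone editing the grant.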


Page 43: Signet & Grouper Roadmaps

• Now available
  • Grouper v0.9: UI & API source release
  • Signet 1.0: UI, binary release
  • Subject API v0.1b
• Signet Roadmap
  • v1.1, Summer 2006 – full API source release, rules processor
• Grouper Roadmap
  • v1.0, July 2006 – group math
  • v1.1, September 2006 – group & membership aging
• Subject API
  • v1.0, ? 2006 – minor changes, updates to reference implementations

Page 44: Resources & Participation

• Grouper
  • team: University of Chicago & University of Bristol
  • http://grouper.internet2.edu
• Signet
  • team: Stanford University
  • http://signet.internet2.edu
• Internet2 Middleware Initiative
  • http://middleware.internet2.edu/
  • Documents, software, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions