Managing Roles & Privileges with Grouper and Signet Middleware Tom Barton, University of Chicago Lynn McRae, Stanford University Internet2 Spring Members Meeting, April 26, 2006


Page 1: Managing Roles & Privileges with Grouper and Signet Middleware

Tom Barton, University of Chicago
Lynn McRae, Stanford University

Internet2 Spring Members Meeting, April 26, 2006

Page 2: Groups and Roles

• Roles and Groups
  • Who someone is (identity)
  • People sharing a common trait, e.g., rank or privilege
• Roles -- you know it when you see it
  • Institutional role, e.g., faculty, Dean
  • Departmental roles, e.g., chair, admin
  • Professional role, e.g., mathematician, buyer
  • Project role, e.g., analyst, engineer
• Groups
  • Any collection of people, role-holders or not?
  • Depends on how you name it?
• Role vs group is not what matters

Page 3: Groups and Privileges

• Two categories of information are used in making access control decisions
  • Who you are
    • aka “roles”
    • cf RBAC
  • What you can do
    • aka “privileges”
    • cf “value-based authority”
• Both types of information are conveyed through attributes about a person
• Grouper and Signet are tools that let you enrich descriptive attributes about people in both ways

Page 4: Grouper

• Grouper
  • Middleware software/toolkit
    • User access through a common UI
    • Program access through a common API
  • Defines a “Groups Registry”
    • Brings scattered duplicative groups together for re-use
    • Allows useful actions on these groups -- group math, group nesting, exclusion criteria
    • Hierarchical name-space (name stems & substems)
  • Can leverage existing group information
  • Supports the creation of new groups
    • By schools, departments, and individuals!
    • Distributed/delegated model of control

Page 5: Signet

• Signet
  • Middleware software/toolkit
    • User access through a common UI
    • Program access through a common API
  • Brings privilege information together in one place -- a “Privilege Registry”
    • Central granting, can apply across multiple systems
    • Central reporting, history, auditing, review
    • Accessible to managers AND holders of privileges
  • Independent of specific vendors, systems, releases or technologies
  • Distributed/delegated model of control

Page 6: Relative Roles of Signet & Grouper

(Diagram: Grouper on the left, Signet on the right)

RBAC model
• Users are placed into groups
• Grouper allows local creation and management of group membership
• Privileges can then be assigned to groups
• Signet manages privileges to groups (as well as to individuals)
• Both “role” and privilege information can be leveraged by systems

Page 7: Access Control Decision

Q: Subject + Resource + Action + Context
• Subject = who wants to take an action, typically a person
• Resource = what is the action against, e.g., file, building, data, service, etc.
• Action = what they want to do, e.g., view, modify, enter, approve, run, etc.
• Context = time of day, academic term, weather, etc.

A: Policy interpretation and decision, e.g.
• Resource and action are available to a group, e.g., Faculty at MIT, Students in a class
• Available to anyone with “entitlement” for the service

Page 8: Access Control Decision

(Diagram: Identity Provider, Service Provider and its Rules; the subject is auth’d by the Identity Provider)
• Subject tries to access resource
• Provider evaluates required identity attributes against rules for resource
• Provider grants or denies access

Page 9: Palace Access

(Diagram: M, a MUSKETEER, at the palace gate)
• Who are you? organization=RoyalCourt, affiliation=musketeer
• What can you do? permission=palace_access
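The decision flow on pages 7 to 9, as an added example that is not part of the original deck: a small default-deny rule check written in Python. The palace rule uses the attributes shown on the slide; the `time_of_day` context, the second rule's shape and the courtier/contractor subjects are constructed for illustration.

```python
# Added example (not from the slides): a default-deny rule check at a
# service provider, following the flow on pages 7-9. Attribute names,
# rule shapes and the sample subjects below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    """One access attempt: Subject + Resource + Action + Context (page 7)."""
    subject: dict                 # identity attributes asserted by the IdP
    resource: str
    action: str
    context: dict = field(default_factory=dict)


@dataclass(frozen=True)
class Rule:
    """A resource/action is available to subjects whose attributes satisfy
    every requirement; each requirement lists the acceptable values."""
    resource: str
    action: str
    required_attrs: dict          # attribute -> set of acceptable values
    required_context: dict = field(default_factory=dict)

    def matches(self, req: Request) -> bool:
        if (self.resource, self.action) != (req.resource, req.action):
            return False
        for attr, acceptable in self.required_attrs.items():
            if not acceptable & _values(req.subject.get(attr)):
                return False
        for key, acceptable in self.required_context.items():
            if req.context.get(key) not in acceptable:
                return False
        return True


def _values(v) -> set:
    """Attributes such as affiliation are often multi-valued; normalise to a set."""
    if v is None:
        return set()
    if isinstance(v, (set, frozenset, list, tuple)):
        return set(v)
    return {v}


def decide(rules, req: Request) -> bool:
    """Default deny: grant only if some rule for this resource/action is satisfied."""
    return any(rule.matches(req) for rule in rules)


# Rules for the palace on page 9: either be a musketeer of the Royal Court
# ("who you are") or hold the palace_access permission ("what you can do").
# The second rule additionally requires a daytime request, a constructed
# context attribute of the kind page 7 mentions.
PALACE_RULES = [
    Rule("palace", "enter", {"organization": {"RoyalCourt"},
                             "affiliation": {"musketeer"}}),
    Rule("palace", "enter", {"permission": {"palace_access"}},
         required_context={"time_of_day": {"day"}}),
]


def palace_decision(subject_attrs: dict, time_of_day: str = "day") -> bool:
    req = Request(subject_attrs, "palace", "enter", {"time_of_day": time_of_day})
    return decide(PALACE_RULES, req)


if __name__ == "__main__":
    musketeer = {"organization": "RoyalCourt", "affiliation": ["member", "musketeer"]}
    courtier = {"organization": "RoyalCourt", "affiliation": ["member"]}
    contractor = {"permission": ["palace_access"]}
    print(palace_decision(musketeer))            # True
    print(palace_decision(courtier))             # False: right organization, wrong affiliation
    print(palace_decision(contractor))           # True
    print(palace_decision(contractor, "night"))  # False: entitlement only valid by day
```

Two points the slide leaves implicit are made explicit here: the provider denies unless a rule matches, and a multi-valued attribute (a person who is both a member and a musketeer) is matched value by value rather than as one string.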

Page 10: Identity & Access Management

• Each person’s online activities are shaped by many Sources of Authority
  • Institutional policy making bodies
  • Resource managers
  • Program/activity heads
  • Self
• Management of the information it conveys should be distributed
  • Hook up all of those Sources of Authority to the middleware
• Common middleware infrastructure should be operated centrally
  • Departments/programs/activities should not have to build their own core middleware

Page 11: Big picture

(Diagram)

Page 12: Big picture, without Grouper/Signet

(Diagram)

Page 13: “Groups is good”

(Diagram) Identity Management, fed by HR, carries Affiliation: faculty and Dept: Biology. The Boss asks: What about my team? …my project? …my senior staff? Without a shared groups service, the WIKI, the Email Lists and the Calendar each define their own version of the group (defineBIO_X, defineBioX, defineBio-X) and each allow access against it (allowBIO_X, allowBioX, allowBio-X).

Page 14: Departmental & other local groups

(Diagram) Identity Management, fed by HR, carries Affiliation: faculty and Dept: Biology. The Boss manages the Grouper groups biology:bio-x, biology:bio-x:admin and biology:bio-x:staff; the WIKI, the Email Lists and the Calendar each allowBio-X from those groups instead of defining their own.

Page 15: Filling the gap

(Diagram) Identity Management, fed by HR and SIS Courses, carries Affiliation: faculty and Instructor: CS-313. The Professor asks: What about my TAs? … my auditors? … extensions/makeup? Via Shib, CourseWare allows CS-313 (CS-313 grades), the Library allows CS teaching to its CompSci resources, and an External Partner allows CS affiliates.

Page 16: Extending Course infrastructure

(Diagram) As on page 15, with Grouper added: Grouper forms Class:CS-313:TA U isMemberOf: CS-313 (shown as “U =”), and the result is released via Shib to CourseWare (Allow CS-313, CS-313 grades), the Library (allow CS teaching, CompSci resources) and the External Partner (allow CS affiliates).

Page 17: Extending Course infrastructure

(Diagram) Identity Management, fed by HR and SIS Courses, carries Affiliation: faculty; SIS Courses also supplies faculty: CS-313. Grouper forms class:CS-313:TA U isMember: CS-313, released via Shib to CourseWare (allow CS-313, CS-313 grades), the Library (allow CS teaching, CompSci resources) and the External Partner (allow CS affiliates).

Page 18: Creating new identity

(Diagram) Rula Lenska: “Friends are here from Europe!” Identity Management has no affiliation for the visitors (Affiliation: ???) and Guest IDs sit in a separate system. Via Shib, Athletic Facilities admits faculty, staff, student, guest; Printing admits staff, guest; Blackboard admits student, guest.

Page 19: Creating new identity

(Diagram) Identity Management now carries Affiliation: guest for Rula Lenska’s visitors, sourced from Guest IDs. Grouper holds guestids:admin and guestids:guests; Signet grants printing(max100), blackboard(music103) and athletic(gym,after5), each with an effective date and an expiration date. Via Shib, Athletic Facilities admits faculty, staff, student, guest; Printing admits staff, guest; Blackboard admits student, guest.

Page 20: Distributing control of authority

(Diagram) Finance: A. Greenspan (“Unless the situation is reversed, these …trends will cause serious economic disruptions”) fields requests by phone, email and ticket about who can view Reporting, who can approve Reimbursements and who can spend on Requisitions. Identity Management carries only Affiliation: staff.

Page 21: Distributing control of authority

(Diagram) Depts: Identity Management still carries only Affiliation: staff, but A. Greenspan now uses Grouper and Signet. Signet records school:dept1 (view,all) and, for B. Bernake, school:dept2 (approve,1472,$100), labelled Accounts and Scope and valid while staff. Finance’s Reporting (who can view), Reimbursements (who can approve) and Requisitions (who can spend) consume these.

Page 22: Distributing control of authority

(Diagram) As on page 21, with the Grouper stems school, school:dept and school:dept:unit supplying the scope for Signet’s school:dept1 (view,all) and school:dept2 (approve,1472,$100) (B. Bernake), valid while staff; Finance’s Reporting (who can view), Reimbursements (who can approve) and Requisitions (who can spend) consume these.

Page 23: The duck test…

Grouper
• Binary info – you’re either in some list or not
• Locally tweak or combine other groups
• Identification layer of an encompassing access management scheme
• Identity- or affiliation-based access control or distribution

Signet
• Structured, qualified info – limits, conditions, scope, …
• Assignments to individuals as well as groups
• Delegation and chain of authority essential for access decisions
• Enable functional, not just technical, people to manage privileges
• Supports policy control closer to source of authority
• Audit requirements

Page 24: Consider Signet when …

• Complex group intersections and hierarchies become cumbersome
  • Difficult to track who has what and when
  • Can’t easily move people; need to delete/add
• Implementation of related access rules is scattered across systems
  • different procedures, different contacts, managing changes across areas, over time
• You need to coordinate policy, privileges and audit activities across systems

Page 25: Signet & Grouper Overview

Page 26: Grouper Overview

• Mix of manual and automation processes manage a common Groups Registry
  • Stored in an RDBMS
  • Automation processes provision info from the Groups Registry into LDAP, AD, directly into application-specific databases, wherever the value of the info warrants spending the resources to place it there
• Two types of managed objects: groups and naming stems
  • Groups are created & named with a naming stem
• Group management authority is delegatable
  • By group or by naming stem

Page 27: Grouper Groups

• Any “subject” can be a group member or privilegee
  • Persons, groups, site-defined subject types
  • Uses Subject API developed by Grouper+Signet teams
• Subgroups (now), composite groups (v1.0), and aging (v1.1) of groups and memberships
• Privileges
  • ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
• Group attribute set can be site-extended

Page 28: Naming Stems

• Groups are created with naming stems
  • Limits the authority to create and name groups
  • Support distinct activities with own authority
• Naming stems can be arranged hierarchically, e.g., uc, uc:nsit, uc:nsit:labs
• Privileges
  • STEM
    • Create subordinate naming stems
    • Assign privs for this naming stem
  • CREATE – create groups with this naming stem

Page 29: Composite Groups

• Membership is defined by composing the memberships of 2 other groups
  • A = B ∪ C (union)
  • A = B ∩ C (intersection)
  • A = B – C (relative complement)
• Common use – “tweak” existing groups
  • Whitelist or blacklist factored in to another group

Page 30: Example: Computer Cluster Access

(Diagram: groups feeding the access decision)
• nsit:labs:eligible (manual), fed by:
  • nsit:labs:whitelist (manual)
  • uc:faculty (auto)
  • uc:staff (auto)
  • categories of entitled students (auto)
  • time dependent student categories (auto)
• nsit:labs:barred (manual), fed by:
  • nsit:labs:blacklist (manual)
  • categories of barred students (auto)
• Allow access if in (nsit:labs:eligible – nsit:labs:barred)
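The group math on page 29 and the cluster-access composition on page 30, as an added Python example that is not Grouper’s code: a toy registry with nested groups and two-factor composite groups, evaluated to an effective membership. The group names follow the slide; the individual memberships, the names of the “auto” student groups, and the assumption that `nsit:labs:eligible` and `nsit:labs:barred` nest the groups shown feeding them are constructed.

```python
# Added example (not Grouper's code) for the group math on page 29 and the
# cluster-access slide on page 30. Group names follow the slide; memberships
# and the nesting of the "auto" feeder groups are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Group:
    name: str
    direct: FrozenSet[str] = frozenset()              # subjects listed directly
    subgroups: Tuple[str, ...] = ()                   # nested groups (page 27)
    # Composite: exactly two factor groups and an operator (page 29).
    composite: Optional[Tuple[str, str, str]] = None  # (op, left, right)


Registry = Dict[str, Group]

OPS = {
    "union": lambda l, r: l | r,          # A = B ∪ C
    "intersection": lambda l, r: l & r,   # A = B ∩ C
    "complement": lambda l, r: l - r,     # A = B – C
}


def members(reg: Registry, name: str, seen: FrozenSet[str] = frozenset()) -> FrozenSet[str]:
    """Effective membership: flatten nested groups and evaluate composites.
    `seen` rejects a group that, directly or through nesting, contains itself."""
    if name in seen:
        raise ValueError(f"membership cycle through {name}")
    seen = seen | {name}
    g = reg[name]
    if g.composite is not None:
        op, left, right = g.composite
        return frozenset(OPS[op](members(reg, left, seen), members(reg, right, seen)))
    result = set(g.direct)
    for sub in g.subgroups:
        result |= members(reg, sub, seen)
    return frozenset(result)


def build_registry() -> Registry:
    """Constructed sample matching page 30. The 'auto' groups would be loaded
    from source systems; the 'manual' ones are maintained by lab staff."""
    groups = [
        Group("uc:faculty", frozenset({"alice"})),                    # auto
        Group("uc:staff", frozenset({"bob"})),                        # auto
        Group("uc:students:entitled", frozenset({"carol", "dave"})),  # auto
        Group("uc:students:current_term", frozenset({"erin"})),      # auto, time dependent
        Group("uc:students:barred", frozenset({"erin"})),            # auto
        Group("nsit:labs:whitelist", frozenset({"frank"})),          # manual
        Group("nsit:labs:blacklist", frozenset({"dave"})),           # manual
        # eligible nests the whitelist and the four entitled populations
        Group("nsit:labs:eligible", subgroups=(
            "nsit:labs:whitelist", "uc:faculty", "uc:staff",
            "uc:students:entitled", "uc:students:current_term")),
        # barred nests the blacklist and the barred student categories
        Group("nsit:labs:barred", subgroups=("nsit:labs:blacklist", "uc:students:barred")),
        # the access group is the relative complement eligible – barred
        Group("nsit:labs:access",
              composite=("complement", "nsit:labs:eligible", "nsit:labs:barred")),
    ]
    return {g.name: g for g in groups}


def allow_access(reg: Registry, subject: str) -> bool:
    """Allow access if in (nsit:labs:eligible – nsit:labs:barred)."""
    return subject in members(reg, "nsit:labs:access")


if __name__ == "__main__":
    reg = build_registry()
    print(sorted(members(reg, "nsit:labs:access")))  # ['alice', 'bob', 'carol', 'frank']
    for who in ("alice", "dave", "erin", "frank", "zed"):
        print(who, allow_access(reg, who))
```

Because the complement is taken last, a subject who is entitled through an automatic feed but blacklisted by hand (dave) is denied, and the blacklist cannot be undone by adding the same person to the whitelist; that ordering is the security property the slide’s formula encodes. A composite takes exactly two factors, as on page 29, so a three-way union is expressed by nesting.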

Page 31: Systems Integration

• API
• XML Import/Export Tool
  • Snapshots Groups Registry, including naming stems and privileges
    • A single group
    • All subordinate to a specified naming stem
    • All matching a search condition
    • Entire Registry

Page 32: Signet Overview

• Analysts define privileges in functional terms and specify associated system-level permissions

• Signet presents this functional view in a Web UI where users assign privileges & delegate authority across all areas in which they have authority

• Signet internally maps assigned privileges into system-specific terms needed by applications

• Privileges are exported, transformed, & provisioned into applications and infrastructure services

• Signet provides automated lifecycle controls

Page 33: Privileges Building Blocks

Functional view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions

System view
• Permissions
  • Subject
  • Action
  • Resource

Page 34: Functional View

Subsystems contain…
• Limits – Qualifiers, constraints for a privilege
• Scope – Organizational hierarchy governing distributed delegation
• Functions – The things a person can do; what they are getting privileges for
• Categories – Provide useful arrangement of functions within a subsystem; for reporting, ease of use

Page 35: Functional View

(Diagram: subsystems organizing actions into categories, functions and limits)
• Subsystems: Clinical Trial, Student Admin
• Categories: Protocol A, Materials Control, Course Support, Financial Aid
• Functions: Patient Records, Manage Grant, Lab Access, Admin, Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts
• Limits: Which term, From Fund…, Read/Write, Hours, For school…, For fund…, Which campus, Qty/day, $ constraints

Page 36: Systems View

Permissions
• Atomic units of control that map to specific access rules in systems
• Includes limits that must be evaluated when interpreting permissions

Resources
• The target of a specific privilege; things that have access rules to control their use

Page 37: Functional View Permissions

(Diagram mapping the functional view onto resources/permissions)
• Functional view: subsystem Student Admin; categories Course Support and Financial Aid; functions Add/Drop students, Schedule Classes, Process Applicants, Award Scholarships, Manage Accounts
• Resources: Calendar, Course, Facilities, Financial, Student
• Permissions: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room

Page 38: Systems Integration

• API
• Permissions document
  • XML representation of privileges for an individual or group
  • Will be compatible with XACML

Page 39: Privileges Lifecycle

Conditions
• Provides automatic revocation of privileges
• Date controls -- from date, until date
• Will be based on person’s status, affiliation, etc., e.g., as long as person is at Stanford

Prerequisites
• Pre-conditions that must be met to activate privileges, e.g., training

Page 40: Other features

Assignments can be
• To an individual
• To a Group
• With/without ability to further delegate
  • Distributed delegation using organizational hierarchy
  • Records “chain of command”

Proxy assignment
• Temporary granting of one’s privilege to another

Page 41: Privilege Elements by Example

• By authority of the Dean – grantor
• principal investigators – grantee (group/role)
• who have completed training – prerequisite
• can approve purchases – function
• in the School of Medicine – scope
• for research projects – resource
• up to $100,000 – limit
• until January 1, 2007; as long as a faculty member at… – conditions (Privilege Lifecycle)
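The lifecycle controls on page 39 and the privilege spelled out on page 41, as an added Python example that is not Signet’s code: a privilege record carrying grantor, grantee, prerequisite, function, scope, resource, limit and conditions, plus a check that reports why an assignment is or is not active before any amount or scope is considered. The field names, the `parent:child` convention for organizational scope, the effective date and the sample person are assumptions.

```python
# Added example (not Signet's code) for the lifecycle controls on page 39
# and the privilege on page 41. Field names, the scope convention, the
# effective date and the sample people are constructed for illustration.
from dataclasses import dataclass
from datetime import date
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class Person:
    name: str
    affiliations: FrozenSet[str]
    groups: FrozenSet[str] = frozenset()              # e.g. Grouper groups
    completed_training: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Privilege:
    """The elements listed on page 41."""
    grantor: str
    grantee: str                         # an individual or a group/role
    prerequisites: FrozenSet[str]        # must be met to activate (page 39)
    function: str
    scope: str                           # org unit; sub-units written "parent:child"
    resource: str
    limit: Optional[int]                 # dollar ceiling, None for unlimited
    effective_from: date                 # conditions: date controls
    until: Optional[date]
    condition: Callable[[Person], bool]  # conditions: status/affiliation


def status(priv: Privilege, person: Person, today: date) -> str:
    """Lifecycle state of the assignment for this person on this day."""
    if person.name != priv.grantee and priv.grantee not in person.groups:
        return "not granted"
    if today < priv.effective_from:
        return "not yet effective"
    # Modelling choice: "until" is the first day the privilege no longer holds.
    if priv.until is not None and today >= priv.until:
        return "expired"
    if not priv.condition(person):
        return "revoked by condition"   # automatic revocation, page 39
    if not priv.prerequisites <= person.completed_training:
        return "pending prerequisite"
    return "active"


def in_scope(scope: str, unit: str) -> bool:
    """A privilege scoped to an org unit covers that unit and its sub-units."""
    return unit == scope or unit.startswith(scope + ":")


def authorize(priv: Privilege, person: Person, today: date,
              function: str, unit: str, resource: str, amount: int) -> bool:
    return bool(status(priv, person, today) == "active"
                and function == priv.function
                and resource == priv.resource
                and in_scope(priv.scope, unit)
                and (priv.limit is None or amount <= priv.limit))


# The privilege on page 41, expressed in this model.
APPROVE_PURCHASES = Privilege(
    grantor="Dean",
    grantee="principal_investigators",
    prerequisites=frozenset({"purchasing_training"}),
    function="approve purchases",
    scope="School of Medicine",
    resource="research projects",
    limit=100_000,
    effective_from=date(2006, 4, 26),          # constructed
    until=date(2007, 1, 1),                    # "until January 1, 2007"
    condition=lambda p: "faculty" in p.affiliations,  # "as long as a faculty member"
)

# Constructed principal investigator who holds the group and has trained.
PI = Person("dr_li", frozenset({"faculty"}), frozenset({"principal_investigators"}),
            frozenset({"purchasing_training"}))
SAMPLE_DAY = date(2006, 6, 1)


def approve(person: Person, today: date, amount: int,
            unit: str = "School of Medicine:Cardiology") -> bool:
    return authorize(APPROVE_PURCHASES, person, today, "approve purchases",
                     unit, "research projects", amount)


if __name__ == "__main__":
    print(approve(PI, SAMPLE_DAY, 50_000))                          # True
    print(approve(PI, SAMPLE_DAY, 150_000))                         # False: over limit
    print(approve(PI, SAMPLE_DAY, 1_000, unit="School of Law"))     # False: out of scope
    print(status(APPROVE_PURCHASES, PI, APPROVE_PURCHASES.until))   # expired
```

Returning a named state rather than a bare False is what makes the central reporting and review on page 5 possible: an auditor can see that a grant lapsed because the holder left the faculty, as distinct from one that was never made.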

Page 42: Generic Integration Architecture

(Diagram)

Page 43: Further Integration Tasks

• Automated loading of groups & privileges
• Authentication service
• Application-specific integration capabilities
• Site-specific LDAP schema
• Authoring/maintaining subsystem metadata
• Solution requisites
  • Which groups should be made available to the calendaring, email list, & wiki systems?
  • The Boss may need an automatic grant of a Signet privilege to manage his wiki space
  • Implementing service policies – Grouper naming stems & privileges or Signet privileges

Page 44: Subject API: Site IAM Integration Requirements

• Subject - a person, group, application, or other type of object whose identity is managed by your IAM system
• Abstract the underlying technology and data model from a relying application
• Enable identifier namespaces to be selected to match application needs
  • Username vs. opaque registryID vs. …
• Scenarios
  • Map authenticated user to internal security principal
  • Reference/search objects within application

Page 45: Subject API: Integration with Site’s IAM

(Diagram)

Page 46: Source Adapter Configuration

• Name the source & specify connection details
• Name the type or types of subjects residing there
• Identify attributes/columns distinguished as “subjectID”, “name” and “description”
• Specify back-end-specific searches for each type and each search method
  • Select
  • Search by identifier
  • Search
• Sites should make consistent assignment of source and type names across all source adapter instances
  • They are persisted by Subject API clients
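The Subject API requirements on page 44 and the source adapter configuration on page 46, as an added Python example that is not the Internet2 Subject API or one of its adapters: an in-memory source exposing select, search by identifier and search over configured subjectID/name/description columns, fronted by a resolver that looks subjects up by the (source, type, subjectID) triple that clients persist. Source names, attribute names and the people and group are constructed.

```python
# Added example (not the Internet2 Subject API or its adapters): an in-memory
# subject source with the three search methods on page 46 and the identifier
# namespace choice from page 44. Source/type names, attributes and subjects
# are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Subject:
    source: str                   # which source adapter produced it
    type: str                     # e.g. "person" or "group"
    id: str                       # value of the column configured as "subjectID"
    name: str
    description: str
    identifiers: Dict[str, str]   # other namespaces, e.g. username


class InMemorySource:
    """One source adapter instance: a named source holding one subject type."""

    def __init__(self, source_name, subject_type, id_attr, name_attr,
                 desc_attr, identifier_attrs, rows):
        self.source_name = source_name
        self.subject_type = subject_type
        self._subjects = [
            Subject(source_name, subject_type, row[id_attr], row[name_attr],
                    row[desc_attr],
                    {a: row[a] for a in identifier_attrs if a in row})
            for row in rows
        ]

    def select(self, subject_id: str) -> Optional[Subject]:
        """Select: exact lookup in the subjectID namespace only."""
        return next((s for s in self._subjects if s.id == subject_id), None)

    def search_by_identifier(self, identifier: str) -> Optional[Subject]:
        """Search by identifier: subjectID or any configured identifier namespace.
        A hit is returned only when unique, so it is safe to map an
        authenticated user onto a security principal (page 44)."""
        hits = [s for s in self._subjects
                if s.id == identifier or identifier in s.identifiers.values()]
        return hits[0] if len(hits) == 1 else None

    def search(self, text: str) -> List[Subject]:
        """Search: case-insensitive substring match on name and description."""
        t = text.lower()
        return [s for s in self._subjects
                if t in s.name.lower() or t in s.description.lower()]


class SubjectResolver:
    """Front for several sources. Grouper- or Signet-style clients persist
    (source, type, subjectID) and resolve it back through here."""

    def __init__(self, sources):
        self._sources = {s.source_name: s for s in sources}

    def resolve(self, source: str, subject_type: str, subject_id: str) -> Optional[Subject]:
        src = self._sources.get(source)
        if src is None or src.subject_type != subject_type:
            return None
        return src.select(subject_id)

    def find_by_identifier(self, identifier: str) -> Optional[Subject]:
        hits = [src.search_by_identifier(identifier) for src in self._sources.values()]
        hits = [h for h in hits if h is not None]
        return hits[0] if len(hits) == 1 else None


# Constructed sample data. People are keyed by an opaque registryID, with the
# username as a second identifier namespace; groups are keyed by their name.
PEOPLE = InMemorySource(
    "people", "person", id_attr="registryID", name_attr="cn", desc_attr="title",
    identifier_attrs=("uid",),
    rows=[
        {"registryID": "r001", "uid": "ang", "cn": "Alice Ng", "title": "Biology faculty"},
        {"registryID": "r002", "uid": "broy", "cn": "Bob Roy", "title": "Biology staff"},
        {"registryID": "r003", "uid": "rroy", "cn": "Rita Roy", "title": "CS graduate student"},
    ])
GROUPS = InMemorySource(
    "groups", "group", id_attr="name", name_attr="displayName", desc_attr="description",
    identifier_attrs=(),
    rows=[
        {"name": "biology:bio-x", "displayName": "Bio-X", "description": "Bio-X project team"},
    ])


def build_resolver() -> SubjectResolver:
    return SubjectResolver([PEOPLE, GROUPS])


if __name__ == "__main__":
    api = build_resolver()
    print(api.resolve("people", "person", "r001").name)   # Alice Ng
    print(api.find_by_identifier("broy").id)               # r002
    print([s.name for s in PEOPLE.search("roy")])          # ['Bob Roy', 'Rita Roy']
    print(api.find_by_identifier("biology:bio-x").type)    # group
    print(api.resolve("people", "group", "r001"))          # None: type mismatch
```

The resolver refuses a persisted reference whose type does not match the source, which is why page 46 asks sites to keep source and type names consistent across adapter instances: a stored (source, type, id) triple is only as stable as those names.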

Page 47: Signet & Grouper Roadmaps

• Now available
  • Grouper v0.9. UI & API source release
  • Signet 1.0. UI, binary release
  • Subject API v0.1b
• Signet Roadmap
  • v1.1, ? 2006 – full API source release
  • v1.2, ? 2006 – rules processor
• Grouper Roadmap
  • v1.0, May 2006 – group math
  • v1.1, ? 2006 – group & membership aging
• Subject API
  • v1.0, ? 2006 – minor changes, updates to reference implementations

Page 48: Resources & Participation

• Grouper
  • team: University of Chicago & University of Bristol
  • http://grouper.internet2.edu
• Signet
  • team: Stanford University
  • http://signet.internet2.edu
• Internet2 Middleware Initiative
  • http://middleware.internet2.edu/
  • Documents, software, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions