Early Adopters / Deployers
• Patterns and criteria for distinguishing roles and groups-based access control vs. privilege management. Why use one or the other, or more importantly, why do we need both? Updated documentation and presentation material will be offered for discussion and review.
• Software to move data in and out of Signet and Grouper is not part of the core of either product, but is vital to connect them to your infrastructure. We'll have a technical design discussion on our basic JDBC and JNDI SourceAdaptor and emerging Subject API specification, and will explore how to make these configurable to a variety of specific needs.
Use Case: “Groups are good”
• What
  • People create groups that have real-world meaning and can be used in many ways -- my staff, project team, board members, etc.
• Grouper
  • Distributed model of managing such groups through delegated name stems
  • Personal groups?
• Signet
  • Ability to assign privs to such groups
• Apps
  • Those interested in using shared groups in general
Use Case: Stanford: WebAuth
• What
  • Allow access to web pages based on group membership
• Grouper (Stanford workgroup)
  • User managed groups
  • System managed groups (course and department affiliations)
• WebAuth
  • Data provisioned to LDAP directory
  • Extends Apache “require group” directive in .htaccess file to refer to group references in Person LDAP entries
Use Case: Duke: Mailing Lists
• What
  • “basic authorization and mailing list functionality”
• Grouper
  • Subscribers
  • Roles, e.g., owner, maintainer?
• Signet
  • ?
• Application?
Use Case: Duke: Calendar groups
• What
  • “basic authorization and mailing list functionality”
• Grouper
  • Simple membership
  • How?
• Signet
  • ???
Use Case: USC: Additional groups
• What
  • Augment existing, beloved group management system to support delegated administration of groups
• Grouper
  • Define basic inclusion/exclusion groups
  • Provisioned into LDAP
• Nightly processor
  • Integrate Grouper groups with LDAP groups, apply group math
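The “group math” a nightly processor of the USC kind performs, as an added example (not code from the slides or from Grouper itself): nested and include/exclude groups are flattened to an effective member set, then diffed against the current LDAP group so only the delta is written. The group names, uids and DN layout are constructed sample data.

```python
from __future__ import annotations

# Constructed stand-in for the Grouper registry: each group's direct
# members are people (uids) or other groups (names containing ':').
DIRECT_MEMBERS = {
    "usc:lab:staff": {"alice", "bob"},
    "usc:lab:students": {"carol", "dave", "usc:lab:visitors"},
    "usc:lab:visitors": {"erin"},
    "usc:lab:on-leave": {"dave"},
}
# Composite groups: effective members = members of the include groups
# minus members of the exclude groups (exclusion always wins).
COMPOSITES = {
    "usc:lab:cluster-users": (["usc:lab:staff", "usc:lab:students"],
                              ["usc:lab:on-leave"]),
}
# Constructed snapshot of the LDAP group as it stands before the run.
LDAP_MEMBERS = {"usc:lab:cluster-users": {"alice", "bob", "frank"}}

def flatten(group, path=frozenset()):
    """Resolve nested and composite groups to a flat set of people."""
    if group in path:  # cycle guard: a group reached via itself adds nothing
        return set()
    path = path | {group}
    if group in COMPOSITES:
        includes, excludes = COMPOSITES[group]
        inc = set().union(*(flatten(g, path) for g in includes))
        exc = set().union(*(flatten(g, path) for g in excludes))
        return inc - exc
    people = set()
    for m in DIRECT_MEMBERS.get(group, set()):
        people |= flatten(m, path) if ":" in m else {m}
    return people

def plan_changes(group):
    """Diff desired membership against LDAP so the nightly run is idempotent."""
    desired, current = flatten(group), LDAP_MEMBERS.get(group, set())
    return {"add": sorted(desired - current), "delete": sorted(current - desired)}

def to_ldif(group, base="ou=groups,dc=example,dc=edu"):
    """Render the plan as an LDIF modify record (DN layout is a constructed assumption)."""
    lines = [f"dn: cn={group},{base}", "changetype: modify"]
    for op, uids in plan_changes(group).items():
        for uid in uids:
            lines += [f"{op}: member", f"member: uid={uid},ou=people,dc=example,dc=edu", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_ldif("usc:lab:cluster-users"))
```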
Use Case: U. Chicago: Instant Messaging
• What
  • Instant messaging platform. The rosters would be automatically populated based on work group.
• Grouper
  • Information that we keep on our users is not detailed enough to be used to group people into their individual work groups. Grouper would be used by the managers of the individual work groups to define who is in their group.
  • This data would then be read from the Grouper db by a program which would provision the rosters of the relevant people in the IM server (directly to Jabber server? Via LDAP?)
Use Case: Others?
• What
  • Wiki groups
  • Files (e.g., AFS pts groups)
  • Portal groups
  • Document sharing (e.g., Docushare)
  • CVS Groups
  • Ticket tracking (Wash)
Use Case: Cornell: GuestIDs
• What
  • Guestids for people in a weekend course at the hotel school, or a class that uses the blackboard system, or someone that needs wireless access for some period of time, etc.
• Grouper
  • All guests placed in a group (provisioned via LDAP) to which privs are assigned
  • Admins placed in a group (provisioned from PeopleSoft/HR, augmented by Admin adding people to same group)
  • Self-signup guest discussion list group (opt-in)
Use Case: Cornell: GuestIDs (cont)
• Signet
  • Manage Admin access rights -- assignments to groups
  • Assign guest privileges to full guest group (campus bus)
  • … to individuals (weight room, blackboard, printing) (only to those with guestIDs / in guest group?)
  • With effective and expiration dates (managed by Signet)
• Other stuff
  • GuestId expiration based on last service
Use Case: Cornell: WebFinancials
• What
  • Manage access privileges for account, or for all accounts in department or unit
• Grouper
  • Each department defined as group, using hierarchy naming and nesting
  • Capture account “membership” in departments or as subgroups in department stem
• Signet
  • Assign level of priv (unit/dept) by scope
  • Qualify privilege by type (Labor, Gift, etc) & year (limits)
Use Case: Cornell: WebFinancials (cont)
• Signet Prerequisite
  • Policy agreement (how recorded?) (rule condition)
• Signet Exported permissions
  • Subject (person with privilege)
  • Resource (specific acct, groups of accts)
  • Action (view) is implicit
• WebFinancials application
  • Can read account-level permission directly
  • Can map account request to a dept/unit permission via “isMemberOf”
  • Would like direct query to a web services auth service
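How an application could evaluate exported Signet permissions of the kind the WebFinancials and GuestIDs slides describe, as an added example (not code from the slides, Signet or Cornell): an assignment is honoured only if it is within its effective/expiration dates, its scope covers the account (directly, or through the account's isMemberOf stems), and the account matches the type/year limits. Account ids, stem names, dates and the `Assignment` shape are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Assignment:
    """One Signet assignment as exported to an application; action 'view' is implicit."""
    subject: str
    scope: str                       # a specific account id, or a unit/department stem
    effective: date
    expiration: date | None = None   # None = no expiration
    limits: dict[str, frozenset[str]] = field(default_factory=dict)  # e.g. {"type": {"Labor"}}

# Constructed account records: the isMemberOf values the account's LDAP entry would
# carry, plus the attributes the limits are checked against.
ACCOUNTS = {
    "acct-1001": {"isMemberOf": ["cornell:unit-x:dept-a:accounts"], "type": "Labor", "year": "2006"},
    "acct-2002": {"isMemberOf": ["cornell:unit-x:dept-b:accounts"], "type": "Gift", "year": "2006"},
    "acct-3003": {"isMemberOf": ["cornell:unit-y:dept-c:accounts"], "type": "Labor", "year": "2005"},
}
# Constructed assignments: a unit-wide Labor-only grant, an account-level grant,
# and a time-boxed guest grant of the GuestIDs kind.
ASSIGNMENTS = [
    Assignment("alice", "cornell:unit-x", date(2006, 1, 1), date(2006, 12, 31), {"type": frozenset({"Labor"})}),
    Assignment("bob", "acct-2002", date(2006, 3, 1)),
    Assignment("guest42", "cornell:unit-y", date(2006, 5, 1), date(2006, 5, 14)),
]

def in_scope(scope: str, account: str) -> bool:
    """Account scope matches by id; a stem scope matches via the account's isMemberOf groups.
    The ':' boundary stops 'cornell:unit-x' from covering 'cornell:unit-xy'."""
    groups = ACCOUNTS[account]["isMemberOf"]
    return scope == account or any(g == scope or g.startswith(scope + ":") for g in groups)

def active(a: Assignment, on: date) -> bool:
    return a.effective <= on and (a.expiration is None or on <= a.expiration)

def within_limits(a: Assignment, account: str) -> bool:
    return all(ACCOUNTS[account][k] in allowed for k, allowed in a.limits.items())

def may_view(subject: str, account: str, on: date) -> bool:
    """Grant view only if some assignment for the subject is active, in scope and within limits."""
    return any(a.subject == subject and active(a, on) and in_scope(a.scope, account)
               and within_limits(a, account) for a in ASSIGNMENTS)

def may_view_on(subject: str, account: str, iso_day: str) -> bool:
    """Convenience wrapper taking the day as 'YYYY-MM-DD'."""
    return may_view(subject, account, date.fromisoformat(iso_day))
```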
Use Case: Stanford: Financial Approver
• What
  • Designate financial approvers for several electronic financial transactions
• Signet (Stanford Authority)
  • Similar to WebFinancials
  • Uses administrative departmental hierarchy
  • All/some accounts for a department -or- all accounts for projects managed by a PI
  • Direct provisioning to Oracle Financials
  • “is an approver” is a testable fact (a role?)
Use Case: Brown: Course videos
• What
  • Steve Carmody: I'd like to be able to say to Signet "give this course [members?] permission to view this video", and have Signet's ldap connector add an entitlement value to the group object [?] in our ldap directory that represents the course...
• Grouper
  • ???
• Signet
  • Central accts office (root) delegates to [courseware that delegates to] TA for Course X the auth to manage video permissions for students in course X
  • The TA grants students authority to view specific videos - starting on … for 2 weeks
Use Case: USC: Portal Access Control
• What
  • Investigate replacing internal Portal groups with Grouper/Signet management
• Grouper
  • ???
• Signet
  • ???
Use Case: Chicago: Licensed software
• What
  • Centrally managed software with variety of licensed software -- site-licensed, departmental/project/individual usage. Eliminate physical distribution.
• Grouper
  • Group per software package
• Signet
  • Function with software as limit
Use Case: Chicago: Blackboard Collaboration
• What
  • Set up tools to support collaboration for “organizations” or groups (in addition to classes)
• Grouper
  • Registration. Organization liaison given group in which to maintain organization membership
• Signet
  • Manage which tools are enabled for which organizations
  • Coordinates services across systems
Use Case: MyVocs
• What
  • Could Grouper and Signet in myVocs expand the flexibility of group and role assignments across a large collection of distributed applications? If Grouper/Signet are integrated into myVocs they will be available to UABgrid.
  • NCSA and UAB are collaborating to integrate GridShib with myVocs. We are considering using Grouper as a source of attributes in myVocs, in particular, and VOs, in general.
• Grouper
• Signet
• Shibboleth
Use Case: U. Missouri: Great Plains Network
• What
  • Manage authorization for individuals or groups of users in a Virtual Organization that could span multiple institutions and identity management systems. The Great Plains Network (GPN) is developing a multi-institutional collaboration environment whose members comprise institutions/organizations that:
    • Utilize autonomous Identity Management systems operated by each institution from which GPN collaborators are employed (identified)
    • Each institution can provide resources (e.g., processing or storage) that can be shared among the participating parties using web based and grid computing technologies.
    • Participants (each person) must be provided with authorizations (e.g., edu entitlements) to use various GPN VO resources through their home organization, but managed in some fashion from the GPN VO. This would require pushing entitlement data into multiple IdM systems from an external entity, such as the GPN VO. The management overhead of authorizations must be kept at a minimum, yet provide institutional controls at several levels.
  • Participants authenticate themselves through their home institution and obtain "credentials" to access resources distributed throughout the VO community. There is not a single application or resource involved, but multiple applications and resources distributed among the participating institutions. Individuals may be granted collaborative access to none, some or all of the applications/resources offered by the VO.
Use Case: U. Missouri: Great Plains Network
• Grouper
  • Each institution records V.O. membership locally; resulting “is member” attribute is released to cooperating institutions (big issue is who has authority to make assertions)
  • Each institution records member role information locally (scientist? admin? where such exists), also as a shared attribute
  • All necessary roles are articulated as groups at each institution, whether they have local members or not.
• Signet
  • Each institution assigned permissions to its own resources, either to individuals (known locally) or to groups
  • Signet could “learn” about people outside the local identity management software via login -- a useful concept?
Use Case: Wisconsin: Authorization Workflow
• What
  • Replace paper-based authorization workflow
• Grouper
  • ???
• Signet
  • Delegation of authority, distribution down an organization hierarchy
Use Case: UCDavis: Travel Expense
• What
  • Manage expense approvals for Travel reimbursements
  • The new T&E system is a commercial product (Concur) being readied by the Accounting division.
• Grouper
  • Define groups below departmental level for delegation
• Signet
  • Seed/maintain expense-approval delegations, starting with small set of policy-based expense approvers (high-level administrators) who are readily identified. These top-level approvers delegate expense approval privileges for their organizational branch (or sub-branches) to various subordinates.
  • Delegations may be done down to a sub-departmental level, i.e., to +/- arbitrary groups of departmental employees.
  • Grantees may have limits on approval amounts different (lower) than that provided to grantors.
  • Operationally, export privileges to the T&E system. I've been told that this system has a web services interface. Details TBD. If Accounting thinks the Signet UI is not far along enough to meet their needs, we may need an interim application. At the moment I've mapped T&E concepts to a Signet subsystem, and am readying prototype data (orgs and people).
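The delegation rule the UCDavis slide states (approval authority flows down an organizational branch, and a grantee's amount limit may not exceed the grantor's), as an added example that is not code from the slides, Signet or UC Davis: each delegation is checked against what the grantor actually holds over that branch before it is recorded. Branch names, people and dollar limits are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    grantee: str
    branch: str                 # organizational branch (stem); covers its sub-branches
    limit: int                  # maximum amount the grantee may approve
    grantor: str | None = None  # None for the seeded policy-based approvers

class DelegationError(ValueError):
    """Raised when a delegation exceeds what the grantor actually holds."""

def covers(branch: str, target: str) -> bool:
    """A branch covers itself and any sub-branch named beneath it."""
    return target == branch or target.startswith(branch + ":")

class Approvals:
    def __init__(self, seed: list[Grant]):
        self.grants: list[Grant] = list(seed)

    def authority(self, who: str, branch: str) -> int:
        """Highest approval limit `who` holds over `branch` (0 if none)."""
        return max((g.limit for g in self.grants
                    if g.grantee == who and covers(g.branch, branch)), default=0)

    def delegate(self, grantor: str, grantee: str, branch: str, limit: int) -> Grant:
        """Record a delegation, refusing anything outside the grantor's branch or above their limit."""
        held = self.authority(grantor, branch)
        if held == 0:
            raise DelegationError(f"{grantor} holds no approval authority over {branch}")
        if limit > held:
            raise DelegationError(f"{grantor} may delegate at most {held}, not {limit}")
        grant = Grant(grantee, branch, limit, grantor)
        self.grants.append(grant)
        return grant

    def may_approve(self, who: str, branch: str, amount: int) -> bool:
        return amount <= self.authority(who, branch)

def demo() -> Approvals:
    """Constructed seed and delegation chain: dean -> department chair -> unit admin."""
    approvals = Approvals([Grant("dean", "ucd:engineering", 100_000)])
    approvals.delegate("dean", "chair", "ucd:engineering:cs", 25_000)
    approvals.delegate("chair", "admin", "ucd:engineering:cs:sysgroup", 5_000)
    return approvals
```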
Use Case: U.Chicago: Computer Cluster Access
• What
  • Express complex access policy in LDAP attributes that condition workstation login
• Grouper function
  • Group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy
  • Whitelist & blacklist policy exception capability given to cluster administrators
  • Cluster admins tweak classifying hierarchy as needed
• Signet function
  • None at present. Would be used if, for example, departments were to authorize access to their own computer labs
Use Case: U.Chicago: Computer Cluster Access