Access Management with Grouper

Tom BartonUniversity of Chicago

2

Outline

• Why build an access management tool?• Grouper basics• Implementation examples• New features• Grouper Roadmap

3

Why?

• Lower cost by factoring access management out

• Simplify & make consistent by using one group in many places

• Let the right people manage access, directly

• See who can access what, in one place

4

Grouper: core concepts

Folders in hierarchies

Group

Direct members

Subgroup

Indirect members

• Composite groups• Custom attributes

5

Security & delegation

• Create groups• Create subfolders

• Admin• Update membership• Read membership• View group• Opt-in• Opt-out

Delegation

6

What’s in a Grouper group?

• Folder name• Names – one short, one display• GUID• Description• Members – opaque Subject references• Privilegees – opaque Subject references• Operational attributes

7

Grouper integrationApplication

LDAP/ADPersonsOrgs

Identity Management

ShibbolethIdP

SAMLLDAP/AD

SO

AP

RE

ST

Grouper Client

Grouper Shell

GrouperDatabase

Web Services

JavaAPI

UIJNDI Source Adapter

JDBC Source Adapter

Subject API

Grouper Loader

LDAP Provisioning Connector

Systems of Record

XMLscript

gsh%

Grouper integration:Subject API

• Uses:• Grab Subject’s attributes• Search for Subjects• Identifier crosswalk

• JNDI & JDBC adapters provided• Plug-in interface for custom adapters

9

Grouper integration:LDAP provisioning connector

• Push groups and/or memberships to LDAP• Variety of selection criteria• Configurable appearance of LDAP entries• Full & incremental provisioning modes now• Asynchronous updating planned

JavaAPI

LDAP Provisioning Connector

LDAP/AD

10

Grouper integration:Web Services

• (SOAP, REST) x (Lite, Heavy)• Large fraction of java API is exposed• Authentication by container or Rampart

• Basic, kerberos, X.509, SAML• actAs

• .NET and PHP dev guides by U Newcastle

11

Grouper integration:Loader

• Dynamically create and maintain memberships and systems of groups by SQL queries

• Quartz-based service/daemon

12

Grouper Integration:Grouper Shell

• Command line interface to java API & tools• XML import/export• Batch scripts• Low-level grouper system administration

Grouper integration:Hooks

• 3rd party extension of key API events• Veto & notify• Group, Stem, Member, Membership, Composite,

Field, GrouperSession, GroupType, GroupTypeTuple• preInsert, postInsert, postCommitInsert, preUpdate,

postUpdate, postCommitUpdate, preDelete, postDelete, postCommitDelete

• addMember, removeMember• LifecycleHooks

14

EXAMPLES

15

16

dn: uid=tbarton,ou=people,dc=uchicago,dc=eduucismemberof: uc:org:nsit:integration:techagucismemberof: uc:org:nsit:srdirsucismemberof: uc:org:nsit:integration:iteco:wrucismemberof: uc:applications:confluence:NSIT:esxucismemberof: uc:org:nsit:integration:iteco:rducismemberof: uc:applications:confluence:NSIT:Directorsucismemberof: uc:org:nsit:staffucismemberof: uc:applications:confluence:NSIT:Everyoneucismemberof: uc:org:nsit:integration:shib_groupucismemberof: uc:applications:bulkmail:usersucismemberof: uc:org:library:gnet:adminsucismemberof: uc:applications:gnetid:adminsucismemberof: uc:applications:wireless:authorizeducismemberof: uc:applications:cmail:users:authorizeducismemberof: uc:reference:affiliations:effective:staff

LDAP entry foruid=tbarton,ou=people,dc=uchicago,dc=edu

ucIsMemberOf : uc:org:nsit:srdirsucIsMemberOf :

uc:reference:affiliations:effective:staff

Memberships become LDAP attributes

ucIsMemberOf : uc:applications:vpn:authorized

17

UChicago: simple delegation examples

• Wireless & VPN• Guest network ID management • Business Objects access• Different groups, different authorities

eligible unauthorized

studentstaff

alum hospital

closure

lockedauthorized

postdoc

= ̶L

Brown University’s Course Group Schema• Course : [ Subject ] : [ Number ] : [ Term ] : [ Section ]

• All• Administrator

• Instructor (Provisioned)• TeachingAssistant• Manager

• Contributor• ContentDeveloper• Mentor

• Learner• Student (Provisioned)• Auditor• Vagabond

• Schema is flattened to provision LDAP• 12 groups per course provision hasMember attribute in Groups OU• Person objects get isMemberOf pointers to groups

Brown’s Application Role MappingMACE Grouper Course

GroupsiTunes Majordomo Confluence WebCT

All   Recipient list, Discussion Sender Can Use  

Administrator Instructor Broadcast Sender Space Admin  

Instructors (provisioned)       Instructor

Managers        

TAs       TA and Designer

Contributor Instructor   Space Admin  

Content Developers       Designer

Mentors        

Learner Student      

Auditors       Auditor

Students (provisioned, read only)       Student

Vagabonds       Auditor

Other, outside MACE Grouper Super Admin     Super Admin(s)

20

21

22

23 NIH’s Cancer BioInformatics Grid

24

NEW IN V1.5Just released … some capabilities are partial or “experimental”

25

Lite UI

• AJAX components for simple end-user tasks

• URL links directly to a group• Integrated within Grouper UI webapp

• Two entry points: Admin UI & Lite UI• Admin UI uses new components too

• More Lite UIs may be contributed by deployers

26

Performance

1 10 10010

100

1000

10000

100000

71

440

16955

48 48

111Grouper 1.4.2Grouper 1.5

number of indirect memberships due to single direct membership

mill

isec

onds

27

Audit

• Who did what when …• Add/delete/update membership, group,

folder, and Grouper privileges• Attribute definition & assignment• XML import•Move/copy group or folder

• Audit reporting via Grouper Admin UI & Grouper Shell

28

Move & copy

• Copy/move groups/folders to another folder• Why?

• Template groups & template folders• Update organizational hierarchies

• Old group name optionally continues to refer to moved group

• Supported by Grouper Admin UI & Grouper Shell (Grouper-WS soon)

29

Notification

• Near real time provisioning of group info• Group, membership, folder, and privilege

changes• Serialized• Provided to registered consumers• SQL & API access to transactions

• LDAP provisioning connector will use in v1.6

30

Attribute framework

• Assign custom attributes to principal Grouper objects• Groups• Folders• Memberships• Attributes

• Value types, multi-values, etc• Attributes are objects in folders, like groups, and

their security model is similar to that of groups

31

Roles & permissions

• Role extends Group, links Subjects with Permissions

• Permission is a type of attribute assigned to a role or to a membership in a role• Has an Action qualifier, eg, Read or Write• Permission sets. Eg, organizational hierarchies

• Superior roles inherit subordinate permissions

32

Grouper & Identity Services

• Grouper’s roles & permissions are only low level capabilities in v1.5

• No high level interfaces have been implemented or even defined yet

• Looking for help with that from MACE-Paccman and from partner sites

• More later in this conference about Grouper and identity service interfaces in Kuali and in uPortal

33

Grouper roadmap

• Current version is 1.5.1• v1.6

• Flattened memberships optimize notifications• More attribute types• Ldappc-NG = shibboleth AA + SPMLv2• Grouper-KIM connector

• Subject Web Service• v2.0

• Point-in-time audit• Role management interface• uPortal integration

34

www.internet2.edu/grouper

35

36

MACE/Internet2 IAM work

• Shibboleth• InCommon Federation• Grouper• Comanage

• Identity services & application domestication• Privilege & access management

• MACE-paccman working group• !Signet• Grouper to add some privilege management capability

• MACE-directories working group• edu* schema, white papers, etc

37

Identity services activities & Higher Ed

• MACE-paccman working group• Kuali Rice• OSS projects, some JA-SIG affiliated• Liberty, Identity Gang, etc• International efforts akin to MACE’s• Advanced CAMP June 2009 in Philly