Groups, Roles, and Privileges
Tom Barton
University of Chicago
Outline
• Why use an access management tool?
• Essential concepts by way of Grouper
• Implementation examples
June 2011
Why use an access management tool?
• Lower cost by factoring access management out of individual applications
• Simplify & make consistent by using the same group or role in many places
• Let the right people manage access, directly, with no IT required
• See who can access what, in one place
• Reduce risk by automatically removing access
Grouper: core concepts
(diagram: folders in hierarchies; a group with direct members; a subgroup whose members become indirect members of the parent; composite groups built from other groups, the slide showing a union)
Security & delegation in Grouper
Privileges (folder- and group-level):
• Create groups
• Create subfolders
• Admin
• Update membership
• Read membership
• View group
• Opt-in
• Opt-out
(diagram: Delegation)
What’s in a Grouper group?
• Folder name
• Names – one short, one display
• GUID – globally unique identifier
• Description
• Members – opaque Subject references
• Privilegees – opaque Subject references
• Operational attributes
• Site-defined attributes
Beyond groups
• Attributes
• Roles
• Role inheritance
• Permissions
• Attribute definition
• Permission definition
The delegation model for these extends that for groups.
Access management lifecycle support
• Membership start & end times (optional)
• Move or copy folders, groups, etc.
• User audit
• Point in time audit
• Rules
Grouper components as of v2.0
(architecture diagram; labels recoverable from the slide:)
• Identity Management: Persons, Orgs; Systems of Record; Subject API with Source Adapters (JDBC, JNDI)
• Grouper: Java API, Rules, Audit, External users, Changelog, Loader, Real Time, Database, Web Services
• UIs: membership, attributes, roles & permissions admin, permissions, admin, invitation
• Clients and integrations: Grouper Shell (gsh%), Grouper Client, Shibboleth DataConnector, IdP and SP (SAML), ESB, LDAP Provisioning Connector, Kuali Connector, Atlassian Connector, Application
• Transports and formats shown: LDAP/AD, XML, XMPP, HTTP/HTTPS, REST/SOAP
Access management is a process: making authZ more than authN
• Start out with a single LDAP attribute
  • affiliation
• Get central IT out of the loop
  • distributed management
  • exceptions
  • departmental apps
• Increase integration of access management
  • Direct app integration with web services
  • ESB/SOA, REST/SOAP
  • Roles & privileges to support larger, deeper apps
EXAMPLES
Tom Barton’s UChicago group memberships (screenshot)
Memberships become LDAP attributes
LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu (the ucIsMemberOf attribute):

dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
ucismemberof: uc:org:nsit:integration:techag
ucismemberof: uc:org:nsit:srdirs
ucismemberof: uc:org:nsit:integration:iteco:wr
ucismemberof: uc:applications:confluence:NSIT:esx
ucismemberof: uc:org:nsit:integration:iteco:rd
ucismemberof: uc:applications:confluence:NSIT:Directors
ucismemberof: uc:org:nsit:staff
ucismemberof: uc:applications:confluence:NSIT:Everyone
ucismemberof: uc:org:nsit:integration:shib_group
ucismemberof: uc:applications:bulkmail:users
ucismemberof: uc:org:library:gnet:admins
ucismemberof: uc:applications:gnetid:admins
ucismemberof: uc:applications:wireless:authorized
ucismemberof: uc:applications:cmail:users:authorized
ucismemberof: uc:reference:affiliations:effective:staff

(callouts on the slide highlight uc:reference:affiliations:effective:staff, uc:applications:vpn:authorized and uc:org:nsit:srdirs)
UChicago VPN simple delegation example
vpn:authorized = eligible − denied
• eligible: staff, student, postdoc, IRB, alum (fed from core business systems through the IdM system)
• denied: closure, hospital, locked
• Authorities shown on the slide: IdM system, IRB Office, IT Security Team
Different groups, different authorities. VPN only uses “vpn:authorized”.
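To make the composite-group idea from the VPN slide concrete, here is an added Python model (not Grouper's Java API and not UChicago code): vpn:authorized is the complement of eligible minus denied, effective membership is resolved through subgroups, and the ucIsMemberOf values a provisioner would write are derived from it. Group names other than uc:applications:vpn:authorized and the uc:reference:affiliations:effective:* groups, and all subject ids, are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    """A Grouper-style group: direct members, member subgroups, or a composite."""
    name: str
    direct: set = field(default_factory=set)     # direct member subject ids
    subgroups: set = field(default_factory=set)  # names of groups that are members
    composite: tuple = None                      # ("union"|"complement", left, right)

class Registry:
    def __init__(self):
        self.groups = {}
    def add(self, group):
        self.groups[group.name] = group
    def members(self, name, seen=()):
        """Effective members: direct + indirect, or the composite's set algebra."""
        if name in seen:          # a subgroup cycle would otherwise recurse forever
            return set()
        g, seen = self.groups[name], seen + (name,)
        if g.composite:
            op, left, right = g.composite
            lm, rm = self.members(left, seen), self.members(right, seen)
            return lm | rm if op == "union" else lm - rm
        out = set(g.direct)
        for sub in g.subgroups:
            out |= self.members(sub, seen)    # indirect members via subgroup
        return out

def build_vpn_registry():
    """Constructed data following the VPN slide (subject ids are made up)."""
    r = Registry()
    ref, vpn = "uc:reference:affiliations:effective:", "uc:applications:vpn:"
    r.add(Group(ref + "staff", {"tbarton"}))      # loaded from the IdM system
    r.add(Group(ref + "student", {"alice"}))
    r.add(Group(vpn + "eligible", subgroups={ref + "staff", ref + "student"}))
    r.add(Group(vpn + "denied:closure", {"alice"}))  # one authority, one group
    r.add(Group(vpn + "denied:locked", {"carol"}))   # e.g. IT Security Team
    r.add(Group(vpn + "denied", subgroups={vpn + "denied:closure", vpn + "denied:locked"}))
    r.add(Group(vpn + "authorized", composite=("complement", vpn + "eligible", vpn + "denied")))
    return r

def vpn_allows(reg, uid):
    """The VPN consults only vpn:authorized, never the contributing groups."""
    return uid in reg.members("uc:applications:vpn:authorized")

def ldap_memberof(reg, uid):
    """ucIsMemberOf values provisioning would write to the user's LDAP entry."""
    return sorted(n for n in reg.groups if uid in reg.members(n))
```

Because the denial groups are separate from the eligibility groups, each authority changes only its own group and the VPN's decision follows automatically.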
UChicago applications managed by Grouper, so far
aams
Ad Astra
Bulkmail
Business Objects Enterprise
Chalk
CityRyde
Cmail
cnet
Confluence
Directory Administration
dmca
Facilities SIMS
gnetid
grouper
im
isx
IT Ecosystem
Lab School
LDAP
lists
Mail Forwarding
Microsoft Exchange
modem pool
myUChicago
online directory
password expiration
rt
Service Now
shibboleth
Statements portlet
SVN
tank
UC Groups
unifiedcomm
uPoV Monitor
versions
voip
vpn
web hosting
webproxy
Webshare
webspace
wireless
Distributed management: keep it straight
UChicago folder hierarchy (diagram):
• Applications: aams, AdAstra, …
• Org: ARD, CCSR, …
• Reference: affiliations, curricula, …
• Personal: klaraj, tbarton, …
Northern Arizona’s Add a Group Portlet (screenshot)
Managing instructional and institutional groups across 80 institutions in the central region of France (screenshot)
SURFnet’s national scale collaboration platform
① SURFfederatie (SAML)
+ ① SURFteams (grouper)
+ ② OpenSocial
+ ① Collaboration tools
= SURFnet’s national scale collaboration platform
Thanks!
Further questions?
Infosheets, mail lists, wiki, downloads, etc:
www.internet2.edu/grouper
Grouper demo server:
https://grouperdemo.internet2.edu/
