Using Signet and Grouper for Access Management

1
Using Signet and Grouper for Access Management

• Tom Barton, University of Chicago
• Lynn McRae, Stanford University

2
Identity Access Management Reality

• Each persons online activities are shaped by
  many Sources of Authority (SoAs)
• Resource managers
• Program/activity heads
• Other policy making bodies
• Self
• Common middleware infrastructure should be
  operated centrally
• To not oblige departments/programs/activities to
  build their own core middleware
• Management of the information it conveys should
  be distributed
• Hook up all of those SoAs to the middleware

3
Connecting SoAs, Integrating with Existing
Infrastructure
4
Relative Roles of Signet Grouper

• RBAC model
• Users are placed into groups
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to
  effectively bestow privileges
• Signet manages privileges
• Grouper manages, well, groups

Grouper
Signet
5
Nutshell Description of Grouper

• Mix of manual and automation processes manage a
  common Group Registry
• Many sources of authority are reflected in group
  memberships
• Automation processes provision info from the
  Group Registry into LDAP, AD, or directly into
  app-specific databases, or
• Wherever the value of the info warrants spending
  the resources to place it there
• Group management authority is delegatable

6
Grouper Groups

• Attributes of groups
• Names name, displayName, guid
• Description
• Members
• Can extend the set of attributes to support
  groups with more specific purposes
• Subgroups, compound groups, and aging
• Stored in an RDBMS, the Group Registry

7
Grouper Namespaces

• Groups are created within namespaces
• Scopes the authority to create and name groups
• Support distinct activities with own authority
• Namespaces can be arranged hierarchically
• it all central IT activities
• itlabs manage computer labs
• bsd all Bio Sci Division activities
• bsdpeds Pediatrics resource access

8
Example Groups for Lab Access
Allow access if eligible but not barred
itlabsbarred (manual)
itlabseligible (manual)
itlabswhitelist (manual)
itlabsblacklist (manual)
ucfaculty (auto)
ucstaff (auto)
categories of entitled students (auto)
9
Data Flow Grouper Roles in Computer Lab Access
SIS
lab
HR
Person Registry
LDAP
Group Registry
Lab Director
uid jdoe ucAffiliation isMemberOf
Grouper API
Lab Managers
On-site staff
10
Groupers Privileges

• Access privileges
• Who has what access (read, write) to a groups
  attributes
• Naming privileges
• Who can create a group in each namespace
• Who can create a new namespace subordinate to an
  existing one
• Privilege interfaces are abstracted
• Can use external privilege management system,
  like Signet
• Groupers built-in privilege management
• Subgroups, compound groups, and aging can be used
  to manage privileges with built-in capability

11
Four Ways to Delegate Group Management

• Create a group and assign someone to manage its
  membership
• Create a group and assign someone to manage who
  manages the groups membership and who can see
  what about the group
• Create a namespace and assign someone to manage
  who can create groups within it
• Allow Self to opt-in or opt-out of membership

12
Representing Membership in Operational Contexts

• Standards for the I2MI community
• LDAP, SAML/Shibboleth isMemberOf
• LDAP hasMember
• Preserving privacy/visibility
• Representing access privileges in, e.g., LDAP
• Desirable local standards
• Naming of groups namespaces
• Privacy classes
• Incremental update and referential integrity

13
Signet Overview

• Central Repository and toolkitfor Privilege
  Information
• Analysts define privileges in Signet in business
  terms and specify associated permissions.
• Signet presents this view in a Web UI where users
  assign privileges and delegate authority across
  all areas in which they have authority.
• Signet internally maps assigned privileges into
  system-specific terms needed by applications.
• Privileges are exported, transformed, and
  provisioned into applications and infrastructure
  services.

14
Privileges Building Blocks

• Analysts define privileges in Signet in business
  terms and specify associated permissions.

• Business view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites Conditions

• System view
• Permissions
• Subject
• Action
• Resource

15
Signet Components
Subsystems
Financial system Student Administration HR
system Network address plan management Network
access management Research administration Clinical
resources Person Registry Signet (Privilege
Registry) Grouper (Group Registry)

• Define domains of ownership and responsibility
• Reflect real world boundaries
• Can be large or small

16
Business View

• Subsystems contain
• Functions
• The things a person can do what they are
  getting privileges for.
• Categories
• Provide useful arrangement of functions within a
  subsystem for reporting, ease of use.

• Limits
• Qualifiers, constraints for a privilege.
• Scope
• Organizational hierarchy governing distributed
  delegation.

17
Business View
Course Support
Add/Drop students
Student Admin
Which term
Schedule Classes
Which campus
Process Applicants
Financial Aid
For school
Award Scholarships
From Fund
Manage Accounts
For fund
Patient Records
Clinical Trial
Protocol A
Read/Write
Materials Control
Qty/day
Manage Grant
Administration
constraints
Lab Access
Hours
Categories
Subsystems
Functions
Limits
organizing
actions
18
Signet User Interface

• Signet presents this view in a Web UI where users
  assign and delegate authority across all areas in
  which they have authority.

19
Systems View

• Signet internally maps assigned privileges into
  system specific terms needed by applications.

• Permissions
• Atomic units of control that map to specific
  access rules in systems.
• Includes limits that must be evaluated when
  interpreting permissions.
• Resources
• The target of a specific privilege things that
  have access rules to control their use.

20
Business View ? Permissions
Calendar
Student Admin
reserve_time
view_schedules
Add/Drop students
Course Support
Course
Schedule Classes
update_course_data
Facilities
reserve_room
Process Applicants
Financial Aid
Financial
Award Scholarships
view_fund_data
Manage Accounts
update_fund_data
Student
student_records
applicant_data
Business View
Resources/Permissions
21
Systems Integration

• Privileges are exported, transformed, and
  provisioned into integrated systems and
  infrastructure services.

• Toolkit API
• Java object interface
• Privileges document
• XML representation of privileges for an
  individual or group.
• Compatible with SAML and XACML representations of
  Subjects and Access Rules.

22
Privileges Document
Signet Privileges document (not final)
ltPrivileges xmlns"http//middleware.internet2.edu
/signet"gt ltsubjSubject xmlnssubj"http//mi
ddleware.internet2.edu/subject"gt
ltsubjSubjectIdgtjpoole_at_kitn.edult/subjSubjectIdgt
ltsubjSubjectNamegtPoole, Jean
M.lt/subjSubjectNamegt lt/subjSubjectsgt
ltSubsystem ltSubsystemIdgtproject-bioxlt/Su
bsystemIdgt ltPermissiongt
ltPermissionIdgtpatient-record-accesslt/
PermissionId gt ltResourcegt
ltResourceIdgtresearch-recordslt/Resource
Idgt lt/Resourcegt
ltLimitgt ltLimitIdgtprotocollt/Lim
itIdgt ltLimitnFunctiongturnoasi
snamestcxacml1.0functionstring-equallt/LimitF
unctiongt ltLimitValuegt2005-form
ula-blt/LimitValuegt
ltLimitValueTypegthttp//www.w3.org/2001/XMLSchemas
tringlt/LimitValueTypegt lt/Limitgt
lt/Permissiongt ltPermissiongt
ltPermissionIdgtapprove-requisitionslt/Subsyst
emIdgt ltResourcegt
23
Provisioning Permissions into Applications
Calendar
Calendar
reserve_time
view_schedules
CourseWare
Course
update_course_data
ltPrivilegesgt ltSubjectgt ltPermissiongt ltPermissiongt lt
Permissiongt
Financials
Facilities
reserve_room
Financial
Reporting
view_fund_data
update_fund_data
Space Mgmt
Student
student_records
Student
applicant_data
24
Provisioning Permissions into Infrastructure
eduPersonEntitlement
Calendar
Calendar
reserve_time
view_schedules
CourseWare
Course
Directory
update_course_data
Financials
Facilities
reserve_room
Financial
Reporting
view_fund_data
update_fund_data
Space Mgmt
Student
student_records
Student
applicant_data
25
Other features

• Assignments can be
• To an individual
• To a Group
• With/without ability to further delegate
• Distributed delegation using organizational
  hierarchy
• Records chain of command
• Proxy assignment
• Temporary granting of ones privilege to another

26
Privileges Lifecycle

• Conditions
• Provides automatic revocation of privileges
• Date controls -- from date, until date
• Based on persons status and affiliation,
• e.g., as long as person is at Stanford
• Prerequisites
• Pre-conditions that must be met to activate
  privileges
• e.g., training

27
Privilege Elements by Example
Lifecycle
Privilege
28
(No Transcript)
29
Subject API

• Common application need to lookup people or other
  types of subjects
• To search for and present them in a UI
• To translate between different identifiers for
  the same object
• Example username ? persistentID
• Subject API is a freestanding implementation
  meeting these needs. Site-configured
• Subject types people groups, and maybe
  applications, computers, policies, whatever
• Sources for each site-specific subject type
• Specific query syntax for abstract query types

30
Signet Grouper Development

• Now available
• Grouper API v0.5.5. Basic group management by
  automation processes
• Demo release of Signet v0.3 toolkit and UI
• June 2005
• Grouper v0.6 - initial UI release
• Subject API - initial release
• September 2005
• Signet - initial production-ready release
• Grouper team U Chicago U Bristol
• Signet team Stanford University

31
Resources Participation

• Grouper website http//middleware.internet2.edu/di
  r/groups/grouper/
• Signet website
• http//middleware.internet2.edu/signet/
• Internet2 Middleware Initiative
• http//middleware.internet2.edu/
• Details for subscribing to mailing lists
• Conference call agendas dialing instructions