Grouper: A Toolkit for Managing Groups
Provided by: tomba53

1
Grouper: A Toolkit for Managing Groups
  • Tom Barton
  • blair christensen
  • University of Chicago

2
Outline
  • The problem with groups
  • Case study: U Chicago's USITE computer labs
  • Tour of Grouper
  • USITE case study revisited
  • Grouper project status
  • Bonus round: personal groups

3
Groups facilitate
  • Customization: application UI tailored to a user's
    affiliations with the organization
  • Authorization
  • Lightweight - relationship info feeding access
    decisions
  • Heavyweight - assignment of structured
    privileges to groups
  • Messaging, scheduling, collaboration
  • Departments, courses, programs, committees, teams
  • Posix naming services

4
Group management issues
  • Coordinating many sources of information
  • Provisioning groups in many locations
  • Supporting several styles of access to group
    membership information
  • Aging of groups and of memberships
  • Use of subgroups vs. effective membership
  • Referring to set theoretic combinations of groups
    (compound groups)
  • Privacy and visibility requirements

5
The USITE access problem
  • Must control access to computers in labs
    independent of ability to authenticate
  • U Chicago's Networking Services and Information
    Technologies (NSIT) established the Identity
    Management Working Group to solve this type of
    problem
  • You'll see "nsit" and "usite" in names of things
    to follow

6
USITE access policy
  • Students
  • 23 categories of current students
  • Some entitle USITE access, some disenfranchise,
    others fail to entitle
  • Time of year dependency for some categories
  • Current faculty and staff are entitled
  • Other, more loosely affiliated people are not
    entitled
  • Exceptional administrative admits and denies
    across all categories above

7
Use of group management
  • Various elemental USITE-related categories of
    people are modeled as groups
  • Subgroups are used to roll-up effective admit or
    deny status
  • Some groups are automatically managed, others
    manually
  • Some roll-up groups are manually managed to deal
    with time dependency or change in access policy

8
Groups model for USITE access (diagram; the ACL is
the shaded green groups but not the red ones)
  • Manually managed groups: usite_eligible,
    usite_barred, admin_admit, admin_deny
  • Automatically managed groups: ucfaculty, ucstaff
  • Student category groups feeding the roll-ups:
    categories of barred students, categories of
    entitled students, time dependent student
    categories
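To make the roll-up concrete, here is an added example (not Grouper code, and not from the presenters) that models slides 7 and 8 in Python: groups with direct members and subgroups, effective membership computed through the subgroups, and the USITE decision as the set-theoretic combination the diagram shows. The group names, member ids and the shape of the roll-up are constructed assumptions; Grouper itself keeps this in the Group Registry and does not expose it as Python dicts.

```python
# Added example, not Grouper code: a toy model of slides 7 and 8. Each group
# holds direct members (subject ids) and subgroups (group names); effective
# membership is rolled up through the subgroups and the USITE ACL is computed
# as "in some admit group and in no deny group".
from typing import Dict, Set


def build_registry() -> Dict[str, dict]:
    """Constructed sample registry; unqualified names as in the slides."""
    return {
        # automatically managed elemental groups (member ids are constructed)
        "ucfaculty":           {"members": {"prof1"},         "subgroups": set()},
        "ucstaff":             {"members": {"staff1"},        "subgroups": set()},
        "students_entitled_a": {"members": {"stu1", "stu2"}, "subgroups": set()},
        "students_entitled_b": {"members": {"stu3"},         "subgroups": set()},
        "students_barred_a":   {"members": {"stu2", "stu4"}, "subgroups": set()},
        "students_summer":     {"members": {"stu5"},         "subgroups": set()},  # time dependent
        # manually managed roll-up and exception groups
        "usite_eligible": {"members": set(),
                           "subgroups": {"students_entitled_a", "students_entitled_b", "students_summer"}},
        "usite_barred":   {"members": set(), "subgroups": {"students_barred_a"}},
        "admin_admit":    {"members": {"guest1"}, "subgroups": set()},
        "admin_deny":     {"members": {"prof1"},  "subgroups": set()},
    }


def effective_members(registry: Dict[str, dict], name: str, _seen: Set[str] = None) -> Set[str]:
    """Direct members plus, recursively, the effective members of each subgroup."""
    if _seen is None:
        _seen = set()
    if name in _seen:            # guards against subgroup cycles
        return set()
    _seen.add(name)
    group = registry[name]
    result = set(group["members"])
    for sub in group["subgroups"]:
        result |= effective_members(registry, sub, _seen)
    return result


def usite_acl(registry: Dict[str, dict]) -> Set[str]:
    """Slide 8: admitted if effectively in a green (admit) group and not in a red (deny) group."""
    admit: Set[str] = set()
    for g in ("usite_eligible", "ucfaculty", "ucstaff", "admin_admit"):
        admit |= effective_members(registry, g)
    deny = effective_members(registry, "usite_barred") | effective_members(registry, "admin_deny")
    return admit - deny


def set_time_dependent_category(registry: Dict[str, dict], active: bool) -> None:
    """Slide 7: a roll-up group is edited by hand when a time-dependent category turns on or off."""
    subs = registry["usite_eligible"]["subgroups"]
    if active:
        subs.add("students_summer")
    else:
        subs.discard("students_summer")


if __name__ == "__main__":
    reg = build_registry()
    print("in season:", sorted(usite_acl(reg)))
    set_time_dependent_category(reg, False)
    print("out of season:", sorted(usite_acl(reg)))
```

Note that stu2 is entitled through students_entitled_a but also barred, so the deny side wins, and prof1 loses access through admin_deny despite ucfaculty membership; that ordering is exactly what the "green but not red" shading encodes.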
9
Management related groups
  • Management privileges for manually managed groups
    also need to be managed!
  • So, more groups list who has what authority in
    managing the groups that mediate USITE access:
  • Director of Learning Environments
  • Lab Managers
  • Student staff

10
Data flow: Grouper's role in USITE access (diagram)
  • Elements shown: lab, SIS, HR, Person registry,
    LDAP, Group registry, Grouper API
  • LDAP person entry attributes shown: uid (jdoe),
    ucAffiliation, isMemberOf
  • Manual managers shown: Dir. Learning
    Environments, Lab Managers, Student staff
11
Grouper groups
  • Stored in an RDBMS, the Group Registry
  • Attributes of groups:
  • Name
  • Description
  • Members
  • Possible to extend the set of attributes to
    support groups with more specific purposes

12
Directory of groups
  • Groups are created within a hierarchy of
    directories, like files within a computer's
    directory system
  • Directories are also named
  • Sometimes need to use the full name of a group,
    like the full pathname of a file
  • Example: /nsit/usite/admin_admit
  • The directory delimiter can be configured for
    different effect
  • Example: nsitusiteadmin_admit

13
Grouper privileges
  • Access privileges - who has what access (read,
    write) to a group's attributes
  • Naming privileges - who can create a group or
    subdirectory in what part of the directory of
    groups

14
Access privileges
  • VIEW: group's name appears in lists; holder can
    refer to it, e.g., make it a subgroup of another
    group
  • READ: basic information about a group
  • UPDATE: membership, plus administering the VIEW,
    READ, and UPDATE privileges
  • ADMIN: can modify everything, including group
    name, description, privileges, and can delete
    the group
  • OPTIN: can add self to the members list
  • OPTOUT: can remove self from the members list

15
Naming privileges
  • STEM: privilege in a given directory enables
    creation of subdirectories and administration of
    CREATE and STEM privileges for the directory and
    its immediate subdirectories
  • Motivating idea: a directory is a naming stem
    over which authority is exercised and delegated
    by those with stem privilege
  • CREATE: a group in a given directory

16
Built-in privilege implementation
  • All access and naming privileges can be assigned
    to individual members or to groups
  • Subgroups, compound groups, and aging can be used
    to manage privileges
  • Abstracted interfaces are presented for privilege
    management
  • Sites can hook in their own privilege management
    and bypass Grouper's built-in system

17
USITE revisited: Grouper's role
  • Make an nsitusite directory in the group
    registry
  • Groups created within it:
  • dir_learning_env, lab_managers, student_staff
  • usite_eligible, usite_barred
  • admin_admit, admin_deny
  • Give stem privilege for nsitusite to the
    Director of Learning Environments
  • She can run her groups empire within it

18
USITE group access privileges (unqualified names
in nsitusite namespace; A = ADMIN, U = UPDATE,
V = VIEW, R = READ)
  • usite_eligible: A dir_learning_env; V,R all
  • usite_barred: A dir_learning_env; V,R all
  • admin_admit: U usite_manage; V,R usite_view
  • admin_deny: U usite_manage; V,R usite_view
  • ucfaculty: V,R all
  • ucstaff: V,R all
  • categories of barred students: V all (each)
  • categories of entitled students: V all (each)
  • time dependent student categories: V all (each)
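The privilege model of slides 13 to 18, as an added Python example that is not Grouper's API: access grants on groups, naming grants on directories, grantees that are subjects, groups or "all", and the slide 18 assignments checked for a few subjects. The member ids, the contents of usite_manage and usite_view, the implication that UPDATE includes READ and VIEW, the choice that STEM does not by itself include CREATE (the slides list them separately), and the rule that a group's creator receives ADMIN on it are all assumptions made here; the "/" delimiter follows slide 12's first example.

```python
# Added example (not Grouper's own API): a toy model of Grouper access and
# naming privileges as the slides describe them, applied to the USITE grants.
from typing import Dict, Optional, Set

# Access privilege implication. Slide 14 says ADMIN can modify everything and
# UPDATE administers VIEW/READ/UPDATE; that UPDATE and READ also imply the
# weaker read-only privileges is an assumption of this model.
ACCESS_IMPLIES: Dict[str, Set[str]] = {
    "ADMIN":  {"ADMIN", "UPDATE", "READ", "VIEW", "OPTIN", "OPTOUT"},
    "UPDATE": {"UPDATE", "READ", "VIEW"},
    "READ":   {"READ", "VIEW"},
    "VIEW":   {"VIEW"},
    "OPTIN":  {"OPTIN"},
    "OPTOUT": {"OPTOUT"},
}

# Constructed direct membership of the management groups (subject ids are made up).
MEMBERS: Dict[str, Set[str]] = {
    "dir_learning_env": {"dle"},
    "lab_managers":     {"lab1", "lab2"},
    "student_staff":    {"sstaff1"},
    "usite_manage":     {"lab1", "lab2"},
    "usite_view":       {"lab1", "lab2", "sstaff1"},
}

# Access grants from slide 18: group -> privilege -> grantees. A grantee is a
# subject id, a group name (expanded to its members) or the special "all".
ACCESS_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "usite_eligible":    {"ADMIN": {"dir_learning_env"}, "VIEW": {"all"}, "READ": {"all"}},
    "usite_barred":      {"ADMIN": {"dir_learning_env"}, "VIEW": {"all"}, "READ": {"all"}},
    "admin_admit":       {"UPDATE": {"usite_manage"}, "VIEW": {"usite_view"}, "READ": {"usite_view"}},
    "admin_deny":        {"UPDATE": {"usite_manage"}, "VIEW": {"usite_view"}, "READ": {"usite_view"}},
    "ucfaculty":         {"VIEW": {"all"}, "READ": {"all"}},
    "ucstaff":           {"VIEW": {"all"}, "READ": {"all"}},
    "students_barred_a": {"VIEW": {"all"}},   # one constructed student category group
}

# Naming grants per directory (stem). Slide 17 gives STEM on the USITE
# directory to the Director of Learning Environments; "/" delimiter assumed.
DELIM = "/"
NAMING_GRANTS: Dict[str, Dict[str, Set[str]]] = {
    "/nsit/usite": {"STEM": {"dir_learning_env"}, "CREATE": set()},
}


def grantee_matches(subject: str, grantee: str) -> bool:
    """A grant covers the subject directly, via group membership, or via 'all'."""
    return grantee == "all" or grantee == subject or subject in MEMBERS.get(grantee, set())


def has_access(subject: str, group: str, priv: str) -> bool:
    """True if some grant on the group implies `priv` and covers the subject."""
    for granted, grantees in ACCESS_GRANTS.get(group, {}).items():
        if priv in ACCESS_IMPLIES[granted] and any(grantee_matches(subject, g) for g in grantees):
            return True
    return False


def can_grant_access(subject: str, group: str, priv: str) -> bool:
    """ADMIN administers every privilege; UPDATE administers only VIEW/READ/UPDATE (slide 14)."""
    if has_access(subject, group, "ADMIN"):
        return True
    return has_access(subject, group, "UPDATE") and priv in {"VIEW", "READ", "UPDATE"}


def has_naming(subject: str, stem: str, priv: str) -> bool:
    return any(grantee_matches(subject, g) for g in NAMING_GRANTS.get(stem, {}).get(priv, set()))


def parent_stem(stem: str) -> str:
    return stem.rsplit(DELIM, 1)[0] or DELIM


def can_grant_naming(subject: str, stem: str, target: str) -> bool:
    """STEM on a directory administers CREATE/STEM there and in its immediate subdirectories (slide 15)."""
    return has_naming(subject, stem, "STEM") and (target == stem or parent_stem(target) == stem)


def grant_naming(subject: str, stem: str, target: str, priv: str, grantee: str) -> bool:
    """Delegate a naming privilege; refused unless the subject holds STEM over the target."""
    if not can_grant_naming(subject, stem, target):
        return False
    NAMING_GRANTS.setdefault(target, {}).setdefault(priv, set()).add(grantee)
    return True


def create_group(subject: str, stem: str, name: str) -> Optional[str]:
    """CREATE on the stem is required; the creator is given ADMIN on the new group (assumption)."""
    if not has_naming(subject, stem, "CREATE"):
        return None
    ACCESS_GRANTS.setdefault(name, {}).setdefault("ADMIN", set()).add(subject)
    return stem + DELIM + name
```

The naming half shows the delegation idea of slide 15: the director holds STEM on the USITE directory, cannot yet create a group there under this model, grants herself CREATE on that same stem (allowed, since it is the directory she stems), and only then creates groups; she could equally delegate CREATE on an immediate subdirectory, but not two levels down and not on the parent directory.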
19
USITE group management privileges (unqualified
names in nsitusite namespace; diagram not captured)
20
Grouper v1 features
  • API and UI for basic group management
  • Create, read, update, delete, import, export
  • Distributed management
  • Subgroups and compound groups
  • Aging of groups and memberships
  • Abstracted interfaces for:
  • Group and directory privileges
  • Subject lookup
  • Last activity

21
Phases of Grouper v1 development
  • Phase 1: Basic management and export functions
  • Phase 2: Compound groups, Signet integration
  • Phase 3: Aging of groups and memberships
  • Phase 1 API available before end of year (2004,
    that is!)

22
Grouper deliverables
  • U Chicago - Java API
  • U Bristol - Java UI
  • You-contributed loaders and connectors
  • Subject Lookup implementation, jointly with the
    Signet project
  • Group Registry creation scripts and sample batch
    import/export scripts
  • Documentation

23
Grouper UI status
  • Conceptual mock-up completed
  • Modular design for look and feel
  • Grouper and Signet UIs will leave the factory
    floor bearing an I2 family resemblance

24
Personal groups
  • Any user can create groups named
    personalusernamegroupname
  • Good or evil?
  • Yeah! Low overhead to let everyone do groups
  • Booo! Valuable institutional data squirreled away
    in unknowable spaces that go away
  • Configuration:
  • on/off
  • Root directory for personal namespace ("personal"
    above)

25
Further info and participation
  • MACE-Dir list
  • MACE-Dir-groups conference calls
  • http://middleware.internet2.edu/dir/groups

26
Grouper in Context
27
missing
  • Much on compound groups?
  • Enough about UI?
  • More signet?