Grouper: A Toolkit for Managing Groups
Tom Barton
blair christensen
University of Chicago
Outline
The problem with groups
Case study: U Chicago’s “USITE” computer labs
Tour of Grouper
USITE case study revisited
Grouper project status
Bonus round – personal groups
Fall 2004 I2MM
Groups facilitate …
Customization – application UI tailored to the user’s affiliations with the organization
Authorization
• “Lightweight” - relationship info feeding access decisions
• “Heavyweight” - assignment of structured privileges to groups
Messaging, scheduling, & collaboration
• Departments, courses, programs, committees, teams, …
Posix naming services

Group management issues
Coordinating many sources of information
Provisioning groups in many locations
Supporting several styles of access to group membership information
Aging of groups and of memberships
Use of subgroups vs. effective membership
Referring to set theoretic combinations of groups (compound groups)
Privacy & visibility requirements

The USITE access problem
Must control access to computers in labs independent of ability to authenticate
U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
• You’ll see “nsit” and “usite” in names of things to follow

USITE access policy
Students
• 23 categories of current students
• Some entitle USITE access, some disenfranchise, others fail to entitle
• Time of year dependency for some categories
Current faculty & staff are entitled
Other more loosely affiliated people are not entitled
Exceptional administrative admits and denies across all categories above

Use of group management
Various elemental USITE-related categories of people are modeled as groups
Subgroups are used to roll up effective admit or deny status
Some groups are automatically managed, others manually
Some roll-up groups are manually managed to deal with time dependency or change in access policy

Groups model for USITE access
(ACL is “shaded green but not red”)
[Diagram of the roll-up groups. Green (admit) side: usite_eligible (manual), fed by admin_admit (manual), uc:faculty (auto), uc:staff (auto) and categories of entitled students. Red (deny) side: usite_barred (manual), fed by admin_deny (manual) and categories of barred students. Time dependent student categories are also shown as inputs.]

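The roll-up logic of this diagram as an added Python example (not Grouper’s own code): each group holds direct members and subgroups, effective membership is computed recursively, and the lab ACL is the compound group “eligible but not barred”. The registry contents and uids are constructed; placing the time-dependent student categories on the eligible side is an assumption, since the slide does not say which side they feed.

```python
# Added example, not Grouper code: effective membership via subgroup roll-up,
# and the USITE ACL "in usite_eligible and not in usite_barred".
from typing import Dict, Set

def effective_members(registry: Dict[str, dict], group: str, _seen=None) -> Set[str]:
    """Direct members plus the effective members of every subgroup (cycle-safe)."""
    _seen = _seen if _seen is not None else set()
    if group in _seen:                     # a subgroup cycle must not recurse forever
        return set()
    _seen.add(group)
    entry = registry.get(group, {})        # unknown group: no members, no subgroups
    result = set(entry.get("members", set()))
    for sub in entry.get("subgroups", set()):
        result |= effective_members(registry, sub, _seen)
    return result

def usite_access(registry: Dict[str, dict], uid: str) -> bool:
    """The slide's ACL: shaded green (eligible) but not red (barred)."""
    return (uid in effective_members(registry, "nsit:usite:usite_eligible")
            and uid not in effective_members(registry, "nsit:usite:usite_barred"))

# Constructed registry mirroring the diagram; all uids are made up.
REGISTRY = {
    "nsit:usite:usite_eligible": {"members": set(), "subgroups": {
        "nsit:usite:admin_admit", "uc:faculty", "uc:staff",
        "uc:students:entitled",
        "uc:students:time_dependent"}},   # assumption: counted as eligible this term
    "nsit:usite:usite_barred": {"members": set(), "subgroups": {
        "nsit:usite:admin_deny", "uc:students:barred"}},
    "nsit:usite:admin_admit": {"members": {"visitor1"}, "subgroups": set()},
    "nsit:usite:admin_deny": {"members": {"prof2"}, "subgroups": set()},
    "uc:faculty": {"members": {"prof1", "prof2"}, "subgroups": set()},
    "uc:staff": {"members": {"staff1"}, "subgroups": set()},
    "uc:students:entitled": {"members": {"stu1", "stu2"}, "subgroups": set()},
    "uc:students:barred": {"members": {"stu2"}, "subgroups": set()},
    "uc:students:time_dependent": {"members": {"stu3"}, "subgroups": set()},
}

if __name__ == "__main__":
    # prof2 is faculty but administratively denied; stu2 is entitled but barred
    for uid in ["prof1", "prof2", "stu1", "stu2", "stu3", "visitor1", "nobody"]:
        print(uid, usite_access(REGISTRY, uid))
```

A deny anywhere in the red roll-up wins over any admit, which is why an administrative deny of a faculty member takes effect without touching the automatically loaded uc:faculty group.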
Management related groups
Management privileges for manually managed groups also need to be managed!
So, more groups list who has what authority in managing groups that mediate USITE access
• Director of Learning Environments
• Lab Managers
• Student staff

Data flow & Grouper’s role in USITE access
[Diagram of components: SIS and HR feed Loaders, which use the Grouper API to populate the Group registry; a Person registry; the Grouper UI, used by the Dir. Learning Environments, Lab Managers and Student staff, which also goes through the Grouper API; the Grouper API provisioning to LDAP (sample entry: uid: jdoe, ucAffiliation: …, isMemberOf: …); and the lab.]

Grouper groups
Stored in an RDBMS, the Group Registry
Attributes of groups
• Name
• Description
• Members
Possible to extend the set of attributes to support groups with more specific purposes

Directory of groups
Groups are created within a hierarchy of directories, like files within a computer’s directory system
• Directories are also named
• Sometimes need to use the full name of a group, like the full pathname of a file
• Example: /nsit/usite/admin_admit
The directory delimiter can be configured for different effect
• Example: nsit:usite:admin_admit

Grouper privileges
Access privileges - who has what access (read, write) to a group’s attributes
Naming privileges - who can create a group or subdirectory in what part of the directory of groups

Access privileges
VIEW - group’s name in lists & can refer to it, e.g., make it a subgroup of another group
READ - basic information about a group
UPDATE - membership, and administer VIEW, READ, & UPDATE privileges
ADMIN - can modify everything, including group name, description, & privileges, and can delete the group
OPTIN - can add self to the members list
OPTOUT - can remove self from the members list

Naming privileges
STEM - privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
• Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege
CREATE - a group in a given directory

Built-in privilege implementation
All access & naming privileges can be assigned to individual members or to groups
• Subgroups, compound groups, and aging can be used to manage privileges
Abstracted interfaces are presented for privilege management
• Sites can hook in their own privilege management and bypass Grouper’s built-in system

USITE revisited – Grouper’s role
Make an “nsit:usite” directory in the group registry
Groups created within it
• dir_learning_env, lab_managers, student_staff
• usite_eligible, usite_barred
• admin_admit, admin_deny
Give stem privilege for “nsit:usite” to the Director of Learning Environments
• She can run her groups empire within

USITE group access privileges
(unqualified names in nsit:usite directory; A = ADMIN, U = UPDATE, V = VIEW, R = READ)
usite_eligible: A: dir_learning_env; V,R: all
usite_barred: A: dir_learning_env; V,R: all
admin_admit: U: usite_manage; V,R: usite_view
admin_deny: U: usite_manage; V,R: usite_view
uc:faculty: V,R: all
uc:staff: V,R: all
categories of entitled students: V: all
categories of barred students: V: all
time dependent student categories: V: all

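The access-privilege table above, checked in code, as an added Python example (not Grouper’s own code): privilege holders may be individual subjects, groups, or the “all” wildcard, exactly as the built-in privilege implementation slide allows. The memberships of dir_learning_env, usite_manage and usite_view are constructed, and the implication chain ADMIN ⊃ UPDATE ⊃ READ ⊃ VIEW is an assumption the slides do not spell out.

```python
# Added example, not Grouper code: access-privilege checks where a holder may be
# a subject, a group (resolved through its membership) or the "all" wildcard.
# Assumption: ADMIN implies UPDATE, UPDATE implies READ, READ implies VIEW;
# OPTIN and OPTOUT are independent of that chain.
IMPLIES = {"ADMIN": {"ADMIN", "UPDATE", "READ", "VIEW"},
           "UPDATE": {"UPDATE", "READ", "VIEW"},
           "READ": {"READ", "VIEW"}, "VIEW": {"VIEW"},
           "OPTIN": {"OPTIN"}, "OPTOUT": {"OPTOUT"}}

# Constructed direct memberships of the management groups; uids are made up.
MEMBERS = {
    "nsit:usite:dir_learning_env": {"director"},
    "nsit:usite:lab_managers": {"mgr1"},
    "nsit:usite:student_staff": {"sstaff1"},
    "nsit:usite:usite_manage": {"director", "mgr1"},            # assumed roll-up
    "nsit:usite:usite_view": {"director", "mgr1", "sstaff1"},   # assumed roll-up
}

# The slide's table as {group: {privilege: set of holders}}.
PRIVS = {
    "nsit:usite:usite_eligible": {"ADMIN": {"nsit:usite:dir_learning_env"},
                                  "VIEW": {"all"}, "READ": {"all"}},
    "nsit:usite:usite_barred":   {"ADMIN": {"nsit:usite:dir_learning_env"},
                                  "VIEW": {"all"}, "READ": {"all"}},
    "nsit:usite:admin_admit":    {"UPDATE": {"nsit:usite:usite_manage"},
                                  "VIEW": {"nsit:usite:usite_view"},
                                  "READ": {"nsit:usite:usite_view"}},
    "nsit:usite:admin_deny":     {"UPDATE": {"nsit:usite:usite_manage"},
                                  "VIEW": {"nsit:usite:usite_view"},
                                  "READ": {"nsit:usite:usite_view"}},
    "uc:faculty": {"VIEW": {"all"}, "READ": {"all"}},
}

def holds(subject: str, holder: str) -> bool:
    """A holder matches the wildcard, the subject itself, or a group containing it."""
    return holder == "all" or holder == subject or subject in MEMBERS.get(holder, set())

def has_priv(subject: str, group: str, priv: str) -> bool:
    """True if some privilege granted on the group implies `priv` for the subject."""
    for granted, holders in PRIVS.get(group, {}).items():
        if priv in IMPLIES[granted] and any(holds(subject, h) for h in holders):
            return True
    return False      # unknown group or no matching grant: deny by default
```

Note that the exception lists admin_admit and admin_deny are not visible to “all”: a subject outside usite_view gets neither VIEW nor READ on them, while everyone can read the roll-up groups that actually gate lab access.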
USITE group management privileges
(unqualified names in nsit:usite directory)
[Table not preserved in transcript]

Grouper v1 features
API & UI for basic group management
• Create, read, update, delete, import, export
• Distributed management
• Subgroups & compound groups
• Aging of groups and memberships
Abstracted interfaces for
• Group and directory privileges
• Subject lookup
• Last activity

Phases of Grouper v1 development
Phase 1: Basic management and export functions
Phase 2: Compound groups & Signet integration
Phase 3: Aging of groups and memberships
Phase 1 API available before end of November 2004

Grouper deliverables
U Chicago - Java API
U Bristol - Java UI
You – contributed loaders & connectors
Subject Lookup implementation
• jointly with Signet project
Group Registry creation scripts & sample batch import/export scripts
Documentation

Grouper UI status
Conceptual mock-up completed
Modular design for look and feel
Grouper & Signet UIs will “leave the factory floor” bearing an I2 family resemblance

Personal groups
Any user can create groups named personal:username:groupname
Good or evil?
• Yeah! Low overhead to let everyone do groups
• Booo! Valuable institutional data squirreled away in unknowable spaces that go away
Configuration:
• on/off
• Root directory for personal namespace (“personal” above)

Further info & participation
MACE-Dir list
MACE-Dir-groups conference calls
http://middleware.internet2.edu/dir/groups