Grouper: A Toolkit for Managing Groups
Tom Barton
blair christensen
University of Chicago
Outline
The problem with groups
Case study: U Chicago’s “USITE” computer labs
Tour of Grouper
USITE case study revisited
Grouper project status
Bonus round – personal groups
Fall 2004 I2MM
Groups facilitate …
Customization – application UI tailored to the user’s affiliations with the organization
Authorization
• “Lightweight” - relationship info feeding access decisions
• “Heavyweight” - assignment of structured privileges to groups
Messaging, scheduling, & collaboration
• Departments, courses, programs, committees, teams, …
Posix naming services
Group management issues
Coordinating many sources of information
Provisioning groups in many locations
Supporting several styles of access to group membership information
Aging of groups and of memberships
Use of subgroups vs. effective membership
Referring to set theoretic combinations of groups (compound groups)
Privacy & visibility requirements
The USITE access problem
Must control access to computers in labs independent of ability to authenticate
U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem
• You’ll see “nsit” and “usite” in names of things to follow
USITE access policy
Students
• 23 categories of current students
• Some entitle USITE access, some disenfranchise, others fail to entitle
• Time of year dependency for some categories
Current faculty & staff are entitled
Other more loosely affiliated people are not entitled
Exceptional administrative admits and denies across all categories above
Use of group management
Various elemental USITE-related categories of people are modeled as groups
Subgroups are used to roll up effective admit or deny status
Some groups are automatically managed, others manually
Some roll-up groups are manually managed to deal with time dependency or change in access policy
Groups model for USITE access
(ACL is “shaded green but not red”: a person is admitted if in usite_eligible and not in usite_barred)
usite_eligible (manual, green), rolled up from subgroups:
• admin_admit (manual)
• uc:faculty (auto)
• uc:staff (auto)
• categories of entitled students
• time dependent student categories
usite_barred (manual, red), rolled up from subgroups:
• admin_deny (manual)
• categories of barred students
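The roll-up of subgroups into effective membership and the “green but not red” set difference, as an added example that is not Grouper’s own code. The subject ids, the student category groups, the summer time window, the cycle guard and the ISO-date parameter are assumptions made for illustration; the group names follow the nsit:usite naming used on the slides.

```python
"""Effective membership and the USITE "eligible but not barred" ACL.

Added example, not Grouper's own code: a minimal in-memory group registry
modelling the slide's roll-up groups.  The subject ids, the student
category groups, the summer time window and the cycle guard are assumptions
made for illustration.
"""
from datetime import date

# Group registry: direct members of each group are subjects (plain strings)
# or other groups (names that are themselves registry keys).  Constructed data.
REGISTRY = {
    # auto-managed groups fed by the HR loader
    "uc:faculty": {"fprof"},
    "uc:staff": {"sadmin", "jdoe"},
    # elemental student categories fed by the SIS loader
    "nsit:usite:student_cat_a": {"alice", "bob"},   # entitles access
    "nsit:usite:student_cat_b": {"carol"},           # bars access
    "nsit:usite:student_summer": {"dave"},           # entitles in summer only
    # manual exception lists
    "nsit:usite:admin_admit": {"guest1"},
    "nsit:usite:admin_deny": {"bob"},
    # manual roll-up groups: subgroups give the effective admit / deny status
    "nsit:usite:usite_eligible": {
        "nsit:usite:admin_admit", "uc:faculty", "uc:staff",
        "nsit:usite:student_cat_a", "nsit:usite:student_summer",
    },
    "nsit:usite:usite_barred": {
        "nsit:usite:admin_deny", "nsit:usite:student_cat_b",
    },
}

# Time dependency (constructed): a category only contributes members while
# its window is open.  The slides handle this by hand in the roll-up groups;
# here it is modelled as a filter so the effect can be tested for any date.
ACTIVE_WINDOWS = {
    "nsit:usite:student_summer": (date(2004, 6, 15), date(2004, 9, 15)),
}


def effective_members(group, on=None, registry=REGISTRY, _seen=None):
    """Flatten subgroups into the set of subjects that are effective members.

    `on` is an ISO date ("2004-11-01"); None means today.  `_seen` guards
    against cycles, which a registry with distributed management can contain.
    """
    today = date.fromisoformat(on) if on else date.today()
    seen = _seen if _seen is not None else set()
    if group in seen:
        return set()
    seen.add(group)
    window = ACTIVE_WINDOWS.get(group)
    if window and not (window[0] <= today <= window[1]):
        return set()
    members = set()
    for m in registry.get(group, set()):
        if m in registry:                       # a subgroup: recurse into it
            members |= effective_members(m, on, registry, seen)
        else:
            members.add(m)
    return members


def usite_acl(on=None):
    """The compound group "eligible but not barred": a set difference, so a
    deny in usite_barred wins over any route into usite_eligible."""
    return (effective_members("nsit:usite:usite_eligible", on)
            - effective_members("nsit:usite:usite_barred", on))


def may_use_lab(uid, on=None):
    return uid in usite_acl(on)
```

The point worth checking against this model is that “bob” is reachable through an entitled student category and still denied, because the ACL is a set difference rather than a merged list; a provisioning step that flattened usite_eligible and usite_barred into one isMemberOf attribute would lose that ordering unless the consumer re-applied it.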
Management related groups
Management privileges for manually managed groups also need to be managed!
So, more groups list who has what authority in managing groups that mediate USITE access
• Director of Learning Environments
• Lab Managers
• Student staff
Data flow & Grouper’s role in USITE access
(diagram) Loaders pull from SIS and HR into the Person registry and, through the Grouper API, into the Group registry. The Director of Learning Environments, Lab Managers and Student staff maintain the manual groups through the Grouper UI, which itself uses the Grouper API. The Grouper API provisions group memberships to LDAP, which the lab consults; a person’s LDAP entry carries, for example:
uid: jdoe
ucAffiliation: …
isMemberOf: …
Grouper groups
Stored in an RDBMS, the Group Registry
Attributes of groups
• Name
• Description
• Members
Possible to extend the set of attributes to support groups with more specific purposes
Directory of groups
Groups are created within a hierarchy of directories, like files within a computer’s directory system
• Directories are also named
• Sometimes need to use the full name of a group, like the full pathname of a file
• Example: /nsit/usite/admin_admit
The directory delimiter can be configured for different effect
• Example: nsit:usite:admin_admit
Grouper privileges
Access privileges - who has what access (read, write) to a group’s attributes
Naming privileges - who can create a group or subdirectory in what part of the directory of groups
Access privileges
VIEW group’s name in lists & can refer to it, e.g., make it a subgroup of another group
READ basic information about a group
UPDATE membership and administer VIEW, READ, & UPDATE privileges
ADMIN can modify everything, including group name, description, & privileges, and can delete the group
OPTIN can add self to the members list
OPTOUT can remove self from the members list
Naming privileges
STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories
• Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege
CREATE a group in a given directory
Built-in privilege implementation
All access & naming privileges can be assigned to individual members or to groups
• Subgroups, compound groups, and aging can be used to manage privileges
Abstracted interfaces are presented for privilege management
• Sites can hook in their own privilege management and bypass Grouper’s built-in system
USITE revisited – Grouper’s role
Make an “nsit:usite” directory in the group registry
Groups created within it
• dir_learning_env, lab_managers, student_staff
• usite_eligible, usite_barred
• admin_admit, admin_deny
Give stem privilege for “nsit:usite” to the Director of Learning Environments
• She can run her groups empire within
USITE group access privileges
(unqualified names in nsit:usite directory; A = ADMIN, U = UPDATE, V = VIEW, R = READ)
usite_eligible                       A: dir_learning_env    V,R: all
usite_barred                         A: dir_learning_env    V,R: all
admin_admit                          U: usite_manage        V,R: usite_view
admin_deny                           U: usite_manage        V,R: usite_view
uc:faculty                           V,R: all
uc:staff                             V,R: all
categories of entitled students      V: all
categories of barred students        V: all
time dependent student categories    V: all
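The access and naming privilege model of the preceding slides (VIEW/READ/UPDATE/ADMIN/OPTIN/OPTOUT on groups, CREATE/STEM on directories, the configurable delimiter), applied to the grants in the table above, as an added example that is not Grouper’s own code. The subject ids, the members of usite_manage and usite_view, the implication order among access privileges, and the personal-namespace rule are assumptions made for illustration; this block resolves grants against direct membership only.

```python
"""Grouper-style access and naming privileges resolved against groups.

Added example, not Grouper's own code.  It applies the privilege model of the
slides (VIEW/READ/UPDATE/ADMIN/OPTIN/OPTOUT on groups, CREATE/STEM on
directories) to the grants on the USITE access-privileges slide.  The subject
ids, the members of usite_manage / usite_view, the implication order and the
personal-namespace rule are assumptions made for illustration.
"""

DELIM = ":"      # configurable directory delimiter (slides show "/" and ":")
ALL = "all"      # the built-in "everyone" grantee
PERSONAL_ROOT = "personal"   # personal groups personal:<uid>:<name>; None = off

# Holding a higher access privilege implies the lower ones (ADMIN > UPDATE >
# READ > VIEW); OPTIN / OPTOUT are independent self-service privileges.
ACCESS_ORDER = ["VIEW", "READ", "UPDATE", "ADMIN"]
SELF_SERVICE = {"OPTIN", "OPTOUT"}

# Direct members of the management groups (constructed; the subgroup roll-up
# into effective membership is left out of this block).
MEMBERS = {
    "nsit:usite:dir_learning_env": {"dle"},
    "nsit:usite:lab_managers": {"lm1"},
    "nsit:usite:student_staff": {"ss1"},
    "nsit:usite:usite_manage": {"dle", "lm1"},
    "nsit:usite:usite_view": {"dle", "lm1", "ss1"},
}

DLE, MANAGE, VIEWERS = ("nsit:usite:dir_learning_env",
                        "nsit:usite:usite_manage", "nsit:usite:usite_view")
# Access grants as on the "USITE group access privileges" slide
ACCESS_GRANTS = {
    "nsit:usite:usite_eligible": {"ADMIN": {DLE}, "VIEW": {ALL}, "READ": {ALL}},
    "nsit:usite:usite_barred":   {"ADMIN": {DLE}, "VIEW": {ALL}, "READ": {ALL}},
    "nsit:usite:admin_admit":    {"UPDATE": {MANAGE}, "VIEW": {VIEWERS}, "READ": {VIEWERS}},
    "nsit:usite:admin_deny":     {"UPDATE": {MANAGE}, "VIEW": {VIEWERS}, "READ": {VIEWERS}},
    "uc:faculty": {"VIEW": {ALL}, "READ": {ALL}},
    "uc:staff":   {"VIEW": {ALL}, "READ": {ALL}},
}
# Naming grants: STEM on nsit:usite delegated to the Director's group
NAMING_GRANTS = {"nsit:usite": {"STEM": {DLE}}}


def holds(subject, grantee):
    """A grant applies to a subject if made to everyone, to the subject, or to
    a group the subject belongs to."""
    return grantee == ALL or grantee == subject or subject in MEMBERS.get(grantee, set())


def has_access(subject, group, priv):
    grants = ACCESS_GRANTS.get(group, {})
    wanted = [priv] if priv in SELF_SERVICE else ACCESS_ORDER[ACCESS_ORDER.index(priv):]
    return any(holds(subject, g) for p in wanted for g in grants.get(p, set()))


def can_grant_access(subject, group, priv):
    """UPDATE holders administer VIEW/READ/UPDATE; ADMIN holders administer all."""
    if has_access(subject, group, "ADMIN"):
        return True
    return priv in {"VIEW", "READ", "UPDATE"} and has_access(subject, group, "UPDATE")


def has_naming(subject, stem, priv):
    if PERSONAL_ROOT and priv == "CREATE" and stem == DELIM.join((PERSONAL_ROOT, subject)):
        return True                     # everyone may create personal groups
    return any(holds(subject, g) for g in NAMING_GRANTS.get(stem, {}).get(priv, set()))


def can_create_group(subject, full_name):
    """CREATE in the directory that will hold the group."""
    return has_naming(subject, full_name.rpartition(DELIM)[0], "CREATE")


def can_create_stem(subject, new_stem):
    """STEM in the parent directory allows creating a subdirectory."""
    return has_naming(subject, new_stem.rpartition(DELIM)[0], "STEM")


def can_grant_naming(subject, stem, priv):
    """STEM holders administer CREATE/STEM on that directory and its immediate
    subdirectories."""
    parent = stem.rpartition(DELIM)[0]
    return priv in {"CREATE", "STEM"} and (
        has_naming(subject, stem, "STEM") or has_naming(subject, parent, "STEM"))


def grant_naming(actor, stem, priv, grantee):
    """Delegation step: the Director, holding STEM on nsit:usite, hands CREATE
    on it to the lab managers.  STEM alone does not let her create groups."""
    if not can_grant_naming(actor, stem, priv):
        raise PermissionError(f"{actor} may not grant {priv} on {stem}")
    NAMING_GRANTS.setdefault(stem, {}).setdefault(priv, set()).add(grantee)
```

Two properties of the slide’s design show up directly: membership of admin_deny is only visible to usite_view, so the privacy requirement from the group management issues slide is met by an access grant rather than by hiding the group, and the Director’s STEM privilege lets her delegate CREATE inside nsit:usite without anyone outside that stem being involved.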
USITE group management privileges
(unqualified names in nsit:usite directory)
Grouper v1 features
API & UI for basic group management
• Create, read, update, delete, import, export
• Distributed management
• Subgroups & compound groups
• Aging of groups and memberships
Abstracted interfaces for
• Group and directory privileges
• Subject lookup
• Last activity
Phases of Grouper v1 development
Phase 1: Basic management and export functions
Phase 2: Compound groups & Signet integration
Phase 3: Aging of groups and memberships
Phase 1 API available before end of November 2004
Grouper deliverables
U Chicago - Java API
U Bristol - Java UI
You – contributed loaders & connectors
Subject Lookup implementation
• jointly with Signet project
Group Registry creation scripts & sample batch import/export scripts
Documentation
Grouper UI status
Conceptual mock-up completed
Modular design for look and feel
Grouper & Signet UIs will “leave the factory floor” bearing an I2 family resemblance
Personal groups
Any user can create groups named personal:username:groupname
Good or evil?
• Yeah! Low overhead to let everyone do groups
• Booo! Valuable institutional data squirreled away in unknowable spaces that go away
Configuration:
• on/off
• Root directory for personal namespace (“personal” above)
Further info & participation
MACE-Dir list
MACE-Dir-groups conference calls
http://middleware.internet2.edu/dir/groups