Introduction to Grouper

chaney
Presentation Transcript


  1. Introduction to Grouper

  2. Grouper story
     • Open source, community-driven project of the Internet2 Middleware Initiative
     • Initial release v0.5 in December 2004
     • Grouper originally focused on robust management of groups, emphasizing:
       • Delegation and distributed management
       • Integration with almost any existing IdM infrastructure. See case studies and campus contributions at:
         https://spaces.internet2.edu/display/Grouper/Community+Contributions
     • Grouper v2.0 provides a broader set of access management capabilities, including roles & permissions
       • Released 6 September 2011

  3. Access management is a process: making authZ more than authN
     • Start out using a single user attribute, affiliation, in LDAP or AD to let applications implement access policies
     • Enrich centralized access management using groups determined from systems of record
       • Courses, financial accounts, departments
     • Define service-specific access policies in the central IAM system
     • Get central IT out of the loop
       • Distributed management
       • Exceptions
       • Departmental apps
     • Increase integration of access management
       • Direct application integration with web services
       • ESB/SOA, REST/SOAP
       • Roles & privileges to support applications more deeply

  4. Grouper: core concepts
     (diagram labels) Folders in hierarchies; Group; Direct members; Subgroup; Indirect members; Composite groups (set operations such as union, shown as U)

  5. Security & delegation in Grouper
     Privileges (diagram labels):
     • Create groups
     • Create subfolders
     • Admin
     • Update membership
     • Read membership
     • View group
     • Opt-in
     • Opt-out
     Delegation

  6. Beyond groups
     (diagram labels) Attributes; Role inheritance; Roles; Permissions; Attribute definition; Permission definition
     Delegation model extends that for Groups

  7. Access management lifecycle support
     • Membership start & end times (optional)
     • Move or copy folders, groups, etc.
     • User audit
     • Point-in-time audit
     • Rules

  8. Grouper components as of v2.0

  9. New and improved in Grouper v2.0

  10. Tom Barton’s UChicago group memberships

  11. Memberships become LDAP attributes

     dn: uid=tbarton,ou=people,dc=uchicago,dc=edu
     ucismemberof: uc:org:nsit:integration:techag
     ucismemberof: uc:org:nsit:srdirs
     ucismemberof: uc:org:nsit:integration:iteco:wr
     ucismemberof: uc:applications:confluence:NSIT:esx
     ucismemberof: uc:org:nsit:integration:iteco:rd
     ucismemberof: uc:applications:confluence:NSIT:Directors
     ucismemberof: uc:org:nsit:staff
     ucismemberof: uc:applications:confluence:NSIT:Everyone
     ucismemberof: uc:org:nsit:integration:shib_group
     ucismemberof: uc:applications:bulkmail:users
     ucismemberof: uc:org:library:gnet:admins
     ucismemberof: uc:applications:gnetid:admins
     ucismemberof: uc:applications:wireless:authorized
     ucismemberof: uc:applications:cmail:users:authorized
     ucismemberof: uc:reference:affiliations:effective:staff

     LDAP entry for uid=tbarton,ou=people,dc=uchicago,dc=edu (excerpt shown in the diagram):
     ucIsMemberOf: uc:org:nsit:srdirs
     ucIsMemberOf: uc:reference:affiliations:effective:staff
     ucIsMemberOf: uc:applications:vpn:authorized

  12. UChicago VPN simple delegation example
     Different groups, different authorities. VPN only uses "vpn:authorized".
     (diagram labels) IdM system; Core business systems; IRB; IT Security Team; IRB Office; eligible; denied; staff; student; postdoc; alum; hospital; locked; vpn:authorized; "−" = closure (eligible minus denied)
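The following is an added example, not Grouper code or the presenter's, that models the core concepts of slide 4 (folders, direct and indirect members, composite groups), the slide 12 delegation pattern (vpn:authorized = eligible minus denied, with different authorities maintaining the eligible and denied sides) and the slide 11 provisioning of memberships as a multi-valued LDAP attribute. Subjects and the group names other than uc:applications:vpn:authorized and uc:reference:affiliations:effective:staff are constructed for illustration; the attribute name ucIsMemberOf is taken from slide 11. The last function shows the consumer side: an application that only reads the provisioned attribute, as the VPN does.

```python
# Added example (not Grouper's own code): a toy registry of Grouper-style groups,
# effective-membership flattening with composite set operations, and export of the
# memberships as isMemberOf-style LDAP attribute values.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class Group:
    """A group: direct members plus member groups, or a composite of two groups."""
    name: str
    direct: Set[str] = field(default_factory=set)      # subject ids added directly
    subgroups: Set[str] = field(default_factory=set)   # names of groups that are members
    # ("union" | "intersection" | "complement", left_group, right_group) or None
    composite: Optional[Tuple[str, str, str]] = None


class Registry:
    def __init__(self):
        self.groups = {}

    def add(self, group: Group) -> Group:
        self.groups[group.name] = group
        return group

    def effective_members(self, name: str, _stack=()) -> Set[str]:
        """Flatten a group to the subjects that are direct or indirect members."""
        if name in _stack:
            # A group that transitively contains itself would recurse forever;
            # the cycle contributes nothing beyond what is already being computed.
            return set()
        group = self.groups[name]
        stack = _stack + (name,)
        if group.composite:
            op, left, right = group.composite
            lhs = self.effective_members(left, stack)
            rhs = self.effective_members(right, stack)
            return {"union": lhs | rhs, "intersection": lhs & rhs, "complement": lhs - rhs}[op]
        result = set(group.direct)
        for sub in group.subgroups:
            result |= self.effective_members(sub, stack)   # indirect members via subgroups
        return result

    def is_member_of(self, subject: str):
        """Group names that would be provisioned as isMemberOf values for a subject."""
        return sorted(n for n in self.groups if subject in self.effective_members(n))

    def ldif_entry(self, subject: str, base_dn: str, attr: str = "ucIsMemberOf") -> str:
        """Render the subject's entry the way slide 11 shows it (dn plus one value per group)."""
        lines = [f"dn: uid={subject},{base_dn}"]
        lines += [f"{attr}: {g}" for g in self.is_member_of(subject)]
        return "\n".join(lines)


def build_vpn_registry() -> Registry:
    """Constructed data mirroring slide 12: eligibility from systems of record,
    denials from the IRB office and IT Security, VPN reads only vpn:authorized."""
    r = Registry()
    staff = r.add(Group("uc:reference:affiliations:effective:staff", direct={"tbarton", "alice"}))
    student = r.add(Group("uc:reference:affiliations:effective:student", direct={"bob"}))  # hypothetical name
    r.add(Group("uc:applications:vpn:eligible", subgroups={staff.name, student.name}))    # hypothetical name
    locked = r.add(Group("uc:security:locked", direct={"alice"}))                         # hypothetical: IT Security's group
    # IRB office adds an exception directly; IT Security's locked group is nested as a subgroup.
    r.add(Group("uc:applications:vpn:denied", direct={"carol"}, subgroups={locked.name}))  # hypothetical name
    r.add(Group("uc:applications:vpn:authorized",
                composite=("complement", "uc:applications:vpn:eligible", "uc:applications:vpn:denied")))
    return r


def ldif_has_value(ldif_text: str, attr: str, value: str) -> bool:
    """Application-side check: is `value` among the multi-valued attribute's values?
    LDAP attribute names are case-insensitive (ucismemberof vs ucIsMemberOf on slide 11);
    group names are compared exactly. Only the first ':' separates name from value, so
    the ':' characters inside Grouper group names are preserved."""
    for line in ldif_text.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == attr.lower() and val.strip() == value:
            return True
    return False


if __name__ == "__main__":
    reg = build_vpn_registry()
    entry = reg.ldif_entry("tbarton", "ou=people,dc=uchicago,dc=edu")
    print(entry)
    print("vpn access:", ldif_has_value(entry, "ucismemberof", "uc:applications:vpn:authorized"))
```

Note that alice is eligible through the staff group but loses VPN access because IT Security placed her in the locked group, which the IRB office's denied group includes as a subgroup: neither authority edits the other's group, and the VPN never evaluates policy itself, it only checks the provisioned attribute value.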

  13. UChicago applications managed by Grouper, so far
     aams, Ad Astra, Bulkmail, Business Objects Enterprise, Chalk, CityRyde, Cmail, cnet, Confluence, Directory Administration, dmca, Facilities SIMS, gnetid, grouper, im, isx, IT Ecosystem, Lab School, LDAP, lists, Mail Forwarding, Microsoft Exchange, modem pool, myUChicago, online directory, password expiration, rt, Service Now, shibboleth, Statements portlet, SVN, tank, UC Groups, unifiedcomm, uPoV Monitor, versions, voip, vpn, web hosting, webproxy, Webshare, webspace, wireless
