
Page 1: Grouper: A Toolkit for Managing Groups

Grouper: A Toolkit for Managing Groups

Tom Barton, blair christensen, University of Chicago

Page 2: Grouper: A Toolkit for Managing Groups

Fall 2004 I2MM

Outline

The problem with groups

Case study: U Chicago’s “USITE” computer labs

Tour of Grouper

USITE case study revisited

Grouper project status

Bonus round – personal groups

Page 3: Grouper: A Toolkit for Managing Groups


Groups facilitate …

Customization – application UI tailored to user’s affiliations with the organization

Authorization
• “Lightweight” - relationship info feeding access decisions
• “Heavyweight” - assignment of structured privileges to groups

Messaging, scheduling, & collaboration
• Departments, courses, programs, committees, teams, …

POSIX naming services

Page 4: Grouper: A Toolkit for Managing Groups


Group management issues

Coordinating many sources of information

Provisioning groups in many locations

Supporting several styles of access to group membership information

Aging of groups and of memberships

Use of subgroups vs. effective membership

Referring to set-theoretic combinations of groups (compound groups)

Privacy & visibility requirements

Page 5: Grouper: A Toolkit for Managing Groups


The USITE access problem

Must control access to computers in labs independently of the ability to authenticate: holding a valid campus credential does not by itself entitle someone to use a lab machine

U Chicago’s Networking Services & Information Technologies (NSIT) established the Identity Management Working Group to solve this type of problem

• You’ll see “nsit” and “usite” in names of things to follow

Page 6: Grouper: A Toolkit for Managing Groups


USITE access policy

Students
• 23 categories of current students
• Some entitle USITE access, some disenfranchise, others fail to entitle
• Time of year dependency for some categories

Current faculty & staff are entitled

Other more loosely affiliated people are not entitled

Exceptional administrative admits and denies across all categories above

Page 7: Grouper: A Toolkit for Managing Groups


Use of group management

Various elemental USITE-related categories of people are modeled as groups

Subgroups are used to roll-up effective admit or deny status

Some groups are automatically managed, others manually

Some roll-up groups are manually managed to deal with time dependency or change in access policy

Page 8: Grouper: A Toolkit for Managing Groups


Groups model for USITE access (ACL is “shaded green but not red”)

Diagram, reconstructed from the slide’s boxes (green = admit side, red = deny side):

  usite_eligible (manual) rolls up:
    admin_admit (manual)
    uc:faculty (auto)
    uc:staff (auto)
    categories of entitled students
    time dependent student categories

  usite_barred (manual) rolls up:
    categories of barred students
    admin_deny (manual)

  Lab ACL = effective members of usite_eligible who are not effective members of usite_barred

Page 9: Grouper: A Toolkit for Managing Groups


Management related groups

Management privileges for manually managed groups also need to be managed!

So, more groups list who has what authority in managing groups that mediate USITE access

• Director of Learning Environments
• Lab Managers
• Student staff

Page 10: Grouper: A Toolkit for Managing Groups


Data flow & Grouper’s role in USITE access

Diagram (labels recovered from the slide; the arrows did not survive extraction, so the pairing below follows the labels’ order and the auto/manual split described on the previous slides):

  • Sources of record: SIS, HR, feeding the Loaders
  • Loaders → Grouper API → Group registry (automatically managed groups)
  • Person registry (subjects the groups refer to)
  • Dir. Learning Environments, Lab Managers, Student staff → Grouper UI → Grouper API → Group registry (manually managed groups)
  • LDAP, where each person entry carries: uid: jdoe, ucAffiliation: …, isMemberOf: …
  • lab → Grouper API (membership check at the lab)

Page 11: Grouper: A Toolkit for Managing Groups


Grouper groups

Stored in an RDBMS, the Group Registry

Attributes of groups
• Name
• Description
• Members

Possible to extend the set of attributes to support groups with more specific purposes

Page 12: Grouper: A Toolkit for Managing Groups


Directory of groups

Groups are created within a hierarchy of directories, like files within a computer’s directory system

• Directories are also named
• Sometimes need to use the full name of a group, like the full pathname of a file

• Example: /nsit/usite/admin_admit

The directory delimiter can be configured for different effect

• Example: nsit:usite:admin_admit

Page 13: Grouper: A Toolkit for Managing Groups


Grouper privileges

Access privileges - who has what access (read, write) to a group’s attributes

Naming privileges - who can create a group or subdirectory in what part of the directory of groups

Page 14: Grouper: A Toolkit for Managing Groups


Access privileges

VIEW group’s name in lists & can refer to it, e.g., make it a subgroup of another group

READ basic information about a group

UPDATE membership and administer VIEW, READ, & UPDATE privileges

ADMIN can modify everything, including group name, description, & privileges, and can delete the group

OPTIN can add self to the members list

OPTOUT can remove self from the members list

Page 15: Grouper: A Toolkit for Managing Groups


Naming privileges

STEM privilege in a given directory enables creation of subdirectories and administration of CREATE and STEM privileges for the directory and its immediate subdirectories

• Motivating idea: a directory is a naming “stem” over which authority is exercised and delegated by those with stem privilege

CREATE a group in a given directory
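The two naming privileges as this slide describes them, modeled in Python as an added example (hypothetical code, not Grouper’s own API): STEM on a directory lets its holder create subdirectories and administer CREATE and STEM on that directory and its immediate subdirectories; CREATE lets its holder make groups in a directory. The subjects sysadmin, director and labmgr, the directories labs and east, the group crerar, and the bootstrap of the top-level stem are assumptions made for the walkthrough; the delegation itself follows the USITE setup later in the deck (stem privilege on nsit:usite given to the Director).

```python
"""Toy model of Grouper naming privileges (STEM, CREATE) on a directory hierarchy.
Hypothetical code written for this example; the rules are the ones the slide states."""


class NamingRegistry:
    def __init__(self, delimiter=":"):
        self.delim = delimiter      # configurable, e.g. ":" or "/"
        self.dirs = set()           # full names of existing directories (stems)
        self.groups = set()         # full names of existing groups
        self.grants = {}            # (directory, privilege) -> set of subject ids

    def parent(self, name):
        head, sep, _ = name.rpartition(self.delim)
        return head if sep else None

    def has(self, subject, priv, directory):
        return subject in self.grants.get((directory, priv), set())

    def bootstrap(self, directory, admin):
        """Seed a top-level stem; how Grouper bootstraps is not covered by the slide."""
        self.dirs.add(directory)
        self.grants.setdefault((directory, "STEM"), set()).add(admin)

    def create_dir(self, subject, directory):
        """STEM on the parent directory is what allows a subdirectory to be created."""
        parent = self.parent(directory)
        if parent not in self.dirs or not self.has(subject, "STEM", parent):
            raise PermissionError(f"{subject} lacks STEM on {parent!r}")
        self.dirs.add(directory)

    def create_group(self, subject, directory, name):
        """CREATE on the directory is what allows a group to be created in it."""
        if directory not in self.dirs or not self.has(subject, "CREATE", directory):
            raise PermissionError(f"{subject} lacks CREATE on {directory!r}")
        full = directory + self.delim + name
        self.groups.add(full)
        return full

    def grant(self, granter, priv, directory, subject):
        """A STEM holder administers CREATE/STEM on that directory and its immediate children."""
        if priv not in ("STEM", "CREATE") or directory not in self.dirs:
            raise ValueError("unknown privilege or directory")
        parent = self.parent(directory)
        if not (self.has(granter, "STEM", directory)
                or (parent is not None and self.has(granter, "STEM", parent))):
            raise PermissionError(f"{granter} cannot administer {priv} on {directory!r}")
        self.grants.setdefault((directory, priv), set()).add(subject)


def allowed(action):
    """True if the registry performs the action, False if it refuses."""
    try:
        action()
        return True
    except PermissionError:
        return False


def usite_delegation():
    """Walk the chain sysadmin -> Director -> lab manager and record what each may do."""
    reg = NamingRegistry()
    reg.bootstrap("nsit", "sysadmin")
    reg.create_dir("sysadmin", "nsit:usite")
    reg.grant("sysadmin", "STEM", "nsit:usite", "director")       # immediate child of nsit
    reg.create_dir("director", "nsit:usite:labs")
    reg.grant("director", "CREATE", "nsit:usite", "labmgr")
    reg.grant("director", "CREATE", "nsit:usite:labs", "labmgr")  # immediate child of nsit:usite
    return {
        "labmgr_group": reg.create_group("labmgr", "nsit:usite:labs", "crerar"),
        # CREATE does not carry STEM: a lab manager cannot add directories
        "labmgr_mkdir": allowed(lambda: reg.create_dir("labmgr", "nsit:usite:labs:east")),
        # STEM on nsit:usite stops one level down: no grandchildren until she holds STEM on labs
        "director_mkdir_deep": allowed(lambda: reg.create_dir("director", "nsit:usite:labs:east")),
        "director_self_stem": allowed(lambda: reg.grant("director", "STEM", "nsit:usite:labs", "director")),
        "director_mkdir_after": allowed(lambda: reg.create_dir("director", "nsit:usite:labs:east")),
        # sysadmin's STEM on nsit reaches nsit:usite but not nsit:usite:labs
        "sysadmin_grant_deep": allowed(lambda: reg.grant("sysadmin", "CREATE", "nsit:usite:labs", "x")),
    }


if __name__ == "__main__":
    for key, value in usite_delegation().items():
        print(key, value)
```

The point worth noticing is the one-level reach of STEM: the Director can delegate into nsit:usite:labs only because it is an immediate subdirectory of where she holds STEM, and before she can work two levels down she must first grant STEM on the intermediate directory (here, to herself). Authority therefore has to be extended stem by stem rather than flowing implicitly down the whole subtree, which is what makes the delegation auditable.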

Page 16: Grouper: A Toolkit for Managing Groups


Built-in privilege implementation

All access & naming privileges can be assigned to individual members or to groups

• Subgroups, compound groups, and aging can be used to manage privileges

Abstracted interfaces are presented for privilege management

• Sites can hook in their own privilege management and bypass Grouper’s built-in system

Page 17: Grouper: A Toolkit for Managing Groups


USITE revisited – Grouper’s role

Make an “nsit:usite” directory in the group registry

Groups created within it
• dir_learning_env, lab_managers, student_staff
• usite_eligible, usite_barred
• admin_admit, admin_deny

Give stem privilege for “nsit:usite” to the Director of Learning Environments

• She can run her groups empire within

Page 18: Grouper: A Toolkit for Managing Groups


USITE group access privileges (unqualified names in nsit:usite namespace)

Table, reconstructed from the slide’s boxes:

  Group                               Privileges
  usite_eligible                      A: dir_learning_env; V,R: all
  admin_admit                         U: usite_manage; V,R: usite_view
  uc:faculty                          V,R: all
  uc:staff                            V,R: all
  categories of entitled students     V: all (each category group)
  time dependent student categories   V: all (each category group)
  categories of barred students       V: all (each category group)
  admin_deny                          U: usite_manage; V,R: usite_view
  usite_barred                        A: dir_learning_env; V,R: all

(A = ADMIN, U = UPDATE, R = READ, V = VIEW, as on the access privileges slide; “all” = any subject)
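The roll-up on the USITE groups-model slide together with the access privileges on the slide above, modeled in Python as an added example (hypothetical code, not Grouper’s Java API). Subject ids such as director, labmgr, prof1 and stu2, the student-category group names students_entitled, students_timedep and students_barred, and the membership of usite_manage and usite_view (the management-privileges slide did not survive extraction) are assumptions; the group names, the auto/manual split and the grants are taken from the slides.

```python
"""Toy model of the USITE roll-up and the access privileges placed on it.
Hypothetical Python, not Grouper's API; subject ids, the student-category group
names and the membership of usite_manage / usite_view are constructed for the example."""
from dataclasses import dataclass, field

ALL = "all"          # wildcard grantee behind "V,R:all"
U = "nsit:usite:"    # directory holding the USITE groups


@dataclass
class Group:
    name: str                                   # full name, e.g. nsit:usite:admin_admit
    managed: str                                # "auto" (loader-fed) or "manual"
    members: set = field(default_factory=set)   # subject ids or full names of subgroups
    privs: dict = field(default_factory=dict)   # privilege -> set of grantees


class Registry:
    def __init__(self):
        self.groups = {}

    def add(self, name, managed, members=(), **privs):
        self.groups[name] = Group(name, managed, set(members),
                                  {p: set(g) for p, g in privs.items()})

    def effective_members(self, name, _seen=None):
        """Flatten subgroups into subjects; a group reached twice is expanded once."""
        seen = set() if _seen is None else _seen
        if name in seen:
            return set()
        seen.add(name)
        out = set()
        for m in self.groups[name].members:
            out |= self.effective_members(m, seen) if m in self.groups else {m}
        return out

    def acl(self, admit, deny):
        """'Shaded green but not red': anyone rolled up into deny is out, whoever admitted them."""
        return self.effective_members(admit) - self.effective_members(deny)

    def has_priv(self, subject, priv, group):
        """ADMIN covers every operation; any other privilege only what was granted.
        Grantees may be subjects, groups (resolved through effective membership) or ALL."""
        g = self.groups[group]
        grantees = g.privs.get(priv, set()) | g.privs.get("ADMIN", set())
        if ALL in grantees or subject in grantees:
            return True
        return any(subject in self.effective_members(x) for x in grantees if x in self.groups)


def build_registry():
    r = Registry()
    # management groups; how usite_manage and usite_view are composed is assumed
    r.add(U + "dir_learning_env", "manual", {"director"})
    r.add(U + "lab_managers", "manual", {"labmgr"})
    r.add(U + "student_staff", "manual", {"sstaff"})
    r.add(U + "usite_manage", "manual", {U + "dir_learning_env", U + "lab_managers"})
    r.add(U + "usite_view", "manual", {U + "usite_manage", U + "student_staff"})
    # elemental categories: uc:faculty / uc:staff are loader-fed, the student groups constructed
    r.add("uc:faculty", "auto", {"prof1", "prof2"}, VIEW=[ALL], READ=[ALL])
    r.add("uc:staff", "auto", {"staff1"}, VIEW=[ALL], READ=[ALL])
    r.add(U + "students_entitled", "auto", {"stu1", "stu2"}, VIEW=[ALL])
    r.add(U + "students_timedep", "manual", {"stu3"}, VIEW=[ALL])
    r.add(U + "students_barred", "auto", {"stu2"}, VIEW=[ALL])        # stu2 is on both sides
    mgmt = dict(UPDATE=[U + "usite_manage"], VIEW=[U + "usite_view"], READ=[U + "usite_view"])
    r.add(U + "admin_admit", "manual", {"guest1", "stu2"}, **mgmt)     # exceptional admits
    r.add(U + "admin_deny", "manual", {"prof2"}, **mgmt)               # exceptional denies
    # roll-ups: the green and the red side of the groups-model slide
    top = dict(ADMIN=[U + "dir_learning_env"], VIEW=[ALL], READ=[ALL])
    r.add(U + "usite_eligible", "manual", {U + "admin_admit", "uc:faculty", "uc:staff",
                                           U + "students_entitled", U + "students_timedep"}, **top)
    r.add(U + "usite_barred", "manual", {U + "students_barred", U + "admin_deny"}, **top)
    return r


REG = build_registry()


def usite_acl():
    """Who may log in at a lab: eligible minus barred."""
    return sorted(REG.acl(U + "usite_eligible", U + "usite_barred"))


def status(subject):
    """Admit only if on the green side and not on the red side."""
    return "admit" if subject in usite_acl() else "deny"


if __name__ == "__main__":
    print(usite_acl())                                               # stu2 and prof2 are absent
    print(REG.has_priv("labmgr", "UPDATE", U + "admin_admit"),
          REG.has_priv("labmgr", "UPDATE", U + "usite_eligible"))    # True False
```

Two things the run makes concrete. First, stu2 is denied although listed in admin_admit: with “green but not red” the red side wins, so an exceptional admit that has to beat a barred category cannot be expressed by adding the person to admin_admit; they have to leave the barred side. Second, a lab manager can change admin_admit (UPDATE, held through usite_manage) but not usite_eligible, whose only ADMIN is the Director’s group, which is the separation the management-related-groups slide argues for.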

Page 19: Grouper: A Toolkit for Managing Groups


USITE group management privileges (unqualified names in nsit:usite namespace)

Page 20: Grouper: A Toolkit for Managing Groups


Grouper v1 features

API & UI for basic group management
• Create, read, update, delete, import, export
• Distributed management
• Subgroups & compound groups
• Aging of groups and memberships

Abstracted interfaces for
• Group and directory privileges
• Subject lookup
• Last activity

Page 21: Grouper: A Toolkit for Managing Groups


Phases of Grouper v1 development

Phase 1: Basic management and export functions

Phase 2: Compound groups & Signet integration

Phase 3: Aging of groups and memberships

Phase 1 API available before end of year (2004, that is!)

Page 22: Grouper: A Toolkit for Managing Groups


Grouper deliverables

U Chicago - Java API

U Bristol - Java UI

You – contributed loaders & connectors

Subject Lookup implementation

• jointly with Signet project

Group Registry creation scripts & sample batch import/export scripts

Documentation

Page 23: Grouper: A Toolkit for Managing Groups


Grouper UI status

Conceptual mock-up completed

Modular design for look and feel

Grouper & Signet UIs will “leave the factory floor” bearing an I2 family resemblance

Page 24: Grouper: A Toolkit for Managing Groups


Personal groups

Any user can create groups named personal:username:groupname

Good or evil?
• Yeah! Low overhead to let everyone do groups
• Booo! Valuable institutional data squirreled away in unknowable spaces that go away

Configuration:
• on/off
• Root directory for personal namespace (“personal” above)

Page 25: Grouper: A Toolkit for Managing Groups


Further info & participation

MACE-Dir list

MACE-Dir-groups conference calls

http://middleware.internet2.edu/dir/groups