TRANSCRIPT
Managing Authorization with Signet and Grouper
Tom Barton, University of Chicago
Lynn McRae, Stanford University
Slide 2: Groups and Privilege management
• Groups
  • Who someone is (identity)
  • Populations sharing a common characteristic
  • Institutional role, departmental, personal
• Privileges
  • What someone can do (permissions)
  • Involve a person, an action, a resource and a context
• Exploring Grouper and Signet…
  • Groups for eligibility & authorization
  • Privileges, policy & permissions
Slide 3: Stone Age
[Diagram] Seven individuals (Clark, Leo, George, Lois, Peter, Nick, Ed) are entered by name into the access control lists (ACLs) of three applications (Admin, Input, Reporting); every application keeps its own ACL of individuals.
Slide 4: Middle Ages
[Diagram] Functional Groups: each application now has one access list: Admin (George, Nick); Input (George, Nick, Clark, Lois); Reporting (George, Nick, Clark, Lois, Peter, Leo, Ed).
Slide 5: Renaissance
[Diagram] "Role" Groups: people are grouped by role and the roles are attached to the applications: Owner (George, Nick) for Admin; Staff (Clark, Lois); Clients (Peter, Leo, Ed); Input and Reporting draw their access from these role groups.
Slide 6: 20th century
[Diagram] Enterprise roles and affiliations (Owner, Staff, Client, Faculty) maintained by Identity Management! replace the hand-built role groups; Admin, Input and Reporting consume them.
Slide 7: Groups Management
[Diagram] Groups management adds user-maintained groups (Admins, Staff, Faculty, Clients) next to the enterprise roles that Admin, Input and Reporting already consume.
Slide 8: Something still missing
[Diagram] Each application still defines its own permissions and binds them to Staff and Client on its own: Maint (Admin); Input (View, Update, Delete); Reporting (Check out, Submit).
Each system interprets policy and sets access rules separately.
Slide 9: Privilege Management
[Diagram] An Access Manager holds the Policy: Permissions (Manage, Read, ReadWrite) are assigned to groups (Admins, Staff, Faculty, Clients) and to Individuals. Each application enforces that policy through a PEP (policy enforcement point) that maps it onto its own operations: Maint; Input (View, Update, Delete); Reporting (Check out, Submit), with the roles Author and Reader.
Slide 10: Identity & Access Management Reality
• Each person's online activities are shaped by many Sources of Authority (SoAs)
  • Institutional policy making bodies
  • Resource managers
  • Program/activity/project heads
  • Self
• Management of the information it conveys should be distributed
  • Hook up all of those SoAs to the middleware
• Common middleware infrastructure should be operated centrally
  • To not oblige departments/programs/activities to build their own core middleware
Slide 11: Connecting SoAs, Integrating with Existing Infrastructure
[Diagram only]
Slide 12: Relative Roles of Signet & Grouper
RBAC model
• Users are placed into groups (aka "roles")
• Privileges are assigned to groups
• Groups can be arranged into hierarchies to effectively bestow privileges
Grouper and Signet
• Grouper manages, well, groups
• Signet manages privileges
• Separates responsibilities for groups & privileges
Slide 13: The duck test…
Grouper
• Binary info – you're either in some list or not
• Identity- or affiliation-based access control or distribution
• Identification layer of an encompassing access management scheme
• Locally tweak or combine other groups
Signet
• Structured, qualified info – limits, conditions, scope, …
• Oriented to individuals rather than roles
• Human judgment and chain of authority essential for access decisions
• Enable functional, not just technical, people to manage privileges
• Supports policy control closer to source of authority
• Audit requirements
Slide 14: Illustrative Use Cases: Blackboard Collaboration Support
• What
  • Setup tools to support collaboration for "organizations" or groups (in addition to classes)
• Grouper function
  • Registration. Organization liaison given group in which to maintain organization membership
• Signet function
  • Manage which tools are enabled for which organizations
  • Coordinates services across systems
Slide 15: Illustrative Use Cases: Computer Cluster Access
• What
  • Express complex access policy in LDAP attributes that condition workstation login
• Grouper function
  • Group hierarchy based on fine-grained affiliations classifies all UChicago people according to eligibility policy
  • Whitelist & blacklist policy exception capability given to cluster administrators
  • Cluster admins tweak classifying hierarchy as needed
• Signet function
  • None at present. Would be used if, for example, departments were to authorize access to their own computer labs
Slide 16: Illustrative Use Cases: Expense Management System
• What
  • Import user profile data into an EMS
• Grouper function
  • Maintain EMS-specific organizational hierarchy
• Signet function
  • Assign who gets approval priv for which parts of the EMS Org Hierarchy
Slide 17: Nutshell Description of Grouper
• Mix of manual and automation processes manage a common Group Registry
  • Stored in an RDBMS
  • Automation processes provision info from the Group Registry into LDAP, AD, directly into app-specific databases, wherever the value of the info warrants spending the resources to place it there
• Two types of managed objects: groups and namespaces (or "naming stems")
  • Groups are created/named within a namespace
• Group management authority is delegatable
  • By group or by namespace
Slide 18: Grouper Architecture
[Diagram only]
Slide 19: Group Attributes
[Diagram only]
Slide 20: Grouper Groups
• Any "subject" can be a group member or privilegee
  • Persons, groups, site-defined subject types
  • Uses Subject API developed by Grouper+Signet teams
• Subgroups (now), compound groups (v1.0), and aging (v1.1) of groups and memberships
• Privileges
  • ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT
• Group attribute set can be site-extended
Slide 21: Namespaces or Stems
[Diagram only]
Slide 22: Grouper Namespaces
• Groups are created within namespaces
  • Limits the authority to create and name groups
  • Support distinct activities with own authority
• Namespaces can be arranged hierarchically
• Privileges
  • STEM – create subordinate namespaces; assign privs for this namespace
  • CREATE – create groups in this namespace
Slide 23: Example: Computer Cluster Access
[Diagram] Group hierarchy:
it:labs:eligible (manual), composed of:
  • it:labs:whitelist (manual)
  • uc:faculty (auto)
  • uc:staff (auto)
  • categories of entitled students (auto)
  • time dependent student categories (auto)
it:labs:barred (manual), composed of:
  • it:labs:blacklist (manual)
  • categories of barred students (auto)
Allow access if "eligible" but not "barred"
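Added worked example (my code, not Grouper's): the "eligible but not barred" rule evaluated over a small registry with nested groups, and the isMemberOf values a provisioning job would write for each person. The group names follow Grouper's stem:group convention; the subject ids, which subjects sit in which feed group, and the rule that a member which is itself a registry key is a subgroup are all constructed for the example.

```python
from typing import Dict, Set

# Constructed registry: group name -> direct members. A member that is
# itself a key of the registry is a subgroup; anything else is a subject id.
REGISTRY: Dict[str, Set[str]] = {
    # loaded automatically from HR / SIS feeds
    "uc:faculty": {"fsmith"},
    "uc:staff": {"jdoe"},
    "uc:students:entitled": {"astudent", "bstudent", "cstudent"},
    "uc:students:timedep": {"dstudent"},
    "uc:students:barred": {"cstudent"},
    # manually maintained exception lists delegated to the lab admins
    "it:labs:whitelist": {"guest1"},
    "it:labs:blacklist": {"dstudent"},
    # policy groups composed out of the above (manual)
    "it:labs:eligible": {
        "it:labs:whitelist", "uc:faculty", "uc:staff",
        "uc:students:entitled", "uc:students:timedep",
    },
    "it:labs:barred": {"it:labs:blacklist", "uc:students:barred"},
}


def effective_members(registry: Dict[str, Set[str]], group: str,
                      _seen: Set[str] = None) -> Set[str]:
    """Transitive membership through subgroups; tolerates cycles."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return set()
    _seen.add(group)
    members: Set[str] = set()
    for m in registry.get(group, set()):
        if m in registry:                      # nested group: recurse
            members |= effective_members(registry, m, _seen)
        else:
            members.add(m)
    return members


def lab_access_allowed(registry: Dict[str, Set[str]], subject: str) -> bool:
    """The slide's rule: allow if 'eligible' but not 'barred'. Because the
    blacklist is folded into 'barred', it overrides the whitelist."""
    return (subject in effective_members(registry, "it:labs:eligible")
            and subject not in effective_members(registry, "it:labs:barred"))


def ldap_entry(registry: Dict[str, Set[str]], subject: str) -> Dict[str, object]:
    """What a provisioning job would write: isMemberOf lists every effective
    group, so the login PEP only needs two set tests on the policy groups."""
    groups = sorted(g for g in registry
                    if subject in effective_members(registry, g))
    return {"uid": subject, "isMemberOf": groups}


if __name__ == "__main__":
    for s in ("jdoe", "guest1", "cstudent", "dstudent", "nobody"):
        print(s, lab_access_allowed(REGISTRY, s), ldap_entry(REGISTRY, s))
```

The point worth noticing is that a student who is in an entitled category but also in a barred category (cstudent) is denied without anyone editing the manual lists: the automated feeds and the manual exceptions combine through the same two policy groups.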
Slide 24: Data Flow & Grouper Roles in Computer Cluster Access
[Diagram] SIS and HR feeds are loaded (Loaders, through the Grouper API) into the Person Registry and the Groups Registry; group managers work through the Grouper UI (again via the Grouper API); a further Grouper API process provisions the result into LDAP entries of the form: uid: jdoe; ucAffiliation: …; isMemberOf: …. Grouper roles in this use case: Lab Director – ADMIN; Lab Managers – UPDATE; On-site staff – READ.
Slide 25: Five Ways to Delegate Group Management
1. Create a group and assign someone to manage its membership (UPDATE)
2. Create a group and assign someone to manage who manages the group’s membership and who can see what about the group (ADMIN)
3. Create a namespace and assign someone to create groups within it (CREATE)
4. Create a namespace and assign someone to manage who can create groups within it (STEM)
5. Allow Self to OPTIN or OPTOUT of membership
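Added worked example (my code, not Grouper's): the five delegation patterns above expressed as explicit privilege checks over a toy group registry. The privilege names are Grouper's (ADMIN, UPDATE, READ, VIEW, OPTIN, OPTOUT on groups; STEM, CREATE on namespaces); that ADMIN implies the other group privileges, that a group's creator holds ADMIN on it, and the "*" wildcard grant are assumptions of this example, as are the subject and namespace names.

```python
from typing import Callable, Dict, Set

GROUP_PRIVS = ("ADMIN", "UPDATE", "READ", "VIEW", "OPTIN", "OPTOUT")
STEM_PRIVS = ("STEM", "CREATE")
EVERYONE = "*"   # assumed stand-in for a grant to every subject


class Registry:
    """Toy Group Registry: every change is gated on a Grouper-style privilege."""

    def __init__(self, root_admin: str):
        # namespace -> {priv -> holders}; "" is the root namespace
        self.stems: Dict[str, Dict[str, Set[str]]] = {
            "": {"STEM": {root_admin}, "CREATE": set()}}
        # group -> {"members": set, "privs": {priv -> holders}}
        self.groups: Dict[str, dict] = {}

    def _stem_priv(self, actor, stem, priv) -> bool:
        return stem in self.stems and actor in self.stems[stem][priv]

    def _group_priv(self, actor, group, priv) -> bool:
        privs = self.groups[group]["privs"]
        if actor in privs["ADMIN"]:            # assumption: ADMIN implies all
            return True
        return actor in privs[priv] or EVERYONE in privs[priv]

    @staticmethod
    def _require(ok: bool, actor, priv, target) -> None:
        if not ok:
            raise PermissionError(f"{actor} lacks {priv} on {target!r}")

    # namespace operations (ways 3 and 4)
    def create_stem(self, actor, parent, name) -> str:
        self._require(self._stem_priv(actor, parent, "STEM"), actor, "STEM", parent)
        full = f"{parent}:{name}" if parent else name
        self.stems[full] = {"STEM": {actor}, "CREATE": set()}
        return full

    def grant_stem_priv(self, actor, stem, priv, subject) -> None:
        assert priv in STEM_PRIVS
        self._require(self._stem_priv(actor, stem, "STEM"), actor, "STEM", stem)
        self.stems[stem][priv].add(subject)

    # group operations (ways 1, 2 and 5)
    def create_group(self, actor, stem, name) -> str:
        self._require(self._stem_priv(actor, stem, "CREATE"), actor, "CREATE", stem)
        full = f"{stem}:{name}"
        privs = {p: set() for p in GROUP_PRIVS}
        privs["ADMIN"].add(actor)              # assumption: creator gets ADMIN
        self.groups[full] = {"members": set(), "privs": privs}
        return full

    def grant_group_priv(self, actor, group, priv, subject) -> None:
        assert priv in GROUP_PRIVS
        self._require(self._group_priv(actor, group, "ADMIN"), actor, "ADMIN", group)
        self.groups[group]["privs"][priv].add(subject)

    def add_member(self, actor, group, subject) -> None:
        ok = self._group_priv(actor, group, "UPDATE") or (
            subject == actor and self._group_priv(actor, group, "OPTIN"))
        self._require(ok, actor, "UPDATE (or OPTIN for self)", group)
        self.groups[group]["members"].add(subject)

    def remove_member(self, actor, group, subject) -> None:
        ok = self._group_priv(actor, group, "UPDATE") or (
            subject == actor and self._group_priv(actor, group, "OPTOUT"))
        self._require(ok, actor, "UPDATE (or OPTOUT for self)", group)
        self.groups[group]["members"].discard(subject)

    def members(self, actor, group) -> Set[str]:
        self._require(self._group_priv(actor, group, "READ"), actor, "READ", group)
        return set(self.groups[group]["members"])


def denied(op: Callable[[], object]) -> bool:
    """True when the registry refuses the operation."""
    try:
        op()
    except PermissionError:
        return True
    return False


def walkthrough() -> Registry:
    """Constructed scenario that touches all five delegation patterns."""
    r = Registry(root_admin="central-it")
    r.create_stem("central-it", "", "it")
    r.grant_stem_priv("central-it", "it", "STEM", "lab-director")          # way 4
    r.create_stem("lab-director", "it", "labs")
    r.grant_stem_priv("lab-director", "it:labs", "CREATE", "lab-manager")  # way 3
    wl = r.create_group("lab-manager", "it:labs", "whitelist")             # way 2
    r.grant_group_priv("lab-manager", wl, "UPDATE", "onsite-staff")        # way 1
    r.add_member("onsite-staff", wl, "guest1")
    nl = r.create_group("lab-manager", "it:labs", "newsletter")
    r.grant_group_priv("lab-manager", nl, "OPTIN", EVERYONE)               # way 5
    r.grant_group_priv("lab-manager", nl, "OPTOUT", EVERYONE)
    r.add_member("astudent", nl, "astudent")
    return r
```

Holding CREATE on a namespace does not let the lab manager create sub-namespaces, and holding UPDATE on a group does not let on-site staff re-delegate it or (in this model) read it: each delegation is exactly as wide as the privilege granted, which is what makes the chain auditable.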
Slide 26: Signet Privilege Management
• Brings privilege information together in one place -- a “Privilege Registry”
• Provides user access through a common UI, programmatic access through a common API
• Defined independent of specific vendors, systems, releases or technologies
• Provides central reporting, auditing, review
• But distributed management, control
Slide 28: Signet Overview
• Analysts define privileges in Signet in “business terms” and specify associated permissions.
• Signet presents this view in a Web UI where users assign privileges and delegate authority across all areas in which they have authority.
• Signet internally maps assigned privileges into system-specific terms needed by applications.
• Privileges are exported, transformed, & provisioned into applications and infrastructure services.
• Signet provides automated lifecycle controls
Slide 29: Privileges Building Blocks
Business view
• Subsystems
• Categories
• Functions
• Scope, Limits
• Prerequisites & Conditions
System view
• Permissions
  • Subject
  • Action
  • Resource
• Analysts define privileges in Signet in "business terms" and specify associated permissions.
Slide 30: Signet Components
Subsystems
• Define domains of ownership and responsibility
• Reflect real world boundaries
• Can be large or small
[Diagram] Example subsystems arranged around Signet (Privilege Registry) and Grouper (Group Registry): Financial system, Student Administration, HR system, Network access management, Research administration, Clinical resources, Subscription services.
Slide 31: Business View
Subsystems contain…
• Categories – Provide useful arrangement of functions within a subsystem; for reporting, ease of use.
• Functions – The things a person can do; what they are getting privileges for.
• Scope – Organizational hierarchy governing distributed delegation.
• Limits – Qualifiers, constraints for a privilege.
Slide 32: Business View
[Diagram] Subsystems, categories (organizing actions) and functions:
• Clinical Trial – Protocol A: Patient Records, Materials Control, Manage Grant, Lab Access Admin
• Student Admin – Course Support: Add/Drop students, Schedule Classes; Financial Aid: Process Applicants, Award Scholarships, Manage Accounts
Limits attached to these functions: Which term, From Fund…, Read/Write, Hours, For school…, For fund…, Which campus, Qty/day, $ constraints
Slide 33: Signet User Interface
• Signet presents this view in a Web UI where users assign and delegate authority across all areas in which they have authority.
Slide 34: Systems View
• Permissions – Atomic units of control that map to specific access rules in systems. Includes limits that must be evaluated when interpreting permissions.
• Resources – The target of a specific privilege; things that have access rules to control their use.
• Signet internally maps assigned privileges into system-specific terms needed by applications.
Slide 35: Business View Permissions
[Diagram] Business view of the Student Admin subsystem (categories Course Support: Add/Drop students, Schedule Classes; Financial Aid: Process Applicants, Award Scholarships, Manage Accounts) mapped onto resources/permissions. Resources: Calendar, Course, Facilities, Financial, Student. Permissions: reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room.
Slide 36: Systems Integration
• Toolkit interface
  • Privileges document
    • XML representation of privileges for an individual or group.
    • Compatible with SAML and XACML representations of Subjects and Access Rules.
• Integration
  • Site-specific
  • Provisioning connectors
  • LDAP access
• Privileges are exported, transformed, and provisioned into integrated systems and infrastructure services.
Slide 37: Privileges Document
<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject id="[email protected]" xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectType>person</subj:SubjectType>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Permission subsystem="biomed" id="patient-record-access">
    <Limit id="protocol">
      <LimitValue>2005-formula-a</LimitValue>
      <LimitValue>2005-formula-b</LimitValue>
    </Limit>
  </Permission>
  <Permission subsystem="biomed" id="approve-requisitions">
    <Limit id="spending-limit">
      <LimitValue>none</LimitValue>
    </Limit>
  </Permission>
</Privileges>
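Added worked example (my code, not the Signet toolkit): a parser for the Privileges document above and the check a connector or PEP would run against it. The XML is the slide's own sample with a constructed placeholder subject id; the meaning given to limits here (a Limit whose only value is "none" is unconstrained, any other Limit is an allow-list that the caller must satisfy, and a Limit the caller does not supply fails closed) is an assumption of the example, not a statement of Signet's semantics.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

SIGNET_NS = "http://middleware.internet2.edu/signet"
SUBJECT_NS = "http://middleware.internet2.edu/subject"
NS = {"s": SIGNET_NS, "subj": SUBJECT_NS}

# The slide's document; the subject id is a constructed placeholder.
SAMPLE = """<Privileges xmlns="http://middleware.internet2.edu/signet">
  <subj:Subject id="jpoole@example.edu" xmlns:subj="http://middleware.internet2.edu/subject">
    <subj:SubjectType>person</subj:SubjectType>
    <subj:SubjectName>Poole, Jean M.</subj:SubjectName>
  </subj:Subject>
  <Permission subsystem="biomed" id="patient-record-access">
    <Limit id="protocol">
      <LimitValue>2005-formula-a</LimitValue>
      <LimitValue>2005-formula-b</LimitValue>
    </Limit>
  </Permission>
  <Permission subsystem="biomed" id="approve-requisitions">
    <Limit id="spending-limit">
      <LimitValue>none</LimitValue>
    </Limit>
  </Permission>
</Privileges>"""


def parse_privileges(xml_text: str) -> dict:
    """Return {'subject': {...}, 'permissions': {(subsystem, id): {limit: [values]}}}."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SIGNET_NS}}}Privileges":
        raise ValueError("not a Signet Privileges document")
    subj = root.find("subj:Subject", NS)
    if subj is None:
        raise ValueError("Privileges document has no Subject")
    subject = {
        "id": subj.get("id"),
        "type": subj.findtext("subj:SubjectType", namespaces=NS),
        "name": subj.findtext("subj:SubjectName", namespaces=NS),
    }
    perms: Dict[Tuple[str, str], Dict[str, list]] = {}
    for p in root.findall("s:Permission", NS):
        limits = {}
        for lim in p.findall("s:Limit", NS):
            limits[lim.get("id")] = [
                (v.text or "").strip() for v in lim.findall("s:LimitValue", NS)]
        perms[(p.get("subsystem"), p.get("id"))] = limits
    return {"subject": subject, "permissions": perms}


def permitted(doc: dict, subsystem: str, permission: str,
              limits: Optional[Dict[str, str]] = None) -> bool:
    """PEP-side check: the permission must be present and every limit in the
    document must be satisfied by the values the caller supplies."""
    limits = limits or {}
    doc_limits = doc["permissions"].get((subsystem, permission))
    if doc_limits is None:
        return False
    for lid, allowed in doc_limits.items():
        if allowed == ["none"]:
            continue                  # assumption: "none" means unconstrained
        if lid not in limits:
            return False              # limit exists but caller did not scope: deny
        if str(limits[lid]) not in allowed:
            return False
    return True


if __name__ == "__main__":
    doc = parse_privileges(SAMPLE)
    print(doc["subject"])
    print(permitted(doc, "biomed", "patient-record-access", {"protocol": "2005-formula-a"}))
    print(permitted(doc, "biomed", "patient-record-access", {"protocol": "2006-other"}))
```

Failing closed on an unscoped request matters: a patient-record query that does not name its protocol should be rejected rather than treated as if the protocol limit did not exist.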
Slide 38: Provisioning Permissions into Applications (connectors)
[Diagram] The privileges document (<Privileges><Subject><Permission>…</Privileges>) or the API feeds connectors that push the permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) on resources (Calendar, Course, Facilities, Financial, Student) into the applications: Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student.
Slide 39: Provisioning Permissions into Infrastructure (LDAP)
[Diagram] The same permissions (reserve_time, view_schedules, student_records, applicant_data, view_fund_data, update_fund_data, update_course_data, reserve_room) on resources (Calendar, Course, Facilities, Financial, Student) are provisioned into the Directory as eduPersonEntitlement values, from which the applications (Calendar, CourseWare, Financials, Reporting, Space Mgmt, Student) read them.
Slide 40: Privileges Lifecycle
Conditions
• Provides automatic revocation of privileges
• Date controls – from date, until date
• Based on person's status, affiliation, etc., e.g., as long as person is at Stanford
Prerequisites
• Pre-conditions that must be met to activate privileges, e.g., training
• Signet provides automated lifecycle controls
Slide 41: Other features
Assignments can be
• To an individual
• To a Group
• With/without ability to further delegate
  • Distributed delegation using organizational hierarchy
  • Records "chain of command"
Proxy assignment
• Temporary granting of one's privilege to another
Slide 42: Privilege Elements by Example
• By authority of the Dean – grantor
• principal investigators – grantee (group/role)
• who have completed training – prerequisite
• can approve purchases – function
• in the School of Medicine – scope
• for research projects – resource
• up to $100,000 – limit
• until January 1, 2006; as long as a faculty member at… – conditions (Privilege Lifecycle)
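Added worked example (my code, not Signet's): the privilege on this slide as a data structure, with the lifecycle checks from the Privileges Lifecycle slide (prerequisite, affiliation condition, from/until dates) applied before the scope and limit checks a PEP would run. The organizational units, the training record, the affiliation values and the shape of a purchase request are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Set, Tuple

# Constructed organizational hierarchy used for scope: unit -> parent unit
ORG_PARENT: Dict[str, Optional[str]] = {
    "stanford": None,
    "som": "stanford",              # School of Medicine
    "som:genetics": "som",
    "som:neurology": "som",
    "gsb": "stanford",              # a unit outside the granted scope
}


def within_scope(unit: Optional[str], scope: str) -> bool:
    """Walk up the hierarchy; the privilege covers the scope unit and everything below it."""
    while unit is not None:
        if unit == scope:
            return True
        unit = ORG_PARENT.get(unit)
    return False


@dataclass
class Privilege:
    grantor: str                    # "By authority of the Dean"
    grantee: str                    # group/role: principal investigators
    prerequisite: str               # "who have completed training"
    function: str                   # "can approve purchases"
    scope: str                      # "in the School of Medicine"
    resource: str                   # "for research projects"
    limit: float                    # "up to $100,000"
    until: Optional[date]           # "until January 1, 2006"
    required_affiliation: str       # "as long as a faculty member at..."
    effective_from: Optional[date] = None


@dataclass
class Subject:
    id: str
    groups: Set[str]
    affiliations: Set[str]
    completed_training: Set[str]


DEAN_GRANT = Privilege(
    grantor="dean-som", grantee="som:principal-investigators",
    prerequisite="purchasing-training", function="approve-purchases",
    scope="som", resource="research-project", limit=100_000,
    until=date(2006, 1, 1), required_affiliation="faculty")


def is_active(p: Privilege, subj: Subject, today: date) -> Optional[str]:
    """Lifecycle: None if the privilege is live for subj, else the reason it is not."""
    if p.grantee not in subj.groups:
        return "not a grantee"
    if p.prerequisite not in subj.completed_training:
        return "prerequisite unmet"
    if p.required_affiliation not in subj.affiliations:
        return "condition failed: affiliation"   # automatic revocation
    if p.effective_from and today < p.effective_from:
        return "not yet effective"
    if p.until and today >= p.until:
        return "expired"
    return None


def decide(p: Privilege, subj: Subject, today: date, function: str,
           unit: str, resource: str, amount: float) -> Tuple[bool, str]:
    """PEP decision: lifecycle first, then function, resource, scope and limit."""
    reason = is_active(p, subj, today)
    if reason:
        return (False, reason)
    if function != p.function:
        return (False, "function not granted")
    if resource != p.resource:
        return (False, "resource not granted")
    if not within_scope(unit, p.scope):
        return (False, "outside scope")
    if amount > p.limit:
        return (False, "over limit")
    return (True, "approved under authority of " + p.grantor)


if __name__ == "__main__":
    pi = Subject("jpoole", {"som:principal-investigators"}, {"faculty"}, {"purchasing-training"})
    print(decide(DEAN_GRANT, pi, date(2005, 10, 1), "approve-purchases",
                 "som:genetics", "research-project", 50_000))
```

Keeping the grantor on the record is what lets an audit answer "who allowed this" for every decision, and evaluating the conditions at decision time (rather than only at grant time) is what makes the revocation on loss of faculty status automatic.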
Slide 43: Subject API: Site IAM Integration Requirements
• Subject – a person, group, application, or other type of object whose identity is managed by your IAM system
• Abstract the underlying technology and data model from a relying application
• Enable alternate identifier namespaces to be selected to match application needs
  • Username vs. opaque registryID vs. …
• Scenarios
  • Map authenticated user to internal security principal
  • Reference/search objects within application
Slide 44: Subject API: Integration with Site's IAM
[Diagram only]
Slide 45: Subject API: More Info
• Subject and Source interface specs are at v0.1 – they may yet change
  • Searching
  • Some per-subjectType methods?
• JDBC source adapter is included now, JNDI source adapter will be provided in a subsequent release
• Grouper includes a GroupSourceAdapter that is a provider of 'group' subjectTypes from the Groups Registry
• Subject API will not support the Join function
Slide 46: Signet & Grouper Roadmaps
• Now available
  • Grouper v0.6. Basic group management, full GUI
  • Demo release of Signet v0.5 toolkit and UI
• Signet Roadmap
  • v0.6, early October 2005 – designated drivers, history
  • v1.0, late November 2005 – lifecycle conditions, XML
  • v1.x Toolkit / API release
• Grouper Roadmap
  • v0.9, mid-November 2005 – internal refactoring, some enhancement
  • v1.0, mid-January 2006 – compound groups
  • v1.1, mid-March 2006 – group & membership aging
Slide 47: Resources & Participation
• Grouper
  • team: University of Chicago & University of Bristol
  • http://middleware.internet2.edu/dir/groups/grouper/
• Signet
  • team: Stanford University
  • http://middleware.internet2.edu/signet/
• Internet2 Middleware Initiative
  • http://middleware.internet2.edu/
  • Documents, tarballs, cvs
  • Details for subscribing to mailing lists
  • Conference call agendas & dialing instructions