grouper-dev - Draft minutes: Grouper/Signet Combined WG Session at I2 FMM 13-Oct-08
- From: Emily Eisbruch
- To: Signet, Grouper Dev
- Subject: Draft minutes: Grouper/Signet Combined WG Session at I2 FMM 13-Oct-08
- Date: Fri, 24 Oct 2008 10:31:00 -0400
Grouper / Signet WG session at 2008 FMM in New Orleans, 13-Oct-08
- Agenda build – topics of interest to attendees
- Privilege Management survey
- MACE’s privilege management program
- Highlights of recent & upcoming releases
- Topics of interest from the group
Topics of interest from the group (time permitting) included:
- PerMIT (Michael Gettes): a project to open source MIT’s roles database; groups, read access control and FERPA
- Interaction of Grouper and Active Directory (Greg Roth from Cornell)
- Grouper and other initiatives, such as KIM
- Integration of Signet and Grouper
- Audit, especially in web services
Tom Barton and Mike Olive welcomed the group.
Privilege Management Survey
Rob Carter presented preliminary results from the Privilege Management survey.
Fifteen responses have been received so far from twelve institutions. Summary of results so far:
- 100% of responding sites employ central IdM
- 83% employ central group management
- 67% use some form of policy automation
- 50% of responding sites employ central privilege management
- 14% believe their current solution will last
- 43% are not currently satisfied with their solution
- Privilege assignment and application approaches are all well represented across responding sites
- Overall, sites express a need for some distributed privilege management tempered with policy
Next steps for Privilege Management survey:
- Solicit responses from people on the EDUCAUSE IdM list
- Component analysis
- Functional and technical implementation recommendations
MACE Privilege Management Program
Bob Morgan announced that, due to lack of adoption, the decision has been made to stop funding Signet at the end of 2008. MACE will continue some kind of privilege management program, to be determined. MACE is open to new approaches moving forward, including the possibility of adding a privilege management component on top of Grouper.
Chris Hyzer mentioned that there is some duplication of effort in trying to get things like web services consistent, so putting some of that work into Grouper instead of externalizing it could save some money.
Bob: it’s possible having two so separate products was a bad idea.
Michael Gettes: it was a good idea to separate the products, but maybe how we conducted the work along the way was the problem. Let’s figure out lessons learned.
Bob mentioned Open Role Exchange (http://www.openroleexchange.org/), an organization trying to foster collaboration, promote interoperability and establish standards in the area of IdM roles. Bob is not sure whether that is gaining any steam.
Lessons Learned / Possible Problems with Signet
Bob asked the group: “Why are you not running Signet? What have been the inhibitors?”
- Didn’t offer an incremental avenue.
- First step was pretty big. Needed lots of roles already.
- Terminology was not in line with existing practice.
- Signet was researchy, not linked to anything real.
- Should have been deployable and implementable in production environment.
- A few institutions were considering looking at Signet after deploying Grouper. People just aren’t there.
- Signet was ahead of its time. We all need to head there, but people are trying to get their ducks in a row.
- Campuses are not ready for Signet.
- Stuck on student life cycle questions.
- Trying to get IdM side in place and deal with how to provide access to services
- Just getting feet wet with Shib and enjoying InCommon.
- Transitioning to Signet would be a major project.
- Grouper succeeded because people were already doing Groups in LDAP, so Grouper offered a better way to manage groups. But there was not a common idea on how to do privileges.
Suggestions for moving forward:
- Start with an understandable, low-risk-of-failure approach.
- Provide a "cookbook" and examples.
- Explain how managing permissions is going to make life easier.
- Address how to sell it on the low end, rather than as a total, enterprise level solution.
- Start with a use case where access doesn’t matter much. (At Georgia Tech, people are comfortable with groups but not with privilege management. Authorization and provisioning are OK for IT to get into, but access is not OK for IT to get into.)
- Suggestion to start with a case of specifying which groups could cross a firewall. Lightweight places to start like that are part of the process of building confidence.
- Tie Signet to COmanage? This would tie it to something real, and lights might go on: a lightweight introduction to privilege management. The downside of this approach is that lots of problems outside of COmanage could benefit from privilege management, and this might not be clear enough if we focus on privilege management within COmanage.
- Kuali Student connection with Priv Mgmt is interesting.
Audit
Some organizations are finding a pressing need for audit capabilities in Grouper, particularly in web services. A history of management actions (adding and removing members from groups) is sufficient for a help desk to diagnose problems, so the help desk can tell people “you opted in then and opted out then.”
But for documentation of fraud, point in time audit capability is needed.
Is it enough to preserve essential info, rather than develop a service that supports point-in-time views?
Might integration with EDDY (End-to-End Diagnostic Toolkit, http://www.cmu.edu/eddy/) be a reasonable deployment avenue for campuses? Grouper could send events out to the EDDY infrastructure. EDDY has archival tools, visualizers, and message services in the diagnostic backplane.
EDDY was developed around a diagnostic framework; its real value is around audit capability and log files.
Chris noted that moving diagnostics and audit to EDDY would be more complicated than keeping it within Grouper.
Audit is on the roadmap for Grouper Release 1.5.
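As an added illustration (not from the minutes and not Grouper’s own audit code), the script below shows why preserving the full history of management actions is enough to answer both questions raised above: replaying a constructed add/remove log reproduces a group’s membership at any chosen instant (the point-in-time view needed to document fraud), and filtering the same log yields the help-desk “opted in then, opted out then” history. Group names, subjects and actors are made up.

```python
from dataclasses import dataclass
from datetime import datetime


# Constructed sample audit trail; field layout is an assumption, not Grouper's format.
@dataclass(frozen=True)
class MembershipEvent:
    at: datetime      # when the management action happened
    action: str       # "add" or "remove"
    group: str        # group the action applied to
    subject: str      # member being added or removed
    actor: str        # who performed the action (needed for accountability)


EVENTS = [
    MembershipEvent(datetime.fromisoformat("2008-09-01T09:00"), "add", "etc:payroll:approvers", "jdoe", "admin1"),
    MembershipEvent(datetime.fromisoformat("2008-09-03T14:30"), "add", "etc:payroll:approvers", "asmith", "admin1"),
    MembershipEvent(datetime.fromisoformat("2008-09-10T08:15"), "remove", "etc:payroll:approvers", "jdoe", "jdoe"),
    MembershipEvent(datetime.fromisoformat("2008-09-20T16:45"), "add", "etc:payroll:approvers", "jdoe", "admin2"),
]


def members_at(events, group, when_iso):
    """Replay adds/removes up to `when_iso` (ISO-8601) to rebuild the group's membership then.

    This only holds if the action history is complete and append-only: one lost or altered
    record corrupts every later reconstruction, so the log itself must be protected.
    """
    when = datetime.fromisoformat(when_iso)
    members = set()
    for ev in sorted(events, key=lambda e: e.at):
        if ev.at > when or ev.group != group:
            continue
        if ev.action == "add":
            members.add(ev.subject)
        elif ev.action == "remove":
            members.discard(ev.subject)
        else:
            raise ValueError(f"unknown action {ev.action!r}")
    return members


def history_for(events, group, subject):
    """Help-desk view: each time `subject` entered or left `group`, and who did it."""
    return [(ev.at.isoformat(), ev.action, ev.actor)
            for ev in sorted(events, key=lambda e: e.at)
            if ev.group == group and ev.subject == subject]
```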
PerMIT
PerMIT is MIT’s open source roles database. It has been in use for over 10 years. (Cornell also has a tool called Permit, but with different capitalization.) A project is underway at MIT to do a direct translation of the existing system into open source tools, such as Oracle and MySQL. There is not a whole lot of functionality to add to it for the first release. Michael Gettes wants MIT not to be the only one running this. One of the purposes of this effort is to be Kuali Student certified.
Interaction of Grouper and Active Directory (Greg from Cornell)
There was not time to discuss interaction of Grouper and Active Directory during the session. However, Tom Barton said that U of Chicago has some experience to share, and he will be happy to talk with interested individuals about this topic.
Next Grouper call: Wed 29-Oct-08 Noon EDT.
Next Signet call: Fri 24-Oct-08 11 am EDT.