Skip to Content.
Sympa Menu

grouper-dev - Re: [grouper-dev] grouper subject attribute security

Subject: Grouper Developers Forum

List archive

Re: [grouper-dev] grouper subject attribute security


Chronological Thread 
  • From: Renee Shuey <>
  • To:
  • Subject: Re: [grouper-dev] grouper subject attribute security
  • Date: Fri, 05 Aug 2011 10:31:38 -0400

Chris et All,

Obviously, I find this very interesting.  I am curious why no one responded to this message.  Is it because folks didn't really understand exactly what this might mean for their environment or simply because they know they are not at all interested.  Would be helpful to me to learn more about why folks didn't respond.

Anyone have thoughts they are willing to share?
Thanks,
Renee

On 7/26/11 3:16 PM, Chris Hyzer wrote:

At Penn we are developing similar to what Penn State is working on, user attribute security with SQL data views.  i.e. users (subjects ) have a lot of attributes in our IdM, and we want to preprocess them, and have them available for consumers.  E.g. the various names, emails, affiliations, some source-specific data (title/major), etc.  We have 130 columns in the data view.  These need to be secure at a column and row level (e.g. an application could get access to see employee data, but not student data, and only certain columns e.g. not ssn).  Therefore this is not really conducive to our LDAP deployment.  Right now we are planning on a SQL implementation using Oracle VPD/FGAC.  The permissions will be modeled as Grouper permissions and provisioned into security tables for VPD/FGAC to use.

 

We have a handful of Grouper sources.xml subject attributes available (name, email, netId, etc).  However, I think it would be nice if these extra attributes could be available in the Grouper getSubject (only) web service.  This is optional, and would be dynamic, and protected by Grouper permissions.  This is a very minor tweak, it would be is a Java interface where you could write code to match up the request, and the authenticated subject, and get the data for the response based on security.  Grouper would not store or manage these attributes, just like it is now.  I know Grouper is not an IdM, but I think optional plugins where gaps in institutions’ IdM exist could be useful.  The next step (don’t need this now, but we can discuss later) could be to extend this to the sources.xml subject attributes so that those can be managed a little more closely across the other Grouper operations (getMembers)…

 

What do you think?  J

 

Thanks,

Chris

 





Archive powered by MHonArc 2.6.16.

Top of Page