grouper-users - Automating group memberships (and signet privileges)
Subject: Grouper Users - Open Discussion List
List archive
- From: Bert Bee-Lindgren <>
- To: ,
- Subject: Automating group memberships (and signet privileges)
- Date: Mon, 3 Mar 2008 13:14:45 -0500
[I'm sorry for the barrage of questions. They've been building up, and I've finally taken the time to get them on paper. On the bright side, I think this is the last question for today :)]
I am continually missing something, and the recent grouper dynamic- group thread just made it worse. I'm hoping somebody here can set me straight.
My questions are:
-Is it true that signet relies 100% on groups/grouper to automatically grant people privileges?
-Can signet work from native-ldap groups, or does it only integrate with grouper groups?
-Does grouper have the ability to automatically authorize people (or accounts) for membership?
Here's what I think the answers are. Please correct me:
-Yes, signet relies on groups/grouper to automatically grant people privileges, except for prerequisites that automatically enable manual grants
-Grouper has no ability itself to query LDAP to automatically add/ remove memberships from people
-An external tool is necessary to query LDAP (batched or triggered) and use the grouper APIs to manipulate associated group memberships
-Grouper does not have a temporary-assignment ability of a subject to a group
We've spent some time on our core person register: making it more open (ldap vs custom-rdbms, ldap-change event queue, standard schemas, etc) and more complete (finer-grained & multiple affiliations, course- enrollments, multiple jobs, departmental data, etc). Theoretically, we couldn't be more ready to migrate to grouper, but we're not sure how to proceed..
Here is a sketch of our minimal expectations of automatic group maintenance:
(This list of automatic maintenance intentionally ignores all manners of manual maintenance)
-Define multiple enabling rules for a group, and have peoples' memberships change as their data change
-Use of LDAP to evaluate rules
-Rules' conditions made up of LDAP group-membership or LDAP filters
Any options exist to help get this done?
Making an assumption, let's say we adapt our internal data-to- privilege system to be data-to-grouper-groups system:
-Why is it better to put the results into grouper instead of LDAP groups or LDAP attributes and use a virtual directory to make groups?
Do either of the following components exist in any OSS form? Would either be useful to the community?:
- Fedora Directory Server change-notification system...
LDAP changes (DN, attributes, new values) posted to "event-queue- like" rdbms.
We found the retro-changelog and/or persistent LDAP queries to be too unreliable and ephemeral
Should work with any netscape-derived directory server -- Sun, RedHat, etc
- An LDAP-based filter- and group-matching system that could update grouper memberships, extracted and generalized from our custom policy/ authz system
Ties to that "event queue" above for change notifications & intra-day reevaluations
Thanks yet again,
Bert
- Automating group memberships (and signet privileges), Bert Bee-Lindgren, 03/03/2008
- Re: [signet-users] Automating group memberships (and signet privileges), Dave Donnelly, 03/03/2008
- Re: [signet-users] Automating group memberships (and signet privileges), Bert Bee-Lindgren, 03/03/2008
- Re: [signet-users] Automating group memberships (and signet privileges), Dave Donnelly, 03/03/2008
- Re: [grouper-users] Re: [signet-users] Automating group memberships (and signet privileges), Bert Bee-Lindgren, 03/04/2008
- Re: [signet-users] Automating group memberships (and signet privileges), Dave Donnelly, 03/03/2008
- Re: [signet-users] Automating group memberships (and signet privileges), Bert Bee-Lindgren, 03/03/2008
- Re: [grouper-users] Automating group memberships (and signet privileges), GW Brown, Information Systems and Computing, 03/04/2008
- Re: [signet-users] Automating group memberships (and signet privileges), Dave Donnelly, 03/03/2008
Archive powered by MHonArc 2.6.16.