grouper-users - RE: [grouper-users] Role and Permission attributes
- From: Chris Hyzer <>
- To: "Klug, Lawrence" <>, Tom Barton <>, "" <>
- Subject: RE: [grouper-users] Role and Permission attributes
- Date: Wed, 11 Jul 2012 18:35:29 +0000
- Accept-language: en-US
When you say “one off task”, I think as resources are created in Plone that need to be secured, you need to create the resource in Grouper. Full exports to systems are not uncommon. The Atlassian connector does that with real-time updates via XMPP: https://spaces.internet2.edu/display/Grouper/Grouper+Atlassian+connector

We also do this in row-level database security at Penn: http://www.incommon.org/docs/iamonline/20110914_IAM_Online.pdf

I'm sure there are other examples as well…

Chris

From: Klug, Lawrence [mailto:]
Chris,

Let me see if I can visualize the data flow for this use case.

Data flows into Grouper

1. Admin UI – Plone Contexts/roles/permissions are modeled in Grouper as Resources/Roles/Actions (one-off task)
2. Admin UI – administrator grants access to Plone resources for Persons or Groups
3. Web Service calls from Plone – administrator manages access from within Plone - synchronize data in Grouper

Data flows from Grouper to LDAP

- Provision Groups/Roles/Perms to the LDAP Enterprise directory via PSP (real time provisioning?)
- Custom objectClass holds Plone-specific attributes applied to Persons and Groups

Data flows from LDAP to Plone

1. Shibboleth login – custom attributes are released to Plone and authorization happens.
2. May require Grouper WS call to Grouper to check that data is in sync

The other scenario you mentioned would provision all data to Plone directly from Grouper? How would that work? Are there any other examples aside from the Unix Permissions demo?

Thanks,
Lawrence

From:
On Behalf Of Chris Hyzer

I just quickly read this: http://plone.org/documentation/kb/understanding-permissions/permissions-and-roles/

It seems like the “context” in Plone will be resources in Grouper permissions. When someone creates objects in Plone, can there be a trigger to create the resource in Grouper in the right place and assign the permission implications (parents imply children)? Note, this is now possible to do in Grouper WS 2.1.

The “permissions” in Plone (View, Modify) could be “actions” in Grouper on the permission definition for the resources above. These seem like they would be configured one time and not change much.

The roles and groups in Plone are roles and groups in Grouper.

Finally, you need to decide when you will retrieve the user’s permissions. I would suggest either on login or provision all the permissions to Plone so Plone doesn’t think they are externalized. Similar to this: https://spaces.internet2.edu/display/Grouper/Managing+unix+commands+with+Grouper+permissions+example

If you do it on login, it could be from Grouper WS, LDAP (concatenate the action and resource into an attribute), or SAML assertion (might still need to concatenate the action/resource). My gut feel is that to avoid performance problems and maximize uptime to just provision everything to Plone and keep it in sync real time (XMPP? Stomp? Other messaging?).

Let us know what you decide to do or if you have more questions.

Chris

From:
On Behalf Of Klug, Lawrence

Hi Tom,

Yes, we are trying to determine how UCLA Service Providers could best leverage Grouper. Will eduMember attributes be sufficiently fine-grained for our applications? If not, how do we approach implementing Grouper Roles and Permissions?

Our pilot project will most likely be the Content Management System. We are using a Zope-based product called “Plone.” What are the steps for moving Plone Roles and Permissions management into Grouper? LDAP delivery via Shibboleth is an elegant solution, but Roles and Permissions may require another strategy. Thinking this through now could prevent future pain.

Thanks,
Lawrence

From:
[] On Behalf Of Tom Barton

Lawrence,

Hi Chris,

We are defining our long-term access management strategy with Grouper. We have tested “eduMember” for transmitting membership info through Shibboleth. Roles and Permissions are internal Grouper attributes that would not live in the Enterprise Directory(?) Trying to focus on exactly how Roles and Permissions attributes can be consumed by a University Web application now and in the future.

Thanks,
Lawrence

From: Chris Hyzer []
We have two examples where we sync all the permissions to the application since it does DB joins on the assignments, or we don't want Grouper as a performance bottleneck or a runtime dependency. The change log consumer and Grouper client handle real-time updates (tells it to do a full resync).

From:
[] on behalf of Klug, Lawrence []

We created a simple demo app to consume the isMemberOf attribute via Shibboleth and make a few simple Web Service calls. It works fine. What if we want to use Role and Permission attributes? How would they be transmitted to the Client application? Could they be released as Shibboleth attributes or direct Web Service call? What are other universities doing?

Thanks,
Lawrence
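A worked illustration of the login-time option discussed in the thread (the action and resource concatenated into one released attribute, with Grouper-style hierarchical resources where a grant on a parent implies its children). This is example code added here; it is not from the thread, from Grouper, or from Plone. The `action|resource` encoding, the colon-separated resource names, the attribute values and every function name are assumptions made for the example.

```python
"""Resolve concatenated "action|resource" attribute values into permission checks.

Constructed example (not Grouper or Plone code). It models the mapping
described on the list: Plone contexts as Grouper resources (hierarchical,
parents imply children), Plone permissions as Grouper actions, and the
"concatenate the action and resource into an attribute" delivery option
for authorization at login time. Encoding and names are assumptions.
"""
from dataclasses import dataclass, field

# Assumed attribute encoding: "<action>|<resource>", with resources named as
# colon-separated paths in the style of Grouper stems, e.g. "plone:site:news".
SEPARATOR = "|"
RESOURCE_DELIM = ":"


@dataclass
class PermissionSet:
    # action -> set of resource paths the subject holds that action on
    grants: dict = field(default_factory=dict)

    @classmethod
    def from_attribute_values(cls, values):
        """Parse concatenated attribute values; malformed entries grant nothing."""
        ps = cls()
        for raw in values:
            value = raw.strip()
            if SEPARATOR not in value:
                continue  # no separator: skip rather than guess at a grant
            action, resource = value.split(SEPARATOR, 1)
            action, resource = action.strip().lower(), resource.strip()
            if not action or not resource:
                continue  # empty action or resource: skip
            ps.grants.setdefault(action, set()).add(resource)
        return ps

    def allows(self, action, resource):
        """True if the subject holds `action` on `resource` or on any ancestor.

        Parents imply children: a grant on "plone:site" covers
        "plone:site:news" and everything below it. Ancestors are compared as
        whole path components, so "plone:site" does not cover "plone:site2".
        """
        held = self.grants.get(action.lower(), set())
        parts = resource.split(RESOURCE_DELIM)
        for depth in range(len(parts), 0, -1):
            if RESOURCE_DELIM.join(parts[:depth]) in held:
                return True
        return False

    def effective_actions(self, resource):
        """All actions the subject may perform on `resource`, sorted."""
        return sorted(a for a in self.grants if self.allows(a, resource))


# Constructed sample attribute values, as an SP might receive them at login.
SAMPLE_VALUES = [
    "view|plone:site",
    "modify|plone:site:news",
    "View|plone:site:hr:handbook",  # action case differs; normalized
    "garbage-without-separator",    # malformed; ignored
    "|plone:site:nothing",          # empty action; ignored
]


def demo():
    """Run the sample through the resolver and return the decisions."""
    ps = PermissionSet.from_attribute_values(SAMPLE_VALUES)
    return {
        "view_article": ps.allows("view", "plone:site:news:article1"),
        "modify_article": ps.allows("modify", "plone:site:news:article1"),
        "modify_hr": ps.allows("modify", "plone:site:hr"),
        "prefix_trap": ps.allows("view", "plone:site2"),
        "actions_news": ps.effective_actions("plone:site:news"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The two checks worth keeping whichever delivery path is chosen are the whole-component ancestor match (a string-prefix comparison would let a grant on `plone:site` leak onto `plone:site2`) and the rule that a malformed value is dropped rather than interpreted; the same resolver can sit behind a full provisioned copy of the assignments if the application is kept in sync instead of querying at login.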
- [grouper-users] Role and Permission attributes, Klug, Lawrence, 07/05/2012
- Re: [grouper-users] Role and Permission attributes, Tom Barton, 07/07/2012
- RE: [grouper-users] Role and Permission attributes, Klug, Lawrence, 07/10/2012
- RE: [grouper-users] Role and Permission attributes, Chris Hyzer, 07/10/2012
- RE: [grouper-users] Role and Permission attributes, Klug, Lawrence, 07/11/2012
- RE: [grouper-users] Role and Permission attributes, Chris Hyzer, 07/11/2012
- RE: [grouper-users] Role and Permission attributes, Klug, Lawrence, 07/11/2012
- RE: [grouper-users] Role and Permission attributes, Chris Hyzer, 07/10/2012
- RE: [grouper-users] Role and Permission attributes, Klug, Lawrence, 07/10/2012
- Re: [grouper-users] Role and Permission attributes, Tom Barton, 07/07/2012