Grouper Users - Open Discussion List

[Tom Poage <>]

Thank you Chris and Tom B.

Your ideas and comments have given me plenty to think about, and what I might 
focus on initially.

Still absorbing (videos, docs, ...),
Tom.

> On Dec 28, 2016, at 9:21 AM, Tom Barton 
> <>
>  wrote:
> 
> Hi Tom P,
> 
> Our design at UChicago for managing privileged access to systems uses a 
> combination of several things, and I wondered if it might help you to think 
> about the role grouper should play in that.
> 
> Grouper groups that contain system or application admins are managed by 
> each team's supervisor/lead. These groups are used to limit user access 
> either to a bastion host or "jump server" with local config that limits to 
> which servers it can connect, or to an admin vpn on which a policy 
> similarly limits the set of servers that users in each group can connect 
> to. Either way, as the server populations change some firewall-ish changes 
> are made on these privileged access devices, and as the sys/app admin 
> population changes the grouper groups are updated. This approach also has 
> some other benefits such as enforcing 2FA and closer monitoring and other 
> security measures for privileged access to systems.
> 
> Tom B
> 
> On 12/28/2016 10:50 AM, Hyzer, Chris wrote:
>> You could model this in grouper permissions.
>> 
>> The people would be groups.
>> The servers would be resources (and can be hierarchical).
>> Do something with actions?  Maybe the group name is the action?  Or maybe 
>> just use "assign"?
>> 
>> To get them into LDAP maybe have a loader job that reads the permissions 
>> and sets up groups for you (then the pspng will take it from there).  This 
>> could run hourly or however often.
>> 
>> This would be pretty straightforward to setup if you need help let me know.
>> 
>> Thanks
>> Chris
>> 
>> -----Original Message-----
>> From: 
>> 
>>  
>> [mailto:]
>>  On Behalf Of Tom Poage
>> Sent: Tuesday, December 27, 2016 4:45 PM
>> To: 
>> 
>> Subject: Re: [grouper-users] Modeling NIS netgroup?
>> 
>> Hi, Michael.
>> 
>> That'd be close.
>> 
>> Something tells me to add one level of indirection, though that may be 
>> because I don't completely understand Grouper capabilities yet.
>> 
>> E.g. let's say I want to restrict ssh access to SIS servers to the set of 
>> sysadmins. Somewhere in there I might want to model a group containing the 
>> pool of servers which come and go over time, and another group of 
>> individuals belonging to the sysadmin group, likewise who come and go.
>> 
>> Maybe the simple thing to do is forget the servers and simply push 
>> (CFEngine, Puppet, ...) the "plussed" NIS group to /etc/password on 
>> subject servers with e.g.
>> 
>> +@sysadmin::0:0:::
>> 
>> making 'sysadmin' membership dynamic (say, Grouper-fed LDAP), and leave it 
>> at that. Not pretty, but perhaps functional.
>> 
>> Thanks.
>> Tom.
>> 
>>> On Dec 27, 2016, at 1:02 PM, Michael R. Gettes 
>>> <>
>>>  wrote:
>>> 
>>> Hi Tom,
>>> 
>>> Would the name of the group having the hostname and the group itself 
>>> being the population do the trick?
>>> 
>>> App:Unix:Netgroup:x.y.edu or something else to your liking?  The 
>>> resulting group could, of course, be the by product of other reference 
>>> groups and include/exclude compositing to support allow/deny scenarios.
>>> 
>>> /mrg
>>> 
>>>> On Dec 27, 2016, at 11:22, Tom Poage 
>>>> <>
>>>>  wrote:
>>>> 
>>>> Morning,
>>>> 
>>>> Grouper newbie.
>>>> 
>>>> Anyone gone to the effort of modeling NIS netgroups in Grouper? I.e.
>>>> 
>>>> name (user,machine,domain) (user,machine,domain) ...
>>>> 
>>>> I think we could do without the domain, so it'd basically be the 
>>>> intersection of groups of machines and groups of users.
>>>> 
>>>> If so, what did the model look like, and did you build an adapter to 
>>>> create the NIS map directly, or e.g. push to LDAP?
>>>> 
>>>> Of course, there are several other ways to accomplish authZ for shell 
>>>> access, such as SSSD w/ PAM, ....
>>>> 
>>>> Thanks.
>>>> Tom.
> 
>