Grouper Deployment Guide Community Call 

 Wed Oct 23, 2019

Audio recording of this call: https://drive.google.com/open?id=19cpT7xqFrADFYwNp3ACwJWwocIhds7eP



Attending

  • Bill Thompson, Lafayette College
  • Chris Hyzer, University of Pennsylvania
  • Jason Peak, Oregon State University
  • Jason Rappaport, Princeton
  • Matt Wolfley, Unicon
  • Danny, U of U
  • Shilen Patel, Duke
  • Andrew Morgan
  • Chad Redmon, UNC
  • Bryan
  • Chris Hubing, Internet2
  • Erin Murtha, Internet2
  • Emily Eisbruch, Internet2

Discussion

Link to Grouper Deployment Guide (GDG) on the wiki

Thanks to everyone who has provided feedback and suggestions.


Background:

GDG Feedback Themes

What goes in the GDG?

    1. In the Divio documentation taxonomy (https://www.divio.com/blog/documentation/), the GDG fits the "explanation" type:
      1. Understanding-oriented: it explains, and provides background and context
      2. Guidance for writing explanation: provide context; discuss alternatives and opinions; don't instruct, and don't provide technical reference
      3. From the Divio description of explanation: "Explanations can equally well be described as discussions. They are a chance for the documentation to relax and step back from the software, taking a wider view, illuminating it from a higher level or even from different perspectives. You might imagine a discussion document being read at leisure, rather than over the code."
      4. The Divio page also covers how to write good explanation

Suggested New Content for the GDG

  1. Attestation patterns - Nick Roy suggested
    1. (CH) Attestation on folders that inherits to groups
    2. (CH) Attestation on reports for a more focused view of authorizations
    3. Comments:
    4. If you don't want the GDG to be a HOW TO, then talking about specific features is not the best approach
    5. Should talk about how to do something generally in the access governance universe, not the exact tooling
    6. Such as reviewing policy from time to time, using attestation within Grouper
    7. Would not be step by step; that would be in the general Grouper documentation
    8. Chris: We should use the word Attestation, not the word Review
    9. Matt: the attestation feature targets membership of a group. Group math. Attestation on access control policies: group math
    10. Attestation on Visualization: Chris made a JIRA for that, GRP-2372
    11. End Reference Group and the actual policy
    12. Group math decisions made by different people than membership decisions
    13. Some people need to see who comes and goes in a group, but not involved in business process or policy in Grouper
    14. There are various use cases of where you might need attestation, for example groups for services where you don’t have a good source of institutional record to drive membership.
    15. Chris: we are collecting future tasks for the GDG.  This may not be in scope for this version, given the number of hours allotted for this version of the GDG.
    16. Summary - this  attestation patterns documentation work is for future, after TechEx 

  2. Guidance on courses, students, departments, etc organization/names - Keith Hazelton suggested
    1. There is a general framework on reference groups in current GDG
    2. Lack of details on exactly how to manage organizations, departments, 
    3. Could be part  of GDG in future, or maybe separate from GDG
    4. We should do a survey to find out how organizations are doing this.
    5. So we can document Here is an example of how you might manage departments and visibility into them,  etc., this would help new deployers
    6. How to’s for different sources of data
    7. If you have a huge list of groups, the loader can be configured in a certain way to help. You can do powerful things with the loader, but it's good to see how others are doing it. The GDG could state that there are good examples in the community contributions. Patterns of using Loader jobs for advanced purposes, including privilege management.
    8. Patterns for InCommon Trusted Access Platform
    9. How to handle class rosters
    10. Common patterns for identity life cycle reference groups, 
    11. Would be helpful to do a survey to find out common patterns and guidance
    12. Knowing you can do something is part of the goal of the GDG
    13. Check with KeithH to see if he has some of this data from a previous survey

  3. ABAC, RBAC, and Grouper - Chris Hyzer
    1. Perhaps we should add a section that is more explicit about how the 800-162 ABAC model is mapped to the GDG approach, and how that compares to RBAC?
    2. Make it more explicit, and explain how things relate to RBAC
    3. GDG takes spirit of the RBAC and ABAC standards
    4. Suggest that GDG is like RBAC or ABAC, and maybe summarize what is useful from it and how Grouper relates to it
    5. Grouper uses attributes (as explained in RBAC and ABAC), but Grouper does the access policy and Grouper has ad hoc attributes
    6. Use of permissions in Grouper is not exactly like in RBAC and ABAC
    7. Grouper uses hybrid model
    8. Matt: best to talk about natural language constructs versus talking about role or attribute
    9. Deployment model changes whether access control policy or whether its an  attribute
    10. Last mile to the application varies
    11. Something can be attribute to one application and a role to another
    12. Using the RBAC model doesn’t totally fit
    13. Good to mention that Grouper can support the models
    14. Focus on natural language
    15. Bill: good ideas from RBAC are around the unanticipated user; attributes on users change and can update automatically; Grouper does accomplish this
    16. SUMMARY: GDG should tone down the emphasis on "you must read RBAC"
    17. In the GDG intro, define ABAC and RBAC and say Grouper is related, then talk about natural language
  4. Grouper Security Model - Bill Thompson
    1. Priv management is quite complex
      1. 8 priv on groups
      2. 8 on groups
      3. 6 on folders?
      4. Lots of combinations
    2. Grouper team made some decisions around how defaults should work
    3. Grouper Team should be more aware to explain how the default privileges work, perhaps in a separate table
    1. Guide to get someone up and running would be helpful
    2. Tutorial doc for initial deployers or adopters
    3. There is currently lots of Grouper documentation but not enough simple doc for beginning deployers, showing step 1, then step 2
    4. The info is there, but it is not organized from the mindset of how to get up and running
    1. Related to priv management within Grouper
    2. Call out admin and security groups in GDG
    3. But not much guidance on how to manage
    4. Some work on how to understand what the privileges are  and what is required.
    5. There may be a gap in the reference docs , We may want to add  more in the admin guides
    6. The draft has info that belongs in various buckets,  how to doc, reference doc, conceptual best practice
    7. Table lists all the priv and admin actions, this is good ref doc for the Grouper project
    8. Some Grouper features works only on Groups not on privileges
    9. Oregon State: this Grouper Security Model draft has good value and would be helpful, though hard to keep up to date
    10. BillT: A survey of the Grouper deployments could help
    11. Chris: Looking at modules in the future, the Grouper team should try to err on the side of simplicity
    12. Matt: Good to have advanced features behind an “advanced” button
    13. Chris: we do have a lot in the UI behind the “More” menu
    14. For Grouper 2.6 we may want to simplify the menus in the Grouper UI
    15. Improve Info architecture around menus and tabs
    16. Grouper team should work more on documenting the privileges, folding in Bill’s Security Model draft.
    17. Matt: people learn this material organically
    18. Look from a code level backwards? Share the unit tests?
    19. Bubble up to a user doc set
    20. Jason Rappaport: took training at Madison, but still working to get up a Proof of Concept.
    21. Chris: GDG should help with how to get Grouper up and running and how to get an app up and running with Grouper
    22. Chris: about to announce configuration in database, which will lead to more Wizards in the UI
    23. Configuration might be an “I want to…” button
    24. “I want to connect to AD”
    25. Matt: in future, perhaps cross-link the Grouper UI back to the wiki
    26. Link the actual doing to the HOW TO docs
    27. Could have a search box in Grouper UI to search the Grouper wiki
    28. Shilen: the wiki doc assumes an admin is using it, would need to be dumbed down if there is a link to it from the Grouper UI
    29. Could create a more curated wiki area, for in-page help text
    30. Or have better in-page help
    31. Summary: in the future, provide better documentation on how Grouper privileges work. Can use as a starting point the Grouper Security Model GDG V2: https://docs.google.com/document/d/1Zgb708hFJjk49kw6SGCfP1ZrcHYEka5i5GRni0z7iyA/edit#
      1. Could be another guide, or an appendix


  5. Expanded examples of ACMs (Access Control Models)
    1. Lay out the overall model from theoretical standpoint
    2. Have more concrete examples?
    3. Some of this is in the Grouper training lesson plans
    4. Should we expand further on the ACM sections in the GDG?
    5. Chris: the concrete examples would vary so much depending on the architecture.
    6. Perhaps just plug the training in the GDG?
    7. Have another discussion on this to decide what are the optimal examples
    8. There is a template for allow/deny use case
    9. Descriptions called out at Madison training were useful
    10. Oregon has a plan for a big clean up to become consistent with the GDG
    11. A description of the models will be helpful 
    12. Chris: we should reach out to survey community to find out most common access control models
    13. Community Contributions could help a lot here and help new adopters, to see actual implementations of what's in the GDG
    14. The models are meant to call out standard patterns of access governance within the community. Common names for the patterns make it easier to talk about them and help new implementers. Models are targeted at IAM analysts.
    15. Comment: the names for Access Control patterns have been helpful
    16. Summary: more discussion needed, possibly a survey


Everything discussed above is for the future, after TechEx.

 

Updated Content for GDG

  1. Updated front matter, welcome message, etc - Emily Eisbruch
    1. Good ideas, will do
  2. Index of new Features - Carey Black
    1. Good idea, but does not belong in GDG
    2. Get the roadmap more digestible and link to that
    3. Or add a new Grouper features page
  3. Provisioning and Integration Carey Black
    1. If the GDG is going to begin to talk about specific "integrations" then all of these would be targets too.  (https://spaces.at.internet2.edu/display/Grouper/Provisioning+and+Integration ) Note: Midpoint and Banner are not yet on that list.
    2. Yes, need to update the GDG for new developments in the Provisioning and Integration landscape; could be too big a lift for before TechEx in Dec.
    3. Add some links
  4. More complete composite examples - Shilen Patel
    1. There is more flexibility around composites than the GDG presents
    2. Such as adding composites to another composite
    3. Composite NG rule
    4. Depends on the use case
    5. Should this be appendix to get into the weeds more?
    6. Chris: Show more options on the composite page of the UI? Use wizards.
    7. Summary: For the GDG Add some overview and link to reference doc on composites
  5. Add Grouper Client to Grouper Daemon and Loader Jobs section - Carey Black
    1. Grouper Client is a deep backend thing
    2. Helps with more advanced access management
    3. Maybe no space for Grouper Client in GDG
    4. But if people knew it existed they would experiment with Grouper in different ways
    5. State a few use cases for how to give someone the Grouper Client and how they would use it
    6. Related to the authentication for the Grouper deployment
    7. BillT: not sure how central an idea Grouper Client is for most deployers
    8. Matt: it helps get away from writing code…
    9. It's about other ways to get data into Grouper, aside from Loader jobs; it's more self-service and distributed
    10. Chad: also web services should be emphasized in the same context
    11. Chris: Grouper Client is 99% a web services client
    12. Matt: Users at OSU are excited to see this capability
    13. Chris: Give an example of setting this up with a cron job
    14. Summary: Good to bring Grouper Client to the foreground
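A concrete version of the "composite of a composite" point raised under item 4 (More complete composite examples), as an added example for GSH (Grouper Shell, Groovy in Grouper 2.4+). It is not code from the GDG, the call or the Grouper project; the folder and group names (ref:faculty, ref:org:compsci, ref:suspended, app:lab:...) and the allow/deny shape are assumptions constructed for the example, while GroupSave, addCompositeMember, CompositeType and hasComposite are Grouper's own Java API as exposed in GSH.

```groovy
import edu.internet2.middleware.grouper.GrouperSession
import edu.internet2.middleware.grouper.Group
import edu.internet2.middleware.grouper.GroupSave
import edu.internet2.middleware.grouper.misc.CompositeType

// Added example, run inside GSH. Group names are constructed for illustration;
// the three reference groups would normally be fed by loader jobs, not left empty.
GrouperSession gs = GrouperSession.startRootSession()

Group ensureGroup(GrouperSession session, String name) {
  // Creates the group (and any missing parent folders) or returns it if it already exists
  return new GroupSave(session).assignName(name)
      .assignCreateParentStemsIfNotExist(true).save()
}

Group faculty   = ensureGroup(gs, "ref:faculty")
Group compsci   = ensureGroup(gs, "ref:org:compsci")
Group suspended = ensureGroup(gs, "ref:suspended")

// First composite, the allow side of an allow/deny policy:
//   app:lab:allow_policy = ref:faculty INTERSECTION ref:org:compsci
Group allow = ensureGroup(gs, "app:lab:allow_policy")
allow.addCompositeMember(CompositeType.INTERSECTION, faculty, compsci)

// Second composite built on the first. A composite group can itself be a factor
// of another composite, so the effective policy subtracts the deny group from it:
//   app:lab:lab_access = app:lab:allow_policy COMPLEMENT ref:suspended
Group access = ensureGroup(gs, "app:lab:lab_access")
access.addCompositeMember(CompositeType.COMPLEMENT, allow, suspended)

// A composite group is defined entirely by its factors: it holds no direct members,
// and an addMember on it would fail. Check before treating it like an ordinary group.
assert allow.hasComposite() && access.hasComposite()

GrouperSession.stopQuietly(gs)
```

Membership of app:lab:lab_access is then recomputed automatically whenever any of the three reference groups changes, which is the reason to express the exception ("suspended") as a second composite rather than by editing the allow policy by hand.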




STOPPED HERE at the Oct 23, 2019 call
Next steps from the Oct 23, 2019 call:


  • Send these notes to the Grouper users list? DONE
  • Goal is to get feedback, figure out future work past TechEx
  • Bill: suggestion to eventually send a summary of plans, easily consumable
  • Next call?
    • Next call will be needed to finish the agenda
    • Bill not available on Wed Nov 6
    • Emily will set up a Doodle poll for a 90 min call; update: set for Wed Nov 20 at 11:30am


START HERE at the Wed. Nov. 20, 2019 GDG community call 

  1. Guidance on when to use the test: folder - Chris Hyzer
  2. ACM model references - missing PIP, no ABAC discussion - Michael Gettes
  3. On-demand querying of membership via WS a provisioning category? - Chad Redman
  4. Operational Considerations needs love - Shilen Patel


Format

  1. In general, as we all probably know, things that were OK in the PDF format need to be lightened up a bit for the wiki, by using more boxes, more headings, shorter sentences, more bullets… - Emily Eisbruch
  2. Previous/Next links on the left or the right - Chris Hyzer

Discussion

  1. AWS Roles and ACM3 - Chris Hubing
    1. I put a user in Grouper groups so they can get into a couple different AWS accounts, the IDP takes those memberships and sends attributes to the AWS SP (those attributes are called “AWSRoles”)
    2. https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html
  2. Bundle vs ref and privilege management - Carey Black
    1. I can also see an approach that would just collapse this into the general ":ref" folder too. I think the only real advantage to having it separated is a separate space for Grouper ACLs to let others (outside of the Grouper service team) publish/maintain the "computed parts" based on the :ref, which I expect would be mostly or completely maintained by the Grouper service team.
  3. Reference groups vs security groups (grouper privilege policy) - Julio Polo
    1. definition of reference group is too broad.  Almost anything that needs to be used in a policy group becomes a reference group.  Any group anywhere in Grouper that is used by a policy group is essentially a reference group. If you don't have a ref group for your departments application's exceptions (e.g. include the administrators), then do you use the existing org:compsci:etc:compsci_admin or do you create a new org:compsci:app:ref:admins that encloses the prior.  This example also illustrates the need to simplify the relationship between the ref, app and org folders.
  4. Consolidate app: and org: folders - Julio Polo
    1. I think we should consolidate app and org. It gets confusing when you have to decide whether to create a group under app or under org. The confusion gets worse when you have to think about whether a reference group is under ref or as a subfolder under either app or org. We reserve the top-level ref for institutional reference groups curated by the IAM team. We only have an org folder. All enterprise apps just go under the organization that owns it. Any policy group can make use of any org group as a reference group as long as it has been granted access to do so. We don't force creating ref subfolders for org groups just because they're being referenced by a policy group.
  5. GDG content and versioning
    1. https://spaces.at.internet2.edu/display/TI/Trust+and+Identity+Document+Stewardship
      1. "Note that any software documentation for developers and end users that is related to a specific release of the software, and is distributed with software, is vetted as part of the quality assurance process for the software release and is out of scope for Trust and Identity Document Stewardship."
    2. Update front matter with note about this and links to old doc.
    3. Only maintain one published and one in-progress/editing version (can we do this in the wiki?)
    4. Removed from Trust and Identity Document Stewardship
    5. Maintain curated content vs open wiki content
    6. Balance between standalone doc vs wiki content
    7. Major revision/refresh/review with each major Grouper release (next one would be 2.5)
    8. Minor revisions directly to released version as needed
    9. New content added as available
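The pattern Chris Hubing describes under Discussion item 1 (AWS Roles and ACM3): a Grouper policy group per AWS account and role, which the IdP turns into the attribute the AWS SP consumes. Written out here as an added Python example, not code from the call, the GDG or the Grouper project. The two attribute names and the "role ARN,provider ARN" value format are AWS's documented SAML contract (see the IAM link in item 1); the group naming convention app:aws:<account id>:role:<RoleName>, the SAML provider name CampusIdP and the sample memberships are assumptions constructed for this example.

```python
import re

# AWS documents these SAML attribute names and the "role ARN,provider ARN" value
# format for the Role attribute. Everything about how the Grouper groups are
# named below is an assumption made for this example.
AWS_ROLE_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_ROLE_SESSION_NAME_ATTRIBUTE = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"

# Assumed policy-group naming convention under the GDG's app: folder:
#   app:aws:<12-digit AWS account id>:role:<IAM role name>
# IAM allows "," in role names, but a comma would split the attribute value,
# so such groups are rejected here rather than released.
_AWS_ROLE_GROUP = re.compile(
    r"^app:aws:(?P<account>\d{12}):role:(?P<role>[A-Za-z0-9+=.@_-]{1,64})$"
)


def aws_role_attribute_values(group_names, provider_name):
    """Map Grouper policy-group names to the values AWS expects in the Role
    attribute, "<role ARN>,<SAML provider ARN>", one per role. The SAML
    provider is registered per account, so its ARN uses the role's account.
    Groups that do not follow the convention (reference groups, other apps)
    are ignored, and duplicates collapse to a single value."""
    values = set()
    for name in group_names:
        match = _AWS_ROLE_GROUP.match(name)
        if match is None:
            continue
        account, role = match.group("account"), match.group("role")
        role_arn = f"arn:aws:iam::{account}:role/{role}"
        provider_arn = f"arn:aws:iam::{account}:saml-provider/{provider_name}"
        values.add(f"{role_arn},{provider_arn}")
    return sorted(values)


def saml_attributes(principal, group_names, provider_name):
    """Attributes the IdP would release to the AWS SP for one user. AWS requires
    RoleSessionName alongside Role; with no AWS policy groups nothing is
    released, so there is no role for the SP to assume."""
    values = aws_role_attribute_values(group_names, provider_name)
    if not values:
        return {}
    return {
        AWS_ROLE_ATTRIBUTE: values,
        AWS_ROLE_SESSION_NAME_ATTRIBUTE: [principal],
    }


if __name__ == "__main__":
    # Constructed sample: one user's Grouper memberships as the IdP might see them
    memberships = [
        "ref:staff",
        "app:aws:123456789012:role:ReadOnly",
        "app:aws:210987654321:role:Admin",
        "app:aws:123456789012:role:ReadOnly",  # duplicate, e.g. reached via two paths
        "app:aws:42:role:Admin",               # malformed account id, ignored
    ]
    for attr, vals in saml_attributes("jdoe@example.edu", memberships, "CampusIdP").items():
        print(attr, vals)
```

This is the "last mile varies" point from the ABAC/RBAC discussion in miniature: the same Grouper group is a membership in Grouper, an attribute to the IdP, and a role to AWS, so the mapping layer is where the naming convention has to be enforced.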