Grouper uses the Internet2 “Subject API” which used to be used by Signet and Grouper when Signet was a thing. I have used it in a couple of other projects, but in general it is a Grouper thing at this point. Basically it allows for various subject sources.
Subject sources have:
Subjects managed by the source are identified by:
It used to be that to identify a subject you needed the sourceId, the subjectId, and the type (e.g. person, group, system, etc), but we migrated away from that and now subjects are identified by sourceId and subjectId. I don’t think we have a standard way of determining if a subject is a person or a system or group except by looking at which source it originated from, and we don’t really care anyways [1].
Grouper can manage what we call “local entities” which are things on the Grouper namespace that don’t have members (like groups do), but can be assigned as members of groups or have permissions. Or you could have a simple SQL query or LDAP filter to manage your external entities or non-person entities.
A little more info… subjects can be looked up by “subjectIdentifier” which is something that uniquely identifies the subject but which could change, i.e. don’t store this in your database since it can change.
At Penn we have these subject sources:
Thanks,
Chris
[1] i.e. if the authentication system returned an entity (person or system), and we go to Grouper and ask if that entity has access to something, we don’t care what type of entity it is.
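
The following is an added example, not part of the original message and not Grouper or Subject API code. It is a toy Python model of the points above: memberships are keyed on (sourceId, subjectId), the changeable subjectIdentifier is resolved at request time and never stored, and the entity type is not consulted. All class names, function names and sample values are hypothetical.

```python
# Toy model (hypothetical names, not the Internet2 Subject API or Grouper code).
from dataclasses import dataclass, field


@dataclass
class Source:
    """One subject source: stable subjectIds plus changeable identifiers."""
    source_id: str
    by_identifier: dict = field(default_factory=dict)  # subjectIdentifier -> subjectId

    def resolve(self, identifier):
        """Look up by subjectIdentifier; return the stable (sourceId, subjectId) key."""
        subject_id = self.by_identifier.get(identifier)
        return (self.source_id, subject_id) if subject_id is not None else None

    def change_identifier(self, old, new):
        """Identifier changes (e.g. a login rename); the subjectId stays the same."""
        self.by_identifier[new] = self.by_identifier.pop(old)


class Memberships:
    """Group membership stored only under the stable (sourceId, subjectId) key."""

    def __init__(self):
        self._members = {}  # group name -> set of (sourceId, subjectId)

    def add(self, group, key):
        self._members.setdefault(group, set()).add(key)

    def has_member(self, group, key):
        # Entity type (person, system, group) is never consulted here.
        return key is not None and key in self._members.get(group, set())


def demo():
    # Constructed sample data.
    people = Source("people", {"jsmith": "10021"})
    systems = Source("systems", {"backup-svc": "10021"})  # same subjectId, other source
    acl = Memberships()
    acl.add("app:admins", people.resolve("jsmith"))

    before = acl.has_member("app:admins", people.resolve("jsmith"))
    people.change_identifier("jsmith", "jdoe")
    after_new = acl.has_member("app:admins", people.resolve("jdoe"))
    after_old = acl.has_member("app:admins", people.resolve("jsmith"))
    other_source = acl.has_member("app:admins", systems.resolve("backup-svc"))
    return before, after_new, after_old, other_source
```

The last value returned by `demo()` shows why the sourceId is part of the key: an equal subjectId in a different source is a different subject and gets no access.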