
Overview

An identity and access management program based on InCommon Trusted Access Platform deploys Grouper as a strategic component of its institutional role and access management solution. Grouper is at the center of all group and access policy management. Managing access with Grouper results in access to target systems being automatically kept in sync with policy as subject attributes change in underlying systems of record (e.g. ERP, SIS, etc). This overall mechanism coupled with powerful distributed management capabilities is what makes Grouper a core component of the InCommon Trusted Access Platform.

The Grouper project maintains three introductory videos that are a bit dated, but are still very relevant. The first one, Intro to Grouper: Access Management & Grouper, provides project background and the rationale for the project's approach to access management. The second in the series, Intro to Grouper: Grouper’s Core Access Management Capabilities, explores specific Grouper concepts and capabilities, and how they come together in a specific case for managing access to a VPN service. The third, and final in the series, Intro to Grouper: Grouper Toolkit Components, describes the various product components and capabilities, and options for integrating with existing campus IAM architecture.

The University of Chicago VPN example described in the Intro to Grouper series provides a great overview of how a variety of Grouper’s capabilities come together to implement powerful access control management, and illustrates a common pattern that can be applied in many situations:

  1. Leverage institutional data to create meaningful cohorts (staff, student, etc)
  2. Enable distributed management of exceptions and ad-hoc groups (Institutional Review Board Membership, account locked by CISO (Chief Information Security Officer))
  3. Use composite groups to define access policy (allow - deny)
  4. Reflect access control decisions to target systems (app:vpn:vpn_authorized)

Let’s consider the access policy “Staff, student, postdocs, and members of the IRB office are authorized to use the VPN unless their account is in the process of being closed (closure) or has been administratively locked by the Information Security Office.” This is what NIST 800-162 calls the “natural language policy” (NLP). Figure 1 shows how the NLP is translated into digital policy (DP) in Grouper.

Figure 1: University of Chicago VPN Access Policy

The policy calls out a number of different cohorts, which we call reference groups. These are groups of subjects that share some characteristic, such as being a student, a postdoc or a member of the IRB office. Reference groups can be kept in sync automatically with institutional data, or manually when a data source is not available. The IRB office reference group is kept up to date by directly adding or removing members via the Grouper UI. Reference groups are institutionally meaningful concepts and represent the best known “truth” about a subject at any given moment.

Once the required reference groups are available, an access policy group app:vpn:vpn_authorized is created and configured to reflect the NLP. An allow group app:vpn:vpn_authorized_allow includes reference groups ref:student:all_students, ref:faculty:postdocs, and ref:employee:all_staff. This captures the first part of the NLP. Additionally, a deny group app:vpn:vpn_authorized_deny is created and includes an identity lifecycle group representing a deprovisioning state, ref:iam:closure, and a security control group ref:security:locked_by_ciso. Combining the allow and the deny group in vpn_authorized yields the appropriate digital policy and is kept up to date as the underlying reference groups change.

Converting natural language policy into executable digital policy with a combination of reference groups and access policy groups is a fundamental Grouper pattern and objective. Grouper provides a single point of management, enables groups to be defined once and reused across multiple applications, and empowers the right people to manage access. This example also demonstrates a key objective of a TIER-based Grouper deployment, which is that access policy should be easily discoverable and verifiable.

Figure 2: Enterprise Access Management with Grouper

The rest of this section introduces the core Grouper concepts and primitives, which include:

  • Folders, Groups, and Membership
  • Composite Groups
  • Folder and Group Privileges
  • Grouper Daemon/Loader Jobs

Folders, Groups, and Membership

Grouper is organized around three main concepts: folders, groups, and memberships. A folder is a container for other folders, groups, and other objects. It provides a namespace and a security context for the objects it contains. A group is the list of entities (other groups or subjects) that have membership in the group, along with other attributes that define the group, such as group name and description.

Membership in a group can be direct or indirect and describes a relationship between a subject or group and a group of interest. A subject or group is a direct member of a group if the subject or group has been added to the group’s membership list. A subject is an indirect member of a group if the group contains a subgroup of which the subject is a member, or as the result of a composite group. Any membership that is not direct is called indirect. All indirect memberships are automatically updated as the underlying direct memberships change.

Figure 3: Group and Folder Structure

Composite Groups

Grouper allows you to use two existing groups to define a third group. The third group is called a composite group, and the other two are its factor groups. Groups can be combined as an intersection or a complement. A complement includes subjects that belong to the primary “left” factor group who are not also members of the secondary “right” factor group (i.e. “left” minus “right”). Complement is the primary method used to create composite groups for access policy: the “left” group is the allow group, and the “right” group is the deny group.

An intersection includes entities that belong to both of the original factor groups, and produces a composite "members-in-common". Intersection groups are often used when creating reference groups from basis groups. For instance, one might intersect part-time employees with an “active” status to yield “presently working part-time employees”. This composite could then be added to the “employees” group to ensure only people who are actually presently working have their access enabled.

As membership changes in factor groups they are automatically reflected in composite groups.
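The VPN policy above and the two composite types described in this section, worked through as an added example (this is not Grouper's own code or API; it is a small Python model of the registry). The group names from the page are used as-is; the IRB office group `ref:irb:office`, the basis groups `basis:hr:part_time` and `basis:hr:active_status`, the intersection `ref:employee:part_time_active`, and the subject ids are constructed for the example. It goes slightly beyond the page in showing both the complement (allow minus deny) and the intersection (part-time employees who are active) feeding the same policy, and that a change in a factor or nested group is reflected in the composite without touching the policy group itself.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Group:
    name: str
    # Direct members: subject ids, or the names of nested groups.
    direct: set = field(default_factory=set)
    # Composite definition: ("complement" | "intersection", left_group, right_group).
    composite: Optional[Tuple[str, str, str]] = None


class Registry:
    """Tiny stand-in for the Grouper registry: named groups, nesting, composites."""

    def __init__(self):
        self.groups = {}

    def group(self, name, composite=None):
        g = self.groups.setdefault(name, Group(name))
        if composite is not None:
            g.composite = composite
        return g

    def add_member(self, group, member):
        self.group(group).direct.add(member)

    def remove_member(self, group, member):
        self.group(group).direct.discard(member)

    def members(self, name, _seen=frozenset()):
        """Effective membership: direct subjects plus everything implied by nested
        groups and composite definitions.  Recomputed on every call here; Grouper
        maintains the same result incrementally as direct memberships change."""
        if name in _seen:                   # a group nested inside itself adds nothing new
            return set()
        g = self.group(name)
        seen = _seen | {name}
        if g.composite is not None:
            kind, left, right = g.composite
            left_members = self.members(left, seen)
            right_members = self.members(right, seen)
            if kind == "complement":
                return left_members - right_members   # "left" minus "right"
            if kind == "intersection":
                return left_members & right_members   # members-in-common
            raise ValueError(f"unknown composite type {kind!r}")
        result = set()
        for m in list(g.direct):
            if m in self.groups:                      # nested group: its members are indirect here
                result |= self.members(m, seen)
            else:
                result.add(m)
        return result

    def membership_kind(self, name, subject):
        """'direct', 'indirect' or None, as the Grouper UI would label it."""
        if subject in self.group(name).direct:
            return "direct"
        if subject in self.members(name):
            return "indirect"
        return None


def build_vpn_policy():
    """Reference groups, allow/deny groups and the vpn_authorized complement."""
    reg = Registry()
    # Reference groups normally fed from systems of record (subject ids are constructed).
    reg.add_member("ref:student:all_students", "alice")
    reg.add_member("ref:faculty:postdocs", "bob")
    reg.add_member("ref:employee:all_staff", "carol")
    # Intersection: part-time employees who are presently active, nested into all_staff.
    reg.add_member("basis:hr:part_time", "dave")
    reg.add_member("basis:hr:part_time", "erin")
    reg.add_member("basis:hr:active_status", "dave")
    reg.group("ref:employee:part_time_active",
              ("intersection", "basis:hr:part_time", "basis:hr:active_status"))
    reg.add_member("ref:employee:all_staff", "ref:employee:part_time_active")
    # Manually maintained reference group (no data source).
    reg.add_member("ref:irb:office", "frank")
    # Identity lifecycle and security control groups on the deny side.
    reg.add_member("ref:iam:closure", "carol")
    reg.add_member("ref:security:locked_by_ciso", "bob")
    for ref in ("ref:student:all_students", "ref:faculty:postdocs",
                "ref:employee:all_staff", "ref:irb:office"):
        reg.add_member("app:vpn:vpn_authorized_allow", ref)
    for ref in ("ref:iam:closure", "ref:security:locked_by_ciso"):
        reg.add_member("app:vpn:vpn_authorized_deny", ref)
    reg.group("app:vpn:vpn_authorized",
              ("complement", "app:vpn:vpn_authorized_allow", "app:vpn:vpn_authorized_deny"))
    return reg


if __name__ == "__main__":
    reg = build_vpn_policy()
    print(sorted(reg.members("app:vpn:vpn_authorized")))          # ['alice', 'dave', 'frank']
    reg.add_member("ref:security:locked_by_ciso", "alice")          # CISO locks alice
    print(sorted(reg.members("app:vpn:vpn_authorized")))          # ['dave', 'frank']
```

Only the reference and basis groups are ever edited in the demo; `app:vpn:vpn_authorized` is never touched after it is defined, which is the point of separating the policy group from the reference groups it is built from.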

Folder and Group Privileges

Folders and groups have privileges that can be assigned to subjects or groups within Grouper. The privilege assignments control who can take what action on a folder or group. Each folder and group has its own privilege assignments which enables fine-grained control and delegation of authority. The Access Privileges definition in the Grouper glossary provides further details on what each privilege provides.

Figure 4: Grouper Privileges and Delegation

The combination of folder hierarchy, administrative groups, and Grouper Rules is used to manage folder and group privileges. Groups and folders created within a parent folder can be configured to inherit privileges from the parent folder. How to design groups provides examples of setting up folder structures and configuring privileges. Grouper rules privileges inheritance on UI provides details on managing inherited privileges in the Grouper UI.
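An added illustration of the privilege model described in this section: per-object privilege assignments, an administrative group as grantee, and a folder rule that passes a privilege down to every group created beneath it. This is not Grouper code; the group privilege names (ADMIN, UPDATE, READ, VIEW) match Grouper's glossary, but the implication order among them, the folder rule mechanism, and the names `app:vpn:admins` and `etc:helpdesk` are simplifying assumptions made for this example.

```python
# Assumed simplification: a stronger group privilege implies the weaker ones.
GROUP_PRIV_IMPLIES = {
    "ADMIN": {"ADMIN", "UPDATE", "READ", "VIEW"},
    "UPDATE": {"UPDATE", "READ", "VIEW"},
    "READ": {"READ", "VIEW"},
    "VIEW": {"VIEW"},
}


class PrivilegeRegistry:
    def __init__(self):
        self.group_members = {}   # group name -> set of subject ids (for group-valued grantees)
        self.direct = {}          # object name -> [(privilege, grantee)]
        self.inherited = {}       # folder name -> [(privilege, grantee)] applied to groups beneath it

    def add_member(self, group, subject):
        self.group_members.setdefault(group, set()).add(subject)

    def grant(self, obj, priv, grantee):
        """Assign a privilege on one folder or group to a subject or a group."""
        self.direct.setdefault(obj, []).append((priv, grantee))

    def inherit_to_groups(self, folder, priv, grantee):
        """Folder rule: every group under this folder (any depth) carries this grant."""
        self.inherited.setdefault(folder, []).append((priv, grantee))

    @staticmethod
    def parent_folders(obj):
        # "app:vpn:vpn_authorized" -> ["app:vpn", "app"]
        parts = obj.split(":")
        return [":".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]

    def _expand(self, grantee):
        # A grantee is either a group (expand to its subjects) or a single subject id.
        return self.group_members.get(grantee, {grantee})

    def holders(self, obj, priv):
        """Subjects holding exactly `priv` on `obj`, directly or through a folder rule."""
        grants = list(self.direct.get(obj, []))
        for folder in self.parent_folders(obj):
            grants.extend(self.inherited.get(folder, []))
        subjects = set()
        for p, grantee in grants:
            if p == priv:
                subjects |= self._expand(grantee)
        return subjects

    def can(self, subject, action, group):
        """Can `subject` perform `action` on `group`, counting implied privileges?"""
        return any(subject in self.holders(group, p)
                   for p, implied in GROUP_PRIV_IMPLIES.items() if action in implied)


def build_example():
    reg = PrivilegeRegistry()
    reg.add_member("app:vpn:admins", "ops1")       # administrative group for the VPN folder
    reg.add_member("etc:helpdesk", "hd1")
    # Everything created under app:vpn is administered by the app:vpn:admins group.
    reg.inherit_to_groups("app:vpn", "ADMIN", "app:vpn:admins")
    # The helpdesk may read the policy group but not change it.
    reg.grant("app:vpn:vpn_authorized", "READ", "etc:helpdesk")
    return reg


if __name__ == "__main__":
    reg = build_example()
    for who, action in (("ops1", "UPDATE"), ("hd1", "VIEW"), ("hd1", "UPDATE"), ("zoe", "VIEW")):
        print(who, action, reg.can(who, action, "app:vpn:vpn_authorized"))
```

Because privileges are resolved per object, `ops1` administers groups under `app:vpn` but gains nothing on `ref:student:all_students`, which sits under a different folder with its own assignments.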

Grouper Daemon and Loader Jobs

The Grouper daemon is a background process required for a number of key Grouper features, including the Grouper loader. The Grouper Loader allows you to automatically manage group memberships based on a data source. Out of the box, supported data sources include SQL and LDAP. Details about the various types of loader jobs and examples are maintained in the Grouper loader wiki page. The Grouper Training Admin Loader Part 1 and Grouper Training Admin Loader Part 2 training videos also go into more detail about loader job options, configuration, and operation.

Figure 5: Grouper Loader Jobs
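What a SQL loader job does on each run, as an added example (not the Grouper loader itself): the query against the system of record defines who should be in the group, the job diffs that against current membership, and applies the additions and removals. The in-memory SQLite table, the `employee` schema and subject ids are constructed for the example, and the removal guard is a constructed safety check rather than a Grouper setting.

```python
import sqlite3
from collections import namedtuple

LoaderResult = namedtuple("LoaderResult", "members added removed applied")

# The query defines the full membership; its first column is taken as the subject id.
ACTIVE_STAFF_QUERY = "SELECT subject_id FROM employee WHERE status = 'active'"


def seed_system_of_record():
    """Constructed sample HR table standing in for a system of record."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employee (subject_id TEXT PRIMARY KEY, status TEXT, fte REAL)")
    con.executemany("INSERT INTO employee VALUES (?, ?, ?)", [
        ("carol", "active", 1.0),
        ("dave", "active", 0.5),
        ("erin", "leave", 0.5),
        ("gina", "terminated", 1.0),
    ])
    con.commit()
    return con


def run_loader_job(con, query, current_members, max_removal_fraction=0.5):
    """One full-sync loader run.

    Computes the delta between the query result and the current membership.
    The removal guard (an assumption for this example) skips the run when the
    query would strip more than `max_removal_fraction` of a non-empty group,
    the typical symptom of a broken query or an empty source system.
    """
    wanted = {row[0] for row in con.execute(query)}
    added = wanted - current_members
    removed = current_members - wanted
    if current_members and len(removed) / len(current_members) > max_removal_fraction:
        # Leave the group as it was; a real job would log and alert here.
        return LoaderResult(set(current_members), set(), set(), applied=False)
    return LoaderResult(wanted, added, removed, applied=True)


if __name__ == "__main__":
    con = seed_system_of_record()
    group = set()
    first = run_loader_job(con, ACTIVE_STAFF_QUERY, group)
    print("run 1:", first)                              # adds carol and dave
    con.execute("UPDATE employee SET status = 'active' WHERE subject_id = 'erin'")
    con.execute("UPDATE employee SET status = 'terminated' WHERE subject_id = 'dave'")
    second = run_loader_job(con, ACTIVE_STAFF_QUERY, first.members)
    print("run 2:", second)                             # adds erin, removes dave
```

The job never edits individual memberships by hand; the data source is the only input, which is what keeps the target group aligned with the system of record as people join, go on leave or are terminated.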
