
Overview

The overall approach to access management with Grouper is to create and maintain institutional meaningful cohorts (reference groups), which in turn are used to drive access policy groups. The access policy groups then provide subject attributes (role names or entitlements) that are mapped to coarse or fine-grained permission sets at the target service.

How the fine-grained application permission sets are managed is usually specific and local to the target service. In some cases, the privilege to use a particular service (a set of rights to specific resources) can be mapped to a subject attribute representing an entitlement (i.e. subject is entitled/authorized to access the service). In these cases, a membership assignment in an access policy group can drive an eduPersonEntitlement value that is often consumed by the target service via a SAML assertion. In other cases, group membership must be provisioned to the target service to effectively control access.

How application permission sets are managed, membership assignments are communicated, and access policy is enforced can vary quite considerably depending on the security needs and capabilities of the target service. However, the overall approach to access management with Grouper remains consistent. The following sections use terminology and models from NIST SP 800-162 and XACML to demonstrate a variety of models leveraging this approach.

ACM1 Grouper Subject Attributes

In this model, Grouper is used to master subject attributes that represent some type of affiliation or status at the institution. Actual access policy is completely local to the service, and the availability of an agreed upon subject attribute is sufficient to make a policy decision. The subject attribute policy is a group configured in Grouper and built up with reference groups similar to an access policy group, but with no particular service in mind.

PAP, PDP, and PEP are all at the target service:

  1. A subject attribute like eduPersonAffiliation is mastered in Grouper and reflected into an LDAP based enterprise directory.
  2. The subject attribute is either passed to the target service via SAML or queried via LDAP after authentication.
  3. PAP: Access control policy is configured at the target service.
  4. PDP, PEP: Policy decision and policy enforcement both happen at the target service.

Figure 7: Access Control Model 1 - Grouper Subject Attributes

This model is useful for cases when there is an informal relationship between the institution and the service provider, and a locally defined notion of the subject attribute like eduPersonAffiliation is sufficient for access control. However, the model breaks down quickly if a more exact notion of the subject attribute is required or if it needs to be different across services. It is important to remember that cohorts (affiliations, status, class year, etc.) are not access policy. Do not be tempted to create service specific versions of cohorts. If you need service specific policy, consider using access policy groups and the access control model described in ACM2 Grouper as PAP and PDP.
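As an added illustration of ACM1 (example code written for this page, not Grouper's own code or API), the toy model below derives eduPersonAffiliation from constructed reference groups on the institution side and leaves PAP, PDP and PEP entirely to each service, which decides from the asserted attribute alone. Group paths, subject ids and service policies are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# --- Institution side (Grouper + directory/IdP) ---
# Constructed reference groups: group path -> set of subject ids.
# These are cohorts, not access policy; no service is in mind here.
REFERENCE_GROUPS = {
    "ref:faculty": {"alice"},
    "ref:staff": {"bob"},
    "ref:student": {"carol", "dave"},
    "ref:alum": {"dave"},
}

# Constructed mapping from reference group to eduPersonAffiliation values.
AFFILIATION_MAP = {
    "ref:faculty": ("faculty", "member"),
    "ref:staff": ("staff", "member"),
    "ref:student": ("student", "member"),
    "ref:alum": ("alum",),
}

def affiliations(subject: str) -> set[str]:
    """Values the IdP would release as eduPersonAffiliation for the subject
    (the attribute is mastered in Grouper and reflected into the directory)."""
    values: set[str] = set()
    for path, members in REFERENCE_GROUPS.items():
        if subject in members:
            values.update(AFFILIATION_MAP[path])
    return values

# --- Service side: PAP, PDP and PEP all live at the target service ---
@dataclass(frozen=True)
class ServicePolicy:
    """PAP: locally configured rule, expressible only over the shared
    affiliation vocabulary (the limitation that motivates ACM2)."""
    name: str
    permit_any_of: frozenset[str]

def pdp(policy: ServicePolicy, asserted: set[str]) -> bool:
    """PDP: permit when any asserted affiliation matches the local rule."""
    return bool(policy.permit_any_of & asserted)

def pep(policy: ServicePolicy, subject: str) -> str:
    """PEP: enforce the decision on the attribute received after authentication."""
    return "permit" if pdp(policy, affiliations(subject)) else "deny"

# Two services with different local policies over the same attribute.
LIBRARY = ServicePolicy("library", frozenset({"member"}))
HR_PORTAL = ServicePolicy("hr-portal", frozenset({"staff", "faculty"}))
```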

ACM2 Grouper as PAP and PDP

ACM3 RBAC User to Role Mapping

ACM4 WebSSO Short-circuit

Distributed Access Control Management

Application Permissions Management - RBAC with Grouper
