Grouper Training
Developers and Architects
How to Design Permissions
Shilen Patel, Duke University
This work is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License.

Contents
• Introduction
• Permission definitions
• Permission names
• Actions
• Roles
• Permission assignments
• Limits
• Inheritance
• Application integration

Introduction
[Diagram: Attributes, Roles, Role inheritance, Permissions, Attribute definition, Permission definition. The delegation model extends that for Groups.]

Permission Definitions
• A type of attribute definition where the attribute type is "permission".
• Typically there is one definition for a set of permission names (resources) and actions.
• Also contains security information:
  • Who can create permission assignments using a given definition?
  • Who can see permission assignments?

Permission Names
• Permission names are the "resource" in the permission triple.
• Typically there is more than one per permission definition.

Actions
• Each permission definition can have a set of actions that can be used to form permissions using that definition.
• Actions are free-form strings (e.g. "read", "write", "admin").

Roles
• A special type of group.
• Unlike regular groups, roles can be associated directly with permission assignments.
• Roles can also have permission inheritance.

Permission Assignments
• Contain the triple:
  • Subject (a role, or a specific subject within a role)
  • Action
  • Resource (the permission name)
• Start and end dates:
  • Permission will start on a future date.
  • Permission will end on a future date.

Permission Assignments (continued)
• Allowed versus disallowed permissions.
• The permission processor resolves conflicts when performing permission queries (e.g. PermissionFinder.hasPermission()):
  • Direct assignments trump inherited assignments.
  • A lower-depth inherited assignment trumps a higher-depth inherited assignment (depth measured on the directed graph of inheritance).
  • Inherited ALLOW assignments trump inherited NOT_ALLOW assignments of equal depth.

Limits
• Runtime constraints on permission assignments.
• There are many built-in limits (such as "Weekday 9 to 5").
• When querying permissions using the permission processor, you can supply limit values (e.g. the current time).
• Limits can only apply to permissions that are allowed (not disallowed).

Inheritance
• Role inheritance – one role inherits the permissions of another role (e.g. a senior manager inherits the permissions assigned to a manager).
• Resource inheritance – permission on one resource implies permission on another. Useful in hierarchies (e.g. read access on the OIT resource within an application implies read access on OIT:IDM).

Inheritance (continued)
• Action inheritance – one action implies another (e.g. admin implies read).
• Group membership – adding a group as a member of a role.

Application Integration
• Use the Grouper change log to propagate permissions to an external application.
  • Change log events occur when permissions are added or dropped.
  • The change log will tell you which roles have permission changes.
  • The change log category is "permission" and the change log action is "permissionChangeOnRole".

Application Integration (continued)
• An application can look up permissions using Grouper Web Services.
  • A possible approach for custom applications.
  • Need to consider caching, especially if permissions are fine-grained.
  • Can also send limit values in permission queries and simply get a boolean response for whether the user has the permission.

Application Integration (continued)
• Grouper views
  • Useful for read-only queries when the permission processor is not needed.
  • grouper_perms_assigned_role_v – shows all permissions assigned to roles.
  • grouper_perms_role_v – shows all permissions assigned to users due to the users being in a role, and the role being assigned the permission.
  • grouper_perms_role_subject_v – shows all permissions assigned to users directly while in a role.
  • grouper_perms_all_v – the union of grouper_perms_role_v and grouper_perms_role_subject_v.
• Grouper API

Quiz
Click on the quiz link in the video description to reinforce your knowledge of this topic.

Thanks!
Further information:
• Infosheets, mailing lists, wiki, downloads, etc.: www.internet2.edu/grouper
• Grouper demo server: grouperdemo.internet2.edu/
• Grouper Online Training Home: spaces.internet2.edu/x/IIGfAQ
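The conflict-resolution rules from the "Permission Assignments (continued)" slide, the limit behaviour from the "Limits" slide and the three inheritance kinds from the "Inheritance" slides are easiest to reason about as one small model. The following Python is an added example written for this page; it is not Grouper's code and does not use the Grouper API (PermissionFinder.hasPermission() is only what it imitates). Everything in it is an assumption of the model: queries are made at role level rather than for a specific subject within a role; the depth of a matching assignment is taken as the sum of its depths along the role, action and resource inheritance graphs; an allowed assignment whose limit is not met is simply dropped before conflicts are resolved; the role, resource and action names and the sample times are constructed.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional, Set

# A limit is a predicate over the limit values supplied with a query, e.g. {"time": datetime}.
# Hypothetical stand-in for Grouper's built-in limits.
Limit = Callable[[dict], bool]


@dataclass(frozen=True)
class Assignment:
    """The (subject, action, resource) triple plus allow/disallow and an optional limit."""
    role: str
    action: str
    resource: str
    allowed: bool = True            # False models a NOT_ALLOW (disallowed) assignment
    limit: Optional[Limit] = None   # limits only ever apply to allowed assignments


def _depths(start: str, parents: Dict[str, Set[str]]) -> Dict[str, int]:
    """Breadth-first walk up an inheritance graph (parents[x] = what x inherits from).
    Returns each reachable node with its depth; the start node is depth 0 ("direct")."""
    depth = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for parent in parents.get(node, ()):
            if parent not in depth:
                depth[parent] = depth[node] + 1
                queue.append(parent)
    return depth


class PermissionProcessor:
    """Toy model of the permission processor's resolution rules (not the real API)."""

    def __init__(self) -> None:
        self.role_parents: Dict[str, Set[str]] = {}      # role inheritance
        self.action_parents: Dict[str, Set[str]] = {}    # action inheritance
        self.resource_parents: Dict[str, Set[str]] = {}  # resource inheritance
        self.assignments: List[Assignment] = []

    def role_inherits(self, role: str, parent: str) -> None:
        self.role_parents.setdefault(role, set()).add(parent)

    def action_implied_by(self, action: str, broader: str) -> None:
        """action_implied_by("read", "admin"): admin implies read."""
        self.action_parents.setdefault(action, set()).add(broader)

    def resource_implied_by(self, resource: str, broader: str) -> None:
        """resource_implied_by("OIT:IDM", "OIT"): a permission on OIT implies it on OIT:IDM."""
        self.resource_parents.setdefault(resource, set()).add(broader)

    def assign(self, assignment: Assignment) -> None:
        self.assignments.append(assignment)

    def has_permission(self, role: str, action: str, resource: str,
                       limit_values: Optional[dict] = None) -> bool:
        role_d = _depths(role, self.role_parents)
        action_d = _depths(action, self.action_parents)
        resource_d = _depths(resource, self.resource_parents)
        best = None  # (depth, allowed) of the strongest assignment seen so far
        for a in self.assignments:
            if a.role not in role_d or a.action not in action_d or a.resource not in resource_d:
                continue
            # Assumption: total depth is the sum over the three inheritance graphs; 0 is direct.
            depth = role_d[a.role] + action_d[a.action] + resource_d[a.resource]
            # Limits constrain allowed assignments only; an unmet limit drops the assignment.
            if a.allowed and a.limit is not None and not a.limit(limit_values or {}):
                continue
            # Lower depth wins; at equal depth ALLOW beats NOT_ALLOW.
            if best is None or depth < best[0] or (depth == best[0] and a.allowed):
                best = (depth, a.allowed)
        return best is not None and best[1]


def weekday_9_to_5(values: dict) -> bool:
    """Models the built-in 'Weekday 9 to 5' limit against the supplied 'time' value."""
    t = values.get("time")
    return isinstance(t, datetime) and t.weekday() < 5 and 9 <= t.hour < 17


# Constructed sample times: 2024-01-01 is a Monday, 2024-01-07 is a Sunday.
MONDAY_10AM = datetime(2024, 1, 1, 10, 0)
SUNDAY_10AM = datetime(2024, 1, 7, 10, 0)


def build_demo() -> PermissionProcessor:
    """Constructed sample data mirroring the slides' examples."""
    p = PermissionProcessor()
    p.role_inherits("senior_manager", "manager")  # senior manager inherits manager
    p.action_implied_by("read", "admin")          # admin implies read
    p.resource_implied_by("OIT:IDM", "OIT")       # OIT implies OIT:IDM
    p.assign(Assignment("manager", "read", "OIT"))
    p.assign(Assignment("manager", "write", "OIT:IDM", allowed=False))
    p.assign(Assignment("senior_manager", "write", "OIT:IDM"))  # direct allow beats inherited disallow
    p.assign(Assignment("manager", "admin", "OIT:HR", limit=weekday_9_to_5))
    # Equal-depth conflict: auditor inherits an ALLOW and a NOT_ALLOW, both at depth 1.
    p.role_inherits("auditor", "viewer")
    p.role_inherits("auditor", "restricted")
    p.assign(Assignment("viewer", "read", "OIT:HR"))
    p.assign(Assignment("restricted", "read", "OIT:HR", allowed=False))
    return p
```

Calling `build_demo().has_permission("senior_manager", "write", "OIT:IDM")` returns True because the direct allow at depth 0 outranks the disallow inherited from manager at depth 1, while the same query for "manager" returns False; `has_permission("manager", "read", "OIT:HR", {"time": SUNDAY_10AM})` returns False because the only matching assignment (admin implies read) carries a limit that the supplied time does not satisfy, and omitting the limit values altogether has the same effect.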