Intro

Project Goal

The goal of this project is to provide a new Central Authorization System for Cornell University. The work will be organized into two phases. Phase One will focus on replacing Cornell’s proprietary Permit Server with a system which is modern and easy to maintain. Phase Two will add privilege management and delegation features which are unavailable with the current service.

The fundamental assumption is that Signet and Grouper, two software tools being developed by the Internet2 Middleware Group, can meet the needs outlined above. Cornell’s Identity Management team has been working closely with the Signet and Grouper development teams to validate this assumption and the results to date have been promising.

As described in the PIP, we plan to work with the appropriate stakeholders, gather requirements, validate our initial assumptions, carefully communicate our plans to the campus community, assess and manage any risks associated with the work, and migrate to the new service in a way that causes little interruption and inconvenience to campus customers.

Grouper Phase 1: May 2008, Update and Scope Change

  • This is a status update on the I2 Grouper Project
  • Audience: Project Sponsors and Steering Committee
  • Change in Scope: see below

Grouper Phase 1: What?

  • Replacement of Cornell’s Permit Server with I2 Grouper application.
  • Providing modern group management functionality for use by campus systems.
  • Laying the foundation for a role-based central authorization system for the University.

Grouper Phase 1: Why?

  • Central Authorization at Cornell is currently handled by a Permit Server which was developed at Cornell and has been in use for over a decade.
  • The current system has a number of limitations. Among them:
    1. AdminUI designed for the 1990s
    2. No limits or expirations on permits
    3. Limited delegation features
    4. Users can’t see what permits they have
    5. No group math or negative authorizations
    6. No self-enrollment options
    7. Limited error checking
    8. Cumbersome to maintain
  • I2 Grouper application provides:
    1. Distributed group management
    2. Composite groups and group math
    3. Traceback of indirect membership
    4. Aging of groups and memberships
    5. Self enrollment and un-enrollment
    6. Users can easily see what groups they are members of
    7. Users can create and manage their own groups
    8. Uses existing repositories for subject sources
    9. Clearer ownership hence more accountability
    10. Better administration tools
    11. Good LDAP integration
    12. Delegated model of control

Grouper, Phase 1: Initial Scope

  • The Identity Management Team is planning to roll out this new campus-wide system with no interruption to current services by doing a transparent cutover to Grouper.
  • The technical work for Phase One of this project is complete:
    1. A Permit Shim has been built and tested which will provide for a transparent cutover from the Permit Server to Grouper.
    2. Load testing is largely finished, with good results.
    3. Migration scripts are ready to go.
    4. Cornell-specific Grouper UI and style sheet are done.
    5. Initial namespace is defined.
  • Phase One launch of Grouper would be largely transparent to campus end users; initially, system owners and application developers wouldn’t have to change anything: current permits would be migrated and would simply keep working.
  • A new, more intuitive Grouper UI would be provided for creating and managing groups.
  • Documentation will be provided for both system users and administrators.

Grouper Phase 1: Scope Change, Rollout with Additional Features

  • After much study and discussion, the Project Sponsors have requested that Grouper be launched with a full complement of automatically maintained reference groups representing the key campus communities.
  • While this represents a scope change for Phase One of the project, this additional work will move the campus significantly forward on its longer-term goals for central authorization by providing:
    1. A meaningful framework of fully populated reference groups that plays well with current campus systems.
    2. A means of delegating control of group management to the respective departmental units after first establishing primary administrators who have the authority to name other administrators within the unit.
    3. A shorter path to future role- and rule-based authorization mechanisms for campus.
    4. A better foundation on which to deploy privilege-management mechanisms such as I2 Signet.
  • Initial investigations into the scope of this work are nearing completion and the results are captured in a Reference Groups Analysis Document. For those who have access, the latest version of this document is maintained in SourceForge (“Latest Version, Reference Groups Analysis Document”).
  • Requirements gathering and design have begun.
  • A revised schedule and rollout plan will be completed.
  • Meanwhile, work on the core I2 Grouper application continues with new releases and features planned. The team will continue this testing, UI development, and documentation work in parallel.
  • Go-live with a much larger population of groups, and most likely with a future release of Grouper (as opposed to the current I2 release), will require additions to the current test plans and continued testing.
  • Additional work is anticipated to better understand and plan for the ongoing IdM administration and support requirements for the first 6-12 months after launch, and beyond.

When: Current Scheduling Goals, Subject to Results of Current Investigation

  • June 1, 2008 – Grouper, Phase One work complete
  • June 31, 2008 – Pre-populated reference groups, investigation complete
  • August 01, 2008 – Design
  • September 15, 2008 – Build
  • October 01, 2008 – Test
  • October 15, 2008 – Rollout

Who:

  • Executive Sponsor:
    • Polley McClure
  • Project Sponsors/Directors
    • Rick Banks
    • Andrea Beesing
    • Dan Dwyer
    • Lyman Flahive
    • David Koehler
    • Jim Lombardi
    • Steve Lutter
    • Rick MacDonald
    • Mark Mara
    • Steve Schuster
    • Dave Vernon
    • Mike Whalen
    • David Yeh
  • Project Steering Committee
    • Rob Bandler rwb7@cornell.edu
    • Steve Barrett smb1@cornell.edu
    • Andrea Beesing amb3@cornell.edu
    • J.P. Brannan jpb1@cornell.edu
    • Laurie Collinsworth ljc1@cornell.edu
    • Ron DiNapoli rd29@cornell.edu
    • Daniel Elswit de21@cornell.edu
    • Lyman Flahive lf13@cornell.edu
    • Debra Howell dlh19@cornell.edu
    • Tom Parker jtp5@cornell.edu
    • Jason Woodward jdw5@cornell.edu
    • Jolene Scaglione jrs8@cornell.edu
    • Joy Veronneau jv11@cornell.edu
    • Kevin Baradet kb15@cornell.edu
    • Adam Chandler alc28@cornell.edu

Communications

  • Update to SRM and Project Steering Committee (this)
  • Updates to Campus Developer community
  • Launch/rollout communication plan with C&O
  • CIT web page documentation for end users
  • Technical documentation via Confluence/Wiki
  • Revise Identity Management departmental websites

Liner Notes

  • New rounds of testing are anticipated


Contact Tom Parker, jtp5@cornell.edu, if you have any questions.