GRS & BuzzAPI IAM Users Group Overview


This overview covers the GRS & BuzzAPI IAM Users Group presentation from September 2016: GRS concepts, roles, folders, rules, people vs. accounts, and getting started with GRS, together with the automated rules, filters, entitlements, and access control in the system, followed by an overview of BuzzAPI and how to use it.

  • GRS
  • BuzzAPI
  • IAM
  • Users
  • Overview

Uploaded on Feb 22, 2025 | 0 Views



Presentation Transcript


  1. GRS & BuzzAPI IAM Users Group Sept 2016

  2. Agenda Bash
     • GRS: Overview & Concepts, Getting Started, Gotchas
     • BuzzAPI: Overview, Usage

  3. GRS Overview
     • GRS: GT Role System
     • Role: A label put on People (or accounts)
     • Automated Rules: GTED Filters
     • Adding & Removing People: Manual Additions, Automated Cleanup
     • Reads and updates GTED Entitlements
     • GTED Entitlements feeds: GTED Posix Groups, GTAD Groups, Data Warehouse

  4. GRS Concepts: Roles & Folders
     • Folders created (by IAM) for Departments & Services; Subfolders created as needed
     • Access-control: Roles have X access to Folder: Full Control, Edit, Override, Read, View
     • Role: Path & Name (determines Entitlement value); Description (automated data dictionary in FY2017); Type: People or Accounts (more later); Rules; Overrides

  5. GRS Concepts: Rules
     • Match People: GTED Filter; GTED Group (Sympa Lists); Another Role
     • Affect Memberships: Enabling (add to Role); Filtering out (simple subtraction); Disabling (exceptional subtraction); Prerequisite (requirement in addition to other Rules)

  6. GRS Concepts: People vs Accounts
     • People have multiple accounts: Same person: Alt Primary, Secondary; Diff Person: Service & Guest
     • Recommend People Roles except: High Security; Abundance of Service Accounts with siblings; Resource ownership is per-account and is critical
     • Account Selection: Overall Primary: gtAccountCategory=overall-primary-account; Employee Account: gtAccountCategory=primary-account:e
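The two slides above describe the rule kinds (enabling, filtering out, disabling, prerequisite) and the per-account selection by gtAccountCategory, but not how they combine. The following Python model is an added example, not GRS code or anything from the IAM team: the composition order (enabling adds, every prerequisite must hold, filtering subtracts, manual overrides survive filtering, disabling subtracts even overrides) is an assumption drawn from the slide wording, and the people, accounts and the role named `/oit/staff` are constructed sample data.

```python
"""Added illustration of how GRS-style rules and account selection can compose.

This is not GRS code. The composition order below is an assumption drawn
from the slide wording (enabling adds, prerequisites must all hold,
filtering and disabling subtract, disabling also removes overrides); the
people and accounts are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Match = Callable[[dict], bool]   # stands in for a GTED filter, group or other role


@dataclass
class Rule:
    kind: str      # "enable" | "prereq" | "filter" | "disable"
    match: Match


@dataclass
class Role:
    name: str
    rules: List[Rule] = field(default_factory=list)
    overrides: Set[str] = field(default_factory=set)   # manual additions


def evaluate(role: Role, people: Dict[str, dict]) -> Set[str]:
    """Return the person ids that end up in the role (assumed semantics)."""
    def matches(kind: str, person: dict) -> bool:
        return any(r.match(person) for r in role.rules if r.kind == kind)

    # 1. Enabling rules add people; 2. every prerequisite rule must also match.
    prereqs = [r for r in role.rules if r.kind == "prereq"]
    enabled = {uid for uid, p in people.items()
               if matches("enable", p) and all(r.match(p) for r in prereqs)}
    # 3. Filtering out is simple subtraction from the rule-derived set ...
    members = {uid for uid in enabled if not matches("filter", people[uid])}
    # 4. ... so a manual override can still add someone the filters removed.
    members |= role.overrides & set(people)
    # 5. Disabling is exceptional subtraction: it removes overrides as well.
    return {uid for uid in members if not matches("disable", people[uid])}


def select_account(person: dict, category: str = "overall-primary-account") -> Optional[str]:
    """Pick the account carrying the given gtAccountCategory value.

    The slide's two selectors are overall-primary-account and
    primary-account:e (employee account); gtAccountCategory is treated as
    multi-valued, as LDAP attributes usually are.
    """
    for acct in person["accounts"]:
        if category in acct["gtAccountCategory"]:
            return acct["uid"]
    return None


def entitlement_accounts(role: Role, people: Dict[str, dict],
                         category: str = "overall-primary-account") -> Set[str]:
    """For a People-type role, map each member to one account for the entitlement feed."""
    chosen = (select_account(people[uid], category) for uid in evaluate(role, people))
    return {uid for uid in chosen if uid is not None}


# Constructed sample directory: person id -> attributes and accounts.
PEOPLE = {
    "alice": {"dept": "oit", "active": True, "contractor": False, "hold": False,
              "accounts": [{"uid": "alice3", "gtAccountCategory": ["overall-primary-account", "primary-account:e"]},
                           {"uid": "svc-backup", "gtAccountCategory": ["service"]}]},
    "bob":   {"dept": "oit", "active": True, "contractor": True, "hold": False,
              "accounts": [{"uid": "bob7", "gtAccountCategory": ["overall-primary-account", "primary-account:s"]}]},
    "carol": {"dept": "library", "active": True, "contractor": False, "hold": False,
              "accounts": [{"uid": "carol2", "gtAccountCategory": ["overall-primary-account"]}]},
    "dave":  {"dept": "oit", "active": False, "contractor": False, "hold": False,
              "accounts": [{"uid": "dave1", "gtAccountCategory": ["overall-primary-account"]}]},
    "erin":  {"dept": "library", "active": True, "contractor": False, "hold": False,
              "accounts": [{"uid": "erin9", "gtAccountCategory": ["overall-primary-account"]}]},
    "frank": {"dept": "library", "active": True, "contractor": False, "hold": True,
              "accounts": [{"uid": "frank4", "gtAccountCategory": ["overall-primary-account"]}]},
}

# Constructed role: OIT staff, active only, contractors filtered out,
# security holds disabled; erin and frank were added by manual override.
OIT_STAFF = Role(
    name="/oit/staff",
    rules=[Rule("enable", lambda p: p["dept"] == "oit"),
           Rule("prereq", lambda p: p["active"]),
           Rule("filter", lambda p: p["contractor"]),
           Rule("disable", lambda p: p["hold"])],
    overrides={"erin", "frank"},
)

if __name__ == "__main__":
    print(sorted(evaluate(OIT_STAFF, PEOPLE)))                 # ['alice', 'erin']
    print(sorted(entitlement_accounts(OIT_STAFF, PEOPLE)))     # ['alice3', 'erin9']
```

Walking through the sample: alice is enabled and kept; bob is enabled but filtered out as a contractor; dave fails the active prerequisite; carol never matches an enabling rule; erin enters only through a manual override; frank was also overridden in but a disabling rule removes him regardless. That last step is what makes disabling "exceptional" in this model, and it is the reason a security hold should be expressed as a disabling rule rather than a filter.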

  7. GRS: Getting Started
     • Need GRS account; Need Folder and/or Permissions
     • Zork Client: ssh roles.iam.gatech.edu
     • Person-Centric: Status, Override, History; Role-Centric: Everything else
     • Role: Navigating; Role/Folder Creation; Role Editing; Rule Viewing & Editing
     • Overrides, steps: Find Person, Find Account (Optional), Set Duration/Condition

  8. GRS: Zork Client Tricks
     • First, the client is painful
     • Tricks: Use the defaults; Everything is case insensitive; Find roles with =prefix or =.*substring

  9. GRS: Performance & APIs
     • Performance: Overrides: <<10 minutes, faster with BuzzApi; New rules: Small ~10 minutes, Large: Up to an hour; Data changes: Up to a day
     • APIs: https://roles.iam.gatech.edu/grs_api_v2/ [Yes, I know the certificate is bad]; BuzzApi central.iam.grs.overrides

  10. GRS: Gotchas
     • Things that could be better: Confusing AccountSearch > Person > Account Selection; Changing GTED Branch; Bad LDAP Filters; People vs Accounts
     • Deleting large rules: Call IAM Team
     • Following/Documenting cascading: IAM Team has grs-rules script to make this easier

  11. GRS: Questions?

  12. BuzzApi: Agenda
     • Background: Idea & Motivation, Goals
     • Available Services
     • Access Control
     • Using BuzzApi

  13. BuzzApi: Overview
     • Motivation: History of independent API implementations; More APIs and more access (inc. Students); Modularity and simpler integrations
     • Idea: API broker with deep functions; Loosely coupled providers (polyglot, multiple owners); Common sandbox, direct client-provider communication

  14. BuzzApi: Features
     • Consistent details, implemented as few times as possible: Hostnames, Firewalls, etc.; Authentication: Username/Password, CAS Proxy; Authorization; Parameter names; Operations (Create, Read, Update, Delete, Ping, Documentation, Provide); Logging; Metadata; Documentation; Discovery; Monitoring; Redundancy

  15. BuzzApi: Services
     • IAM (Public): People-searching, GTED, GRS, GTAD, Duo, Password Info, GTAccount creation, Service Roles, User-personal groups, Event Queues, Guests, Logs (Mage, Passport, GRS, CAS, Duo), Grouper
     • Email: Email Aliases & Primary Addresses, Sympa Lists, Destination Preferences, Office365 Exchange
     • PeopleSoft: Ethics Compliance, Holidays
     • Banner: Course Catalog, Seat Counts, Instructors, Deposits, Charges
     • BuzzCard: Issuance Info, Photos
     • App Specific: Touchnet, Symplicity, Udacity, GTPE, Student Orgs
     • Internal: Message Queues, WebServers, Diagnostics
     • IAM (Private): Vetting Q&A, Splunk, RBAC

  16. BuzzApi: Usage
     • Access Control: Coarse Grained: Resources & Operations; Fine Grained: Checks on Apps, Users, and Parameters
     • URLs: api.gatech.edu, test.api.gatech.edu, iat.gatech.edu
     • Authentication: App [Always], User [Sometimes]
     • Parameters: URL, JSON Body, or Both
     • Request Modes: Async [Default]; Sync: api_request_mode=sync

  17. BuzzApi: Results
     • Always get back a significant response envelope: Info on request; Backend info & logs; Result
     • Result: Success (api_result_data), Failure (api_error_info), Timeout (neither)
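Slides 16 and 17 give the request mode switch and the three-way reading of the response envelope. The Python below is an added example of a client applying those rules; it is not BuzzApi client code or a published BuzzApi SDK. The names taken from the slides are the hosts api.gatech.edu / test.api.gatech.edu, the `api_request_mode=sync` parameter and the `api_result_data` / `api_error_info` keys; the resource path `example/person-lookup`, the envelope keys `api_request_info` and `api_backend_info`, and the sample envelopes are constructed placeholders. The `user_facing_message` helper also shows the defender's habit the envelope invites: backend info and logs are for operators, so only the outcome and the error message reach an end user.

```python
"""Added illustration of talking to a BuzzApi-style broker and reading its envelope.

This is not BuzzApi client code. The real names taken from the slides are the
hosts api.gatech.edu / test.api.gatech.edu, the api_request_mode=sync parameter
and the api_result_data / api_error_info result keys; the resource path, the
api_request_info / api_backend_info keys and the sample envelopes are
constructed placeholders.
"""
import json
from enum import Enum
from typing import Any, Dict, Tuple
from urllib.parse import urlencode


class Outcome(Enum):
    SUCCESS = "success"
    FAILURE = "failure"
    TIMEOUT = "timeout"


def build_url(resource: str, params: Dict[str, str], sync: bool = True,
              host: str = "test.api.gatech.edu") -> str:
    """Build a request URL. api_request_mode=sync asks for a synchronous
    answer; leaving it off keeps the default async mode. The app credential
    is sent separately by the caller (its parameter name is not on the slide)."""
    query = dict(params)
    if sync:
        query["api_request_mode"] = "sync"
    return f"https://{host}/{resource.strip('/')}?{urlencode(query)}"


def classify(envelope: Dict[str, Any]) -> Tuple[Outcome, Any]:
    """Apply the slide's rule to the envelope:
    api_error_info -> failure, api_result_data -> success, neither -> timeout.
    Error is checked first so a partial result never masks a reported error
    (a defensive choice made here, not documented broker behaviour)."""
    if "api_error_info" in envelope:
        return Outcome.FAILURE, envelope["api_error_info"]
    if "api_result_data" in envelope:
        return Outcome.SUCCESS, envelope["api_result_data"]
    return Outcome.TIMEOUT, None


def user_facing_message(envelope: Dict[str, Any]) -> str:
    """Reduce the envelope to something safe to show an end user: the outcome
    and, on failure, only the error's message. Backend info and logs in the
    envelope stay server-side for operators."""
    outcome, payload = classify(envelope)
    if outcome is Outcome.FAILURE:
        msg = payload.get("message", "request failed") if isinstance(payload, dict) else str(payload)
        return f"failure: {msg}"
    if outcome is Outcome.TIMEOUT:
        return "timeout: result not ready; retry or use async mode"
    return "success"


# Constructed envelopes in the shape the slide describes: request info,
# backend info and logs, then the result (or neither key, on timeout).
SAMPLE_SUCCESS = json.loads('''{
  "api_request_info": {"resource": "example/person-lookup", "mode": "sync"},
  "api_backend_info": {"provider": "example-provider", "logs": ["lookup ok"]},
  "api_result_data": {"uid": "alice3", "gtAccountCategory": ["overall-primary-account"]}
}''')
SAMPLE_FAILURE = json.loads('''{
  "api_request_info": {"resource": "example/person-lookup", "mode": "sync"},
  "api_backend_info": {"provider": "example-provider", "logs": ["ldap bind timed out"]},
  "api_error_info": {"message": "backend unavailable", "code": 503}
}''')
SAMPLE_TIMEOUT = json.loads('''{
  "api_request_info": {"resource": "example/person-lookup", "mode": "sync"},
  "api_backend_info": {"provider": "example-provider", "logs": []}
}''')

if __name__ == "__main__":
    print(build_url("example/person-lookup", {"uid": "alice3"}))
    for env in (SAMPLE_SUCCESS, SAMPLE_FAILURE, SAMPLE_TIMEOUT):
        print(classify(env)[0].value, "->", user_facing_message(env))
```

The timeout branch matters in practice: a sync request that outlives the broker's patience comes back with neither result key, and a client that treats "no error" as success will silently act on an empty result. Treating that case as a distinct outcome, and retrying or falling back to async mode, is the safe reading of the slide.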

  18. BuzzApi: Questions
     • Docs: https://svn.oit.gatech.edu/gted/gt-iam/gt-messaging-api/trunk/docs/
     • Doc for client: Buzzapi-AccessingResources
