...
- Privileges can be granted to Groups rather than just individuals.
- Great data model
- Easy to use Java API
- Grouper web service API is adequate
- Open source, free
- Can be extended to include resources in the Authz model (i.e. does user X have access to function y over objects 1, 2 and 3 within limits a, b, c, etc.)
- You can delegate administration of subtrees of groups and privileges to different people (however, the technical way of doing this is limited; see cons below regarding no GUI)
- An audit trail history is kept for actions of assigning privileges in Signet
- You can model multiple hierarchies/scopes as subtrees in Signet
- They have plugins to provision an LDAP repository with privileges and groups
...
- Can a user extend Group-inherited privileges?
- How could this integrate with SAML / Shibboleth?
- Are audit logs purely a transaction log? Could you easily derive what person X had on date Y?