Child pages
  • Grouper Face to Face Meeting 01-Oct-2012
Skip to end of metadata
Go to start of metadata

Minutes, Grouper Working Group Face-to-Face

at 2012 Internet2 Fall Member Meeting in Philadelphia

Monday, 1-Oct-2012

Tom Barton, Chair of Grouper Working Group, welcomed the group.

Recent Developments

- Grouper 2.1.2 release is coming soon.

- Grouper Online Training is now available at
- Tom Zeller, Grouper developer for past few years, has left the Grouper development team.
- Thanks to TomZ for his contributions, including in the area of provisioning of Grouper data
- New Grouper developer sought

Introduction to Grouper

See Tom Barton's slides including a brief Intro to Grouper:

- Grouper started out focusing on groups
- included features many Security and Delegation features
- Grouper has expanded into other kinds of privilege management areas
 - including roles and permissions
- there is an attribute framework, a metadata management capability
- permission can be delegated for distributed administration across campus

- Simple delegation example from University of Chicago and VPN
(see slide #7)
- Central IT runs the basic infrastructure and delegates out authority

Discussion on Delegated Authority

Q: How are other campuses approaching delegated authority use cases?

Stanford has a homegrown system
- is looking at/ learning from Grouper

CMU is using a homegrown system
- has an active Grouper deployment project

Northwestern has customized their commercial IDM system
will be looking at new approaches
either Grouper + new IdMS system
or just a new IdMS system

- homegrown solution at USC
- issue: there are apps that don't want to externalize the authorization decision
- these applications say "give us everyone/let everyone have access and we'll decide who should get access"
- perpetual thorn

- some of the apps that are worst at externalizing authorization are the systems of record

- True that many applications do not allow externalized authorization
- But  U. Chicago has found that there are many potential applications where there is a win

-SP manager's perspective
- much of the info that applications receive is not granular enough
- want to have trust relationship about what roles an individual has
- would like an Open API

Indiana U:
- if a vendor or service does not want to integrate,
- just go on to another vendor  or service

- one of the push-backs in talking about Grouper is that
- the users want to stay in the environment they are operating in
- trying to create a way to compose UIs in some way so you can plug into Grouper
- would be good to have Grouper support for web widgets "WC3 Web Components"
- ScottyL, Stanford, may be a resource on this topic

- other organizations, with a focus on supporting researchers, echo this need

University of California
- starting to bring up Grouper at UC
- each campus has doc on delegated admin
- request for better Grouper doc on delegated administration models

LIGO project
- we are refactoring Grouper
- would like to have a different group structure than the one set up initially
- want to separate the organizational chart part of Grouper
- interested in best practices documentation and templates

Q: Could LIGO and UC share their experiences for future Grouper deployers?
A: Yes, with coordination from the Grouper project

Naming convention documentation currently on the wiki:

- See wiki page on group and folder design ideas:

- See training video that talks about folder structure:


Grouper UI

Grouper Version 2.2 will focus on the UI
- Currently Grouper has an admin UI and also has Lite (single purpose) UIs
- We have engaged a user experience expert from University of Chicago to help with the new Grouper UI


Grouper Deployment at NYU

Gary Chapman:
- NYU is still fairly early in Grouper deployment
- lots of groups being created in a production environment
- feed class info from SIS system is being moved into Grouper in an automated way
-  feeding things off to LDAP

- scaling up
- controlling permissions across Grouper and LDAP
- want people to see things on a "need to know" basis
- have some performance and scalability concerns

- NYU is re-architecting IdM applications
- how does Grouper fit with new and better registry and with NYU's new provisioning tool?
- how do the various pieces of architecture integrate with each other?

Pennsylvania State University has similar size
- TomZ worked closely with PSU staff and reduced provisioning time

Grouper at Duke

Shilen Patel
- Presented on and AD use case at 2010 Internet2 Fall member meeting session called
- "Delegated Access Control in AD Using Grouper"
- See those slides at:

Use case summary:
- enhanced the AD delegation
- Duke previously had a Novel environment
- needed to get IdM info into the central AD without removing the established authority
- IT administrators across the campus must manage objects in the AD
- these objects are sometimes users in their dept but sometimes in other depts.
- sometimes must create objects for non-Duke students
- The model is that not all attributes are to be maintained by central IDM
- departments themselves will manage (and delegate access for) those attributes that only that dept needs
- used Grouper to manage permissions
- fine-grained permissions in Grouper can sync into AD
- Duke created a UI around this to allow managers to delegate the permissions

results/progress to date:
- has been in production for about a year
- positive results
- about 1,000 individual permissions have been created by managers
- used by about 10 depts
- have gone thru two internal audits and the auditors liked the solution
- because with Grouper's auditing capabilities you can know who had access to what and when

- IT administrators no longer have domain access rights
- instead, managers can delegate access
- permissions are role based
- so a user loses permissions when he leaves the university
- this reduces the IT staff's load

Q: How much time went into the custom UI  at Duke?

A: Shilen:
-took a week or so
-this custom UI was developed before Grouper had a UI to manage permissions
- might not need to do this custom work today

Rob Carter did work of looking at the empty security descriptor attribute and figuring out what to put in there

- takes the security descriptor, decodes it, brings it into a java context, makes changes, and puts it back out
- Rob is willing to share the Java code for this work
- it is not well documented, but Rob can explain it
- TomB: we might want to share that work done by Rob more broadly


Q: is Kill - 9 the only method to start and stop Grouper?

A: Chris: we have been talking about moving the loader into the web service or some web application so you could control it like Tomcat.

Chris: On the wiki for the managing UNIX permissions w Grouper
there is a UNIX service wrapper
so can use service start and service stop

Q: Is configuration externalization on the road map

A: Yes, this is addressed in Grouper 2.2



Grouper website:
Grouper wiki:

Please share your Grouper story and documents on the Grouper Community Contributions page at:

Other Grouper Resources from Fall Member Meeting and Advance CAMP:

Fall Member Meeting Session on
 "Grouper After Groups - Enabling NET+ Services with PAP, PEP and PDP, Oh My!,"

Advance CAMP session on "Transitioning From a Homegrown Approach to Grouper"

  • No labels