Minutes, Grouper Working Group Face-to-Face
at 2012 Internet2 Fall Member Meeting in Philadelphia
Tom Barton, Chair of Grouper Working Group, welcomed the group.
- Grouper 2.1.2 release is coming soon.
- Grouper Online Training is now available at https://spaces.internet2.edu/display/groupertrain/Grouper+Training
- Tom Zeller, Grouper developer for past few years, has left the Grouper development team.
- Thanks to TomZ for his contributions, including in the area of provisioning of Grouper data
- New Grouper developer sought
Introduction to Grouper
See Tom Barton's slides, including a brief intro to Grouper: http://www.internet2.edu/presentations/fall12/20121001-barton-grouperwg.pdf
- Grouper started out focusing on groups
- included many security and delegation features
- Grouper has expanded into other kinds of privilege management areas
- including roles and permissions
- there is an attribute framework, a metadata management capability
- permission can be delegated for distributed administration across campus
- Simple delegation example from University of Chicago and VPN: http://www.internet2.edu/presentations/fall12/20121001-barton-grouperwg.pdf (see slide #7)
- Central IT runs the basic infrastructure and delegates out authority
Discussion on Delegated Authority
Q: How are other campuses approaching delegated authority use cases?
Stanford has a homegrown system
- is looking at / learning from Grouper
CMU is using a homegrown system
- has an active Grouper deployment project
Northwestern has customized their commercial IDM system
- will be looking at new approaches
- either Grouper + a new IdMS system
- or just a new IdMS system
- homegrown solution at USC
- issue: there are apps that don't want to externalize the authorization decision
- these applications say "give us everyone/let everyone have access and we'll decide who should get access"
- a perpetual thorn
- some of the apps that are worst at externalizing authorization are the systems of record
- True that many applications do not allow externalized authorization
- But U. Chicago has found that there are many potential applications where there is a win
- SP manager's perspective
- much of the info that applications receive is not granular enough
- want to have trust relationship about what roles an individual has
- would like an Open API
- if a vendor or service does not want to integrate,
- just go on to another vendor or service
- one of the push-backs in talking about Grouper is that
- the users want to stay in the environment they are operating in
- trying to create a way to compose UIs so you can plug into Grouper
- would be good to have Grouper support for web widgets ("W3C Web Components")
- ScottyL, Stanford, may be a resource on this topic
- other organizations, with a focus on supporting researchers, echo this need
University of California
- starting to bring up Grouper at UC
- each campus has doc on delegated admin
- request for better Grouper doc on delegated administration models
- we are refactoring Grouper
- would like to have a different group structure than the one set up initially
- want to separate the organizational chart part of Grouper
- interested in best practices documentation and templates
Q: Could LIGO and UC share their experiences for future Grouper deployers?
A: Yes, with coordination from the Grouper project
Naming convention documentation currently on the wiki:
- See wiki page on group and folder design ideas: https://spaces.internet2.edu/display/Grouper/Group+and+folder+design+ideas
- See training video that talks about folder structure: http://www.youtube.com/watch?v=pbPxO227f0c
Grouper Version 2.2 will focus on the UI
- Currently Grouper has an admin UI and also has Lite (single purpose) UIs
- We have engaged a user experience expert from University of Chicago to help with the new Grouper UI
Grouper Deployment at NYU
- NYU is still fairly early in Grouper deployment
- lots of groups being created in a production environment
- class info from the SIS system is being fed into Grouper in an automated way
- feeding things off to LDAP
- scaling up
- controlling permissions across Grouper and LDAP
- want people to see things on a "need to know" basis
- have some performance and scalability concerns
- NYU is re-architecting IdM applications
- how does Grouper fit with new and better registry and with NYU's new provisioning tool?
- how do the various pieces of architecture integrate with each other?
Pennsylvania State University is of similar size
- TomZ worked closely with PSU staff and reduced provisioning time
Grouper at Duke
- Presented on an AD use case at the 2010 Internet2 Fall Member Meeting session called
- "Delegated Access Control in AD Using Grouper"
- See those slides at: http://www.internet2.edu/presentations/fall10/20101102-ad_grouper-carter.pdf
Use case summary:
- enhanced the AD delegation
- Duke previously had a Novell environment
- needed to get IdM info into the central AD without removing the established authority
- IT administrators across the campus must manage objects in the AD
- these objects are sometimes users in their dept but sometimes in other depts.
- sometimes must create objects for non-Duke students
- The model is that not all attributes are to be maintained by central IDM
- departments themselves will manage (and delegate access for) those attributes that only that dept needs
- used Grouper to manage permissions
- fine-grained permissions in Grouper can sync into AD
- Duke created a UI around this to allow managers to delegate the permissions
results/progress to date:
- has been in production for about a year
- positive results
- about 1,000 individual permissions have been created by managers
- used by about 10 depts
- have gone through two internal audits and the auditors liked the solution
- because with Grouper's auditing capabilities you can know who had access to what and when
- IT administrators no longer have domain access rights
- instead, managers can delegate access
- permissions are role based
- so a user loses permissions when they leave the university
- this reduces the IT staff's load
Q: How much time went into the custom UI at Duke?
- took a week or so
- this custom UI was developed before Grouper had a UI to manage permissions
- might not need to do this custom work today
Rob Carter did the work of examining the empty security descriptor attribute and figuring out what to put in it
- takes the security descriptor, decodes it, brings it into a Java context, makes changes, and writes it back out
- Rob is willing to share the Java code for this work
- it is not well documented, but Rob can explain it
- TomB: we might want to share that work done by Rob more broadly
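As an added illustration of the decode / modify / re-encode step described above (this is not Rob Carter's Java code and not part of the Grouper project), the following Python parses the DACL of a self-relative Windows security descriptor, appends an access-allowed ACE and re-encodes it; SIDs and access masks are constructed sample values, and the owner, group and SACL fields are left empty.

```python
import struct
# Constants from the Windows SECURITY_DESCRIPTOR / ACL / ACE wire formats (MS-DTYP).
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
SD_HEADER_LEN, ACL_HEADER_LEN = 20, 8

def build_sid(sub_auths):
    # Revision 1, NT authority (5, six bytes big-endian), then 32-bit LE sub-authorities
    head = struct.pack("<BB6s", 1, len(sub_auths), (5).to_bytes(6, "big"))
    return head + b"".join(struct.pack("<I", s) for s in sub_auths)

def build_ace(ace_type, mask, sid):
    body = struct.pack("<I", mask) + sid
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body   # AceFlags = 0

def build_sd(aces):
    body = b"".join(aces)
    acl = struct.pack("<BBHHH", 2, 0, ACL_HEADER_LEN + len(body), len(aces), 0) + body
    # Owner, group and SACL omitted (offset 0); the DACL directly follows the header
    control = SE_DACL_PRESENT | SE_SELF_RELATIVE
    return struct.pack("<BBHIIII", 1, 0, control, 0, 0, 0, SD_HEADER_LEN) + acl

def parse_sid(buf, off):
    rev, count = buf[off], buf[off + 1]
    ident = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, ident, "-".join(map(str, subs)))

def parse_dacl(sd):
    """Return [(ace_type, mask, sid_string, raw_ace_bytes)] for the DACL, or [] if absent."""
    _, _, control, _, _, _, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not (control & SE_DACL_PRESENT) or o_dacl == 0:
        return []                                   # the "empty descriptor" case
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, o_dacl)
    aces, off = [], o_dacl + ACL_HEADER_LEN
    for _ in range(ace_count):
        ace_type, _, size = struct.unpack_from("<BBH", sd, off)
        mask, = struct.unpack_from("<I", sd, off + 4)
        aces.append((ace_type, mask, parse_sid(sd, off + 8), sd[off:off + size]))
        off += size                                 # AceSize spans header, mask and SID
    return aces

def grant(sd, mask, sub_auths):
    """Decode, append an ACCESS_ALLOWED ACE for the given SID, and re-encode."""
    raw = [a[3] for a in parse_dacl(sd)]
    return build_sd(raw + [build_ace(ACCESS_ALLOWED_ACE_TYPE, mask, build_sid(sub_auths))])

# Constructed sample descriptor: one read grant for a made-up domain SID.
SAMPLE_SD = build_sd([build_ace(ACCESS_ALLOWED_ACE_TYPE, GENERIC_READ,
                                build_sid([21, 1, 2, 3, 1001]))])
```

A real AD object's nTSecurityDescriptor also carries owner, group and object-specific ACE types, which this parser does not handle.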
Q: Is kill -9 the only method to start and stop Grouper?
A: Chris: We have been talking about moving the loader into the web service or some web application so you could control it like Tomcat.
Chris: On the wiki page for managing UNIX permissions with Grouper there is a UNIX service wrapper, so you can use service start and service stop.
Q: Is configuration externalization on the road map?
A: Yes, this is addressed in Grouper 2.2: https://spaces.internet2.edu/display/Grouper/Grouper+configuration+overlay
Grouper website: http://www.internet2.edu/grouper/
Grouper wiki: https://spaces.internet2.edu/display/Grouper/Grouper+Wiki+Home
Please share your Grouper story and documents on the Grouper Community Contributions page at: https://spaces.internet2.edu/display/Grouper/Community+Contributions
Other Grouper Resources from Fall Member Meeting and Advance CAMP:
- Fall Member Meeting session on "Grouper After Groups - Enabling NET+ Services with PAP, PEP and PDP, Oh My!"
- Advance CAMP session on "Transitioning From a Homegrown Approach to Grouper"