Grouper Working Group Face-to-Face Session
Internet2 Spring Member Meeting, Arlington, VA
Tom Barton, working group chair, welcomed the attendees.
- Internet2 Intellectual Property Rights
- Agenda bash, topics of interest
- Duke: Delegating AD directory administration with grouper (Rob Carter, Shilen Patel)
- What's new in Grouper v1.6 (Chris Hyzer, Tom Zeller)
- Roadmap (Tom Barton)
Topics suggested by attendees:
- Globally unique group identifiers
- Permissions mgmt
Delegating AD Directory Administration with Grouper
Shilen Patel and Rob Carter presented a Duke use case on using Grouper to manage Active Directory permissions. The use case involved:
- Big Picture: Duke has a campus-wide Active Directory forest into which departmental administrators wish to migrate departmental forest assets and ZenWorks assets
- There are IdM-maintained user identities with "mix-ins" by departments
- There are departmentally-maintained resources and ad hoc affiliates
- It's important to be able to provision high privilege for admins and managers and constrained privileges for users
- In Grouper, Duke implemented some global groups (maintained by IT) and some department-specific groups (maintained at the department level)
- Developed resources to map Active Directory Organizational Units (OUs) permissions into Grouper permissionSets
- The Grouper "Actions qualifier" was used.
- Managers can modify permissions on their OUs.
- Includes and Excludes are used where there is a need to provision access to someone outside of the group.
Shilen and Rob successfully walked through a demo in their test environment.
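As an added illustration (not Duke's or Grouper's own code), the following Python model captures the design described above: OUs as permission resources, an action qualifier on each grant, role groups adjusted by includes and excludes, and the rule that only a manager of an OU may change that OU's permissions. Group names, subjects and the OU are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    """A role group: direct members adjusted by includes and excludes."""
    name: str
    members: set = field(default_factory=set)
    includes: set = field(default_factory=set)  # affiliates outside the group
    excludes: set = field(default_factory=set)  # members who must not get access

    def effective_members(self):
        return (self.members | self.includes) - self.excludes

class OUPermissionSet:
    """Permissions on AD OUs keyed by (action, ou); the action qualifies the grant."""
    def __init__(self, roles):
        self.roles = {r.name: r for r in roles}
        self.grants = {}       # (action, ou) -> role names holding the permission
        self.managers = {}     # ou -> role whose members may edit that OU's grants

    def can_modify(self, actor, ou):
        """actor=None stands for central IT; anyone else must manage this OU."""
        mgr = self.managers.get(ou)
        return actor is None or bool(mgr and actor in self.roles[mgr].effective_members())

    def assign(self, actor, role_name, action, ou):
        if not self.can_modify(actor, ou):
            raise PermissionError(f"{actor} may not modify permissions on {ou}")
        self.grants.setdefault((action, ou), set()).add(role_name)

    def allowed(self, subject, action, ou):
        return any(subject in self.roles[r].effective_members()
                   for r in self.grants.get((action, ou), ()))

CHEM_OU = "OU=Chemistry,DC=example,DC=edu"   # constructed placeholder OU

def build_sample():
    """Constructed sample data, not Duke's actual groups."""
    roles = [Role("it:ad:admins", members={"alice"}),
             Role("dept:chem:managers", members={"bob"}),
             Role("dept:chem:users", members={"bob", "carol", "dave"},
                  includes={"erin"}, excludes={"dave"})]
    ps = OUPermissionSet(roles)
    ps.managers[CHEM_OU] = "dept:chem:managers"
    ps.assign(None, "it:ad:admins", "admin", CHEM_OU)        # central IT grant
    ps.assign("bob", "dept:chem:users", "read", CHEM_OU)     # departmental manager grant
    return ps

if __name__ == "__main__":
    ps = build_sample()
    for who in ("alice", "carol", "erin", "dave"):
        print(who, sorted(a for a, ou in ps.grants if ps.allowed(who, a, ou)))
```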
Q: How would you handle groups already established in Active Directory OUs that you want to import into Grouper?
A: This has not yet been built. In the future, we would like to be able to consume groups out of Active Directory into Grouper.
It was commented that Northwestern University has some similar challenges to Duke, with 20+ Active Directory forests.
What's New in Grouper 1.6
New Features in Grouper 1.6 include:
- XMPP Integration (messaging for "real time" updates)
- Kuali Rice Integration
  - richer group model
  - allows addition of workflow to Grouper
- Quickstart integration to Identity Management
- SQL server support
- Flattened memberships
- Virtual subject attributes
- Read-only mode for Grouper (for upgrades and data migrations)
- New import/export
- Web Services Enhancements
- new central permissions management module
  - can assign or unassign attributes and permissions
- UI Enhancements
- Grouper ESB Connector (contributed by Cardiff University)
  - Cardiff use case involves using Mule and Drools
  - Events are synchronized between Grouper and LDAP (or other systems) via the ESB
  - Events are packaged as JSON and dispatched over the appropriate interface - HTTP(S) or XMPP
  - The interface is defined in grouper-loader.properties
- accepts input from Grouper or from Shib Data Connector
- input passes through the Shibboleth Attribute Resolver
- features a generic LDAP
- uses SPML to write to target
- target can be LDAP or RDBMS
- currently in batch mode; in future it will be real-time web service
- U. Memphis will be an early user
Presentation slides: http://www.internet2.edu/presentations/spring10/20100426-grouper-Zeller.pdf
Q: What was the problem we were trying to solve with the new Grouper permissions capabilities?
A: As one example, there is a use case at U. Chicago. There will be a portlet that allows people to view billing statements -- the ability to view will be scoped by where someone is in the accounting authority hierarchy.
Q: Are any organizations currently using Grouper to define their assets?
A: That is planned down the road.
Chris Hyzer presented several demos illustrating new features in Grouper 1.6: