University of Colorado Boulder presented a lightning talk at the 2015 Internet2 Technology Exchange on Grouper and Exchange / Office 365. See slides here (PDF format).
CU Boulder migrated from on-premise Exchange to Office 365 (O365) in June 2015. Here is a quick overview of the Active Directory environment relevant to Exchange and groups:
Overall, for our Grouper environment, we opted not to use the PSP that came with Grouper. Instead, we implemented a solution built on a messaging bus, from which connectors could be developed to provision to our resources.
Grouper Setup
For an overview of our Grouper setup, please refer to slides 3 and 5 of this presentation.
The details of getting distribution list management handled through Grouper are explained in the following sections. The tasks split into two major categories: the initial bulk load and the ongoing day-to-day work after the bulk load.
Explicit Paths
Most of our mail distribution list groups were also used as access/security groups. There were instances where some applications may have had explicit paths hard-coded to reference a group. These applications are almost impossible to identify up front and would usually break once the group moved. Luckily for us, there were just a few instances of those, and the application owners notified us quickly.
First, establish a Grouper root session, set up some variables for the access privileges, and create the necessary stem structure:
GrouperSession.startRootSession();
readers = AccessPrivilege.READ;
updaters = AccessPrivilege.UPDATE;
admins = AccessPrivilege.ADMIN;
viewers = AccessPrivilege.VIEW;
optins = AccessPrivilege.OPTIN;
optouts = AccessPrivilege.OPTOUT;
addRootStem("myRootStem","myRootStem");
addStem("myRootStem","Messaging");
addStem("myRootStem:Messaging","Office365");
Then, the commands convert the AD DNs to Grouper paths, create all the groups, and set each group's type to IncludeExclude:
addGroup("myRootStem:Messaging:Office365","myTestDL1","myTestDL1");
groupAddType("myRootStem:Messaging:Office365:myTestDL1", "addIncludeExclude");
addGroup("myRootStem:Messaging:Office365","myTestDL2","myTestDL2");
groupAddType("myRootStem:Messaging:Office365:myTestDL2", "addIncludeExclude");
......
For every group, another group is created and named "groupName_GROUP-ADMINS", e.g. MyTestGroup1234_GROUP-ADMINS.
addGroup("myRootStem:Messaging:Office365","myTestDL1_GROUP-ADMINS", "myTestDL1_GROUP-ADMINS");
addGroup("myRootStem:Messaging:Office365","myTestDL2_GROUP-ADMINS", "myTestDL2_GROUP-ADMINS");
......
For every group, the "groupName_GROUP-ADMINS" group is given the "READ" and "UPDATE" privileges. Since the groups are of type "IncludeExclude", the privileges are assigned to the overall group as well as to the component groups that make it up:
grantPriv("myRootStem:Messaging:Office365:myTestDL1", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", readers);
grantPriv("myRootStem:Messaging:Office365:myTestDL1", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", updaters);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_includes", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", readers);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_includes", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", updaters);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_excludes", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", readers);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_excludes", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", updaters);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_systemOfRecord", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", readers);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_systemOfRecord", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", updaters);
.....
For every "groupName_GROUP-ADMINS" group, its members are given "READ" and "UPDATE" privileges on that group itself, i.e. the members of groupName_GROUP-ADMINS can read and update the membership of the admin group itself:
grantPriv("myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", readers);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", "myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", updaters);
.....
For every group, OIT's Messaging and Collaboration team (M&C) group is given "ADMIN" privileges:
grantPriv("myRootStem:Messaging:Office365:myTestDL1", "myRootStem:Messaging:OIT-MC-GROUPERADMINS", admins);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_includes", "myRootStem:Messaging:OIT-MC-GROUPERADMINS", admins);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_excludes", "myRootStem:Messaging:OIT-MC-GROUPERADMINS", admins);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_systemOfRecord", "myRootStem:Messaging:OIT-MC-GROUPERADMINS", admins);
grantPriv("myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", "myRootStem:Messaging:OIT-MC-GROUPERADMINS", admins);
.....
For every group, the members (subjects) are added one at a time to the "groupName_includes" group:
addMember("myRootStem:Messaging:Office365:myTestDL1_includes", "testaccount1");
addMember("myRootStem:Messaging:Office365:myTestDL1_includes", "testaccount2");
.....
For every "groupName_GROUP-ADMINS" group, the admin members (subjects) are added one at a time:
addMember("myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", "testmanageraccount1");
addMember("myRootStem:Messaging:Office365:myTestDL1_GROUP-ADMINS", "testmanageraccount2");
.....
The actual initial load was then performed with:
$GROUPER_HOME/bin/gsh.sh /path/to/file_containing_all_gsh_commands.gsh
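As an added example, not CU Boulder's own tooling, here is a small Python generator that produces the gsh bulk-load script described in the steps above from a list of AD distribution-list DNs, plus a pre-flight check that the only ADMIN grants in the generated script go to the M&C team group. It assumes a DN-to-path rule the page does not state (the DN's CN becomes the group extension under the Office365 stem); the stem, group and account names are the page's sample values and the input dictionary is constructed.

```python
# Added example (not CU Boulder's own tooling): emit the gsh bulk-load script
# described above from AD distribution-list DNs, then sanity-check the grants.
STEM = "myRootStem:Messaging:Office365"
MC_ADMINS = "myRootStem:Messaging:OIT-MC-GROUPERADMINS"  # the M&C team group on the page
SUBGROUPS = ("_includes", "_excludes", "_systemOfRecord")  # parts of an IncludeExclude group

SAMPLE_DLS = {  # constructed sample input: AD DN -> (members, admin members)
    "CN=myTestDL1,OU=DistributionLists,DC=example,DC=edu":
        (["testaccount1", "testaccount2"], ["testmanageraccount1"]),
}

def dn_to_group(dn):
    """Map an AD DN to a Grouper path. Assumption (the page does not give its
    rule): the DN's CN becomes the group extension under STEM."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return f"{STEM}:{value}"
    raise ValueError(f"no CN in DN: {dn}")

def gsh_for_group(dn, members, owners):
    g = dn_to_group(dn)
    ext = g.rsplit(":", 1)[1]
    ga = f"{g}_GROUP-ADMINS"
    lines = [f'addGroup("{STEM}","{ext}","{ext}");',
             f'groupAddType("{g}", "addIncludeExclude");',
             f'addGroup("{STEM}","{ext}_GROUP-ADMINS","{ext}_GROUP-ADMINS");']
    parts = [g] + [g + s for s in SUBGROUPS]
    # Delegated admins get READ/UPDATE on the group, its component groups and the
    # admin group itself: membership management, not ADMIN (no delete/privilege rights).
    for target in parts + [ga]:
        lines += [f'grantPriv("{target}", "{ga}", readers);',
                  f'grantPriv("{target}", "{ga}", updaters);']
    # Only the M&C team group gets ADMIN, on every group in the set.
    lines += [f'grantPriv("{t}", "{MC_ADMINS}", admins);' for t in parts + [ga]]
    lines += [f'addMember("{g}_includes", "{m}");' for m in members]
    lines += [f'addMember("{ga}", "{a}");' for a in owners]
    return lines

def build_script(dls):
    header = ["GrouperSession.startRootSession();", "readers = AccessPrivilege.READ;",
              "updaters = AccessPrivilege.UPDATE;", "admins = AccessPrivilege.ADMIN;",
              'addRootStem("myRootStem","myRootStem");', 'addStem("myRootStem","Messaging");',
              'addStem("myRootStem:Messaging","Office365");']
    return header + [l for dn, (m, o) in dls.items() for l in gsh_for_group(dn, m, o)]

def only_mc_has_admin(lines):
    """Pre-flight check before gsh runs: every ADMIN grant goes to the M&C group."""
    return all(f'"{MC_ADMINS}", admins' in l for l in lines if l.endswith(", admins);"))
```

Write the output of build_script() to a .gsh file and run it with gsh.sh as above; run only_mc_has_admin() on the lines first so a stray ADMIN grant to a delegated admin group is caught before the load.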
See Also
https://oit.colorado.edu/services/identity-access-management/enterprise-access-management