Grouper Provisioning Plugin

The Grouper Provisioning Plugin provisions groups and memberships in groups to an Internet2 Grouper instance using the Grouper web services interface.

Operations

| Registry CO Person Transaction | Grouper Action |
| --- | --- |
| Add | None |
| Edit | Synchronize CO Person CO Group memberships with Grouper |
| Enter Grace Period | None |
| Expiration / Becomes Inactive | Synchronize CO Person CO Group memberships with Grouper |
| Unexpire / Becomes Active | Synchronize CO Person CO Group memberships with Grouper |
| Delete | De-provision CO Person CO Group memberships from Grouper |
| Manual Provision | Synchronize CO Person CO Group memberships with Grouper |
| Petition Provision | Provision CO Person CO Group memberships to Grouper |
| Pipeline Provision | Provision CO Person CO Group memberships to Grouper |

| Registry CO Group Transaction | Grouper Action |
| --- | --- |
| Add | Provision CO Group record (including memberships) to Grouper |
| Edit | Provision CO Group record (including memberships) to Grouper |
| Delete | Delete CO Group record (and memberships) from Grouper |
| Manual Provision | Provision CO Group record (including memberships) to Grouper |

Provisioning of groups from Registry into Grouper is per CO with all groups for a CO provisioned under a single (configurable) stem or folder in Grouper. All groups in Registry, with the exception of the 'admin' and 'members' groups for COUs, are provisioned directly under the configured stem or folder for the CO. The 'admin' and 'members' groups for COUs are provisioned into a stem or folder hierarchy that mirrors the COU parent-child relationship (if any) in Registry.


How the Grouper Provisioner chooses and provisions the identifier for Grouper to use for the subject (i.e., the user or member) has changed as of version 1.1.0 of COmanage Registry. A legacy mode configuration is available for deployments that wish to upgrade to version 1.1.0 without changing the Grouper Provisioner configuration, but the legacy mode is deprecated and will be removed in a later release. Please see the documentation on configuration and consult with the COmanage developers if you have questions.

If you plan for users to access the Grouper UI and for that access to be managed using COmanage Registry, we recommend you create a CO unique identifier and use it as the expected identifier that the Grouper UI will see and map to subjects (Grouper users).

A change in the COU hierarchy in Registry, such as changing a parent-child COU relationship or deleting a COU parent, will not be reflected in Grouper. At this time the Grouper web services component does not support moving stems or folders. A request to the Grouper team to implement such a feature for the web services component has been made (CO-1043). We do not recommend changing the COU parent-child relationships once established when using the Grouper Provisioner. Renaming COUs and deleting COUs (with no children or roles) is supported.
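The stem layout described above, and the drift that a COU hierarchy change leaves behind, can be checked with a short script. This is an added example, not code from the plugin or from COmanage. It assumes a base stem called `comanage:demo-co`, that the 'admin' and 'members' groups sit directly under each COU's stem, and that the list of names currently in Grouper has been obtained separately.

```python
# Added illustration, not the plugin's code. The stem name, the leaf names
# and the sample hierarchy below are assumptions constructed for this example.
SEP = ":"  # Grouper separates stem/folder path elements with a colon


def cou_stem(base_stem, cou, parents):
    """Stem for a COU: the base stem plus the COU's ancestor chain, root first."""
    chain, seen, node = [], set(), cou
    while node is not None:
        if node in seen:
            raise ValueError(f"cycle in COU hierarchy at {node!r}")
        seen.add(node)
        chain.append(node)
        node = parents.get(node)
    return SEP.join([base_stem] + chain[::-1])


def expected_names(base_stem, plain_groups, parents):
    """Group names implied by the Registry state of one CO."""
    # Ordinary groups go directly under the configured stem.
    names = {SEP.join([base_stem, group]) for group in plain_groups}
    # COU 'admin' and 'members' groups follow the COU parent-child hierarchy.
    for cou in parents:
        stem = cou_stem(base_stem, cou, parents)
        names.update({stem + SEP + "admin", stem + SEP + "members"})
    return names


def drift(expected, in_grouper):
    """Names on one side only; 'grouper_only' entries need manual review."""
    return {"expected_only": sorted(expected - in_grouper),
            "grouper_only": sorted(in_grouper - expected)}


# Constructed sample: the COU "Optics" is detached from its parent "Physics".
BASE = "comanage:demo-co"
PLAIN = ["researchers"]
PARENTS_BEFORE = {"Physics": None, "Optics": "Physics"}
PARENTS_AFTER = {"Physics": None, "Optics": None}


def demo():
    in_grouper = expected_names(BASE, PLAIN, PARENTS_BEFORE)  # state at provisioning time
    now_expected = expected_names(BASE, PLAIN, PARENTS_AFTER)  # Registry after the change
    return drift(now_expected, in_grouper)


if __name__ == "__main__":
    print(demo())
```

Names reported under `grouper_only` are groups left at the old location in Grouper; because stems cannot be moved through the web services, they have to be reviewed and cleaned up by hand.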

Configuration

We recommend that before configuring a Grouper Provisioner for a CO you have already enrolled or onboarded at least one user to create a CO Person record with an active status.

We include details for deploying Grouper itself. You may wish to skip some items below if you will be using a Grouper instance that is already deployed.

  1. Prepare your database for Grouper.
  2. Prepare Java.
  3. Prepare Apache HTTP Server.
  4. Prepare the Tomcat container.
  5. Prepare for Grouper installation.
  6. Install Grouper.
  7. Complete post configuration steps.
  8. Test the Grouper Shell GSH.
  9. Test the Grouper UI.
  10. Test the Grouper WS.
  11. Grant CREATE VIEW to Registry database user.
  12. Configure the Grouper Provisioner Plugin.
  13. Configure Grouper subject source.
  14. Initial Reconciliation and Testing.
  15. Configure SSO access to the Grouper UI for users.
  16. Configure Grouper PSP to provision to LDAP.