Grouper Pilot Use Case: VPN access group population
Employees at Lafayette are able to access the College's network remotely via VPN. Some contractors and students are also granted ad-hoc access based on work requirements, faculty sponsorship, etc.
Pre-Grouper Access Management for VPN Authorization
VPN access was controlled via LDAP group membership. Employee membership in this group was handled automatically by custom provisioning and deprovisioning processes. Temporary employees, contractors, and students were not covered by these processes, and those requests were routed through the College's IAM team within ITS.
Leveraging Grouper and Its Benefits for VPN Access Management
Lafayette College's IAM team created data-driven groups in Grouper. These groups are populated from the employee class codes maintained in Banner. The resulting reference groups are factors of a composite group, and that composite group is what provisions the LDAP group that controls VPN access.
Two additional ad-hoc groups, one for contractors and one for students, are also part of the pilot use case. These groups will eventually be managed by the end users who are authorized to grant VPN access to those cohorts.
Nothing changes in the way VPN authorization is enforced. Grouper writes memberships to the existing VPN LDAP group, and the VPN continues to check that group. The improvement is that the people who decide who gets access now control it directly in Grouper rather than routing every request through the IAM team.
Architecture
Grouper at Lafayette College is deployed as two components: the Grouper UI and the Grouper API (aka Grouper Daemon). The Grouper UI is deployed in a manner consistent with other web-based deployments at Lafayette. The Grouper API components require elevated access to alter LDAP data, so they are deployed in a hardened network. Banner reference data is exported to LDAP nightly, and the Grouper Loader service syncs that data into Grouper on a nightly schedule. A separate instance of the Grouper Shell runs as a change log consumer: it monitors membership changes in Grouper and reports them to an LDAP provisioning process. The LDAP provisioning process accumulates membership changes and writes them in batches to the Lafayette College LDAP DIT at 30 second intervals.
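The pipeline above (Banner class codes to reference groups, reference and ad-hoc groups to a composite, composite membership changes to a change log, change log to batched LDAP writes) can be modelled end to end. The following is an added example, not Lafayette's or Grouper's own code, and it does not use the Grouper API; it reproduces the logic in plain Python so the batching behaviour can be checked. The class codes (FT, FA, TP, ST), the uids, the ad-hoc group contents and the starting LDAP state are constructed sample data, not values from the page.

```python
"""Model of the VPN group pipeline: Banner class codes -> reference groups ->
composite -> change log events -> batched LDAP provisioning."""
from collections import OrderedDict

# Constructed sample of the nightly Banner export (uid -> employee class code).
# The class codes are hypothetical; Lafayette's real codes are not on the page.
BANNER_EXPORT = {
    "asmith": "FT",  # full-time staff (hypothetical code)
    "bjones": "FA",  # faculty (hypothetical code)
    "cdoe": "TP",    # temporary employee, not an employee class code
    "dlee": "ST",    # student
}
EMPLOYEE_CLASS_CODES = {"FT", "FA"}  # hypothetical: codes that confer employee status

# Ad-hoc groups, to be managed by authorized end users (constructed sample data).
ADHOC_CONTRACTORS = {"cdoe"}
ADHOC_STUDENTS = {"dlee"}


def load_reference_group(export, class_codes):
    """Loader job: a data-driven reference group holds every uid whose class code matches."""
    return frozenset(uid for uid, code in export.items() if code in class_codes)


def composite_membership(*factors):
    """Effective membership of a union composite. A Grouper composite has exactly two
    factors, so three groups are nested as (A union B) union C; the result is the same."""
    return frozenset().union(*factors)


def change_log_events(previous, current):
    """Membership changes Grouper records in its change log, as (uid, action) pairs."""
    events = [(uid, "add") for uid in sorted(current - previous)]
    events += [(uid, "delete") for uid in sorted(previous - current)]
    return events


class LdapProvisioner:
    """Accumulates change-log events between flushes and writes them to the LDAP
    group as one batch, the way the 30-second provisioning interval does."""

    def __init__(self, ldap_members):
        self.ldap_members = set(ldap_members)
        self.pending = OrderedDict()  # uid -> last action seen in this interval

    def consume(self, uid, action):
        if action not in ("add", "delete"):
            raise ValueError("unknown change log action: %r" % action)
        # A later event for the same uid supersedes an earlier one, so an add
        # followed by a delete inside one interval nets out to no LDAP write.
        self.pending[uid] = action

    def flush(self):
        """Compute the batch (adds, deletes) against current LDAP state, apply it,
        and return it. Writes that would be no-ops against LDAP are dropped."""
        adds = [u for u, a in self.pending.items()
                if a == "add" and u not in self.ldap_members]
        deletes = [u for u, a in self.pending.items()
                   if a == "delete" and u in self.ldap_members]
        self.pending.clear()
        self.ldap_members.update(adds)
        self.ldap_members.difference_update(deletes)
        return sorted(adds), sorted(deletes)


def run_pilot():
    """One nightly cycle: load, compose, diff, batch-provision. Returns the
    employee reference group, the composite membership, the LDAP batch written,
    and the final LDAP group membership."""
    employees = load_reference_group(BANNER_EXPORT, EMPLOYEE_CLASS_CODES)
    vpn = composite_membership(employees, ADHOC_CONTRACTORS, ADHOC_STUDENTS)
    # Constructed starting LDAP state: bjones is already present, zold has left.
    prov = LdapProvisioner({"bjones", "zold"})
    for uid, action in change_log_events(prov.ldap_members, vpn):
        prov.consume(uid, action)
    batch = prov.flush()
    return employees, vpn, batch, frozenset(prov.ldap_members)


if __name__ == "__main__":
    employees, vpn, batch, final = run_pilot()
    print("employees:", sorted(employees))
    print("vpn composite:", sorted(vpn))
    print("ldap batch (adds, deletes):", batch)
    print("ldap group now:", sorted(final))
```

The point worth checking in a real deployment is the coalescing in `consume`/`flush`: a uid added and removed within one provisioning interval must not reach LDAP as two modifies, and a change the LDAP group already reflects must not be re-sent. Both cases are exercised in the test below.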