
Lafayette College began the process (Oct. 2014) of a Grouper pilot using a test use case of VPN group management.

Grouper Pilot Use Case: VPN access group population

Employees at Lafayette are able to access the College's network remotely via VPN. Some contractors and students are also granted ad-hoc access based on work requirements, faculty sponsorship, etc.

Pre-Grouper Access Management for VPN Authorization

VPN access was controlled via LDAP group membership. Employee membership in this group was handled automatically by custom provisioning and deprovisioning processes. Temporary employees, contractors, and students were not covered by these processes, and those requests were routed through the College's IAM team within ITS.

Leveraging Grouper and Its Benefits for VPN Access Management

Lafayette College's IAM team created data-driven groups in Grouper. Those groups are populated based on employee class codes maintained in Banner. Those reference groups are included in a composite group, which in turn is used to provision the LDAP group that controls VPN access.

Two additional ad-hoc groups for contractors and students factored into the Grouper pilot use case. Those groups will eventually be managed by end users that are authorized to grant VPN access to those cohorts.

Nothing changed with respect to the way in which authorization to the VPN happens at a technical level: Grouper writes memberships to the VPN LDAP group, which is still used as the control group. A major improvement that Grouper brings to the process is that decision makers now have direct control over VPN access rather than having to route requests through the IAM team.

Architecture

Grouper at Lafayette College is deployed as two components: the Grouper UI and the Grouper API (also known as the Grouper Daemon). The Grouper UI is deployed in a manner consistent with other web-based deployments at Lafayette. The Grouper API components require elevated access to alter LDAP data, so they are deployed in a hardened network. Banner reference data is exported to LDAP nightly, and the Grouper Loader service syncs that data into Grouper on a nightly schedule. A separate instance of the Grouper Shell runs as a change log consumer: it monitors membership changes in Grouper and reports them to an LDAP provisioning process. The LDAP provisioning process accumulates membership changes and writes them in batches to the Lafayette College LDAP DIT at 30-second intervals.
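As an added illustration (not Lafayette's or Grouper's own code), the following Python models the flow described above: reference groups keyed by Banner class code, a union composite that yields the VPN membership, and a change log consumer that accumulates adds and deletes and flushes them as one LDAP modify per interval. The group names, class codes, uids and group DN are constructed placeholders, and the "LDAP group" is an in-memory set rather than a real directory.

```python
from collections import defaultdict

# Constructed Banner class-code export (uid, class code), as the Grouper Loader would read it.
BANNER_EXPORT = [("alice", "E1"), ("bob", "E2"), ("carol", "S1"), ("dave", "E1")]
EMPLOYEE_CLASS_CODES = {"E1", "E2"}  # assumption: codes treated as regular employees

def build_reference_groups(export):
    """One data-driven reference group per class code (hypothetical folder 'ref:classcode')."""
    groups = defaultdict(set)
    for uid, code in export:
        groups[f"ref:classcode:{code}"].add(uid)
    return dict(groups)

def vpn_composite(reference_groups, adhoc_groups, employee_codes):
    """Union composite: employee reference groups plus the ad-hoc contractor/student groups."""
    members = set()
    for code in employee_codes:
        members |= reference_groups.get(f"ref:classcode:{code}", set())
    for adhoc_members in adhoc_groups.values():
        members |= adhoc_members
    return members

def membership_events(ldap_members, grouper_members):
    """Change-log style events needed to make the LDAP group match the Grouper composite."""
    return ([(uid, "add") for uid in sorted(grouper_members - ldap_members)] +
            [(uid, "delete") for uid in sorted(ldap_members - grouper_members)])

class BatchedLdapProvisioner:
    """Models the change log consumer: accumulate events, then flush one modify per interval."""

    def __init__(self, group_dn, ldap_members):
        self.group_dn = group_dn
        self.ldap_members = set(ldap_members)  # simulated LDAP group state, not a real directory
        self.pending = {}  # uid -> last action seen; a later event overrides an earlier one

    def consume(self, uid, action):
        self.pending[uid] = action

    def flush(self):
        # Drop no-ops so a grant revoked before the flush never reaches the directory.
        adds = sorted(u for u, a in self.pending.items() if a == "add" and u not in self.ldap_members)
        deletes = sorted(u for u, a in self.pending.items() if a == "delete" and u in self.ldap_members)
        self.pending.clear()
        self.ldap_members |= set(adds)
        self.ldap_members -= set(deletes)
        return {"dn": self.group_dn, "add": adds, "delete": deletes}  # one batched LDAP modify
```

The point of the last-event-wins accumulator is that an access grant revoked within the same 30-second window is never written to the directory at all.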
