Grouper Provisioning Plugin

The Grouper Provisioning Plugin provisions groups and memberships in groups to an Internet2 Grouper instance using the Grouper web services interface.

Operations

| Registry CO Person Transaction | Grouper Action |
|---|---|
| Add | None, provisioning is for CO Group records and memberships only |
| Edit | None, provisioning is for CO Group records and memberships only |
| Enter Grace Period | None, provisioning is for CO Group records and memberships only |
| Expiration / Becomes Inactive | None, provisioning is for CO Group records and memberships only |
| Unexpire / Becomes Active | None, provisioning is for CO Group records and memberships only |
| Delete | None, provisioning is for CO Group records and memberships only |
| Manual Provision | None, provisioning is for CO Group records and memberships only |

| Registry CO Group Transaction | Changelog Action |
|---|---|
| Add | Provision CO Group record (including memberships) to Grouper |
| Edit | Provision CO Group record (including memberships) to Grouper |
| Delete | Delete CO Group record (and memberships) from Grouper |
| Manual Provision | Provision CO Group record (including memberships) to Grouper |

Provisioning of groups from Registry into Grouper is per CO with all groups for a CO provisioned under a single (configurable) stem or folder in Grouper. All groups in Registry, with the exception of the 'admin' and 'members' groups for COUs, are provisioned directly under the configured stem or folder for the CO. The 'admin' and 'members' groups for COUs are provisioned into a stem or folder hierarchy that mirrors the COU parent-child relationship (if any) in Registry.

A change in the COU hierarchy in Registry, such as changing a parent-child COU relationship or deleting a COU parent, will not be reflected in Grouper. At this time the Grouper web services component does not support moving stems or folders. A request to the Grouper team to implement such a feature for the web services component has been made (CO-1043). We do not recommend changing the COU parent-child relationships once established when using the Grouper Provisioner. Renaming COUs and deleting COUs (with no children or roles) is supported.
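Because a COU hierarchy change is not carried over to Grouper, an operator may want to list which COU 'admin' and 'members' groups now sit under a stem that no longer matches Registry. The following is an added example, not code from the plugin: it assumes the layout `<configured stem>:<COU ancestors>:<COU>:<admin|members>`, and the stem `org:myco` and the COU names are constructed sample values.

```python
# Added illustration, not the plugin's code. The colon-separated layout
# <base stem>:<COU ancestors...>:<COU>:<admin|members> is an assumption.
SEP = ":"  # Grouper separates stem and group name components with a colon


def cou_chain(cou, parents):
    """Return [root, ..., cou] by walking child -> parent links."""
    chain, seen = [], set()
    while cou is not None:
        if cou in seen:
            raise ValueError(f"cycle in COU hierarchy at {cou!r}")
        seen.add(cou)
        chain.append(cou)
        cou = parents.get(cou)
    return chain[::-1]


def cou_group_paths(base_stem, parents):
    """Map each COU to the assumed names of its 'admin' and 'members' groups."""
    paths = {}
    for cou in parents:
        stem = SEP.join([base_stem, *cou_chain(cou, parents)])
        paths[cou] = {stem + SEP + leaf for leaf in ("admin", "members")}
    return paths


def hierarchy_drift(base_stem, provisioned_parents, current_parents):
    """Report COUs whose provisioned location differs from the current hierarchy.

    Returns {cou: (names as provisioned, names the current hierarchy implies)}.
    COUs that no longer exist in Registry are skipped.
    """
    old = cou_group_paths(base_stem, provisioned_parents)
    new = cou_group_paths(base_stem, current_parents)
    return {
        cou: (sorted(names), sorted(new[cou]))
        for cou, names in old.items()
        if cou in new and names != new[cou]
    }


# Constructed sample: COU "Chem" is moved from under "Science" to the top level.
BEFORE = {"Science": None, "Chem": "Science", "Physics": "Science"}
AFTER = {"Science": None, "Chem": None, "Physics": "Science"}

if __name__ == "__main__":
    for cou, (was, now) in hierarchy_drift("org:myco", BEFORE, AFTER).items():
        print(f"{cou}: provisioned as {was}, Registry now implies {now}")
```

The first mapping would come from a snapshot of the COU parent links taken when the groups were provisioned, the second from the current Registry state.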

Configuration

Prerequisites

Before configuring a Grouper Provisioner for a CO, the Grouper deployment must be operational. Specifically, you will need:

  • Grouper web services (WS) deployed. The Grouper Provisioner invokes web service calls to provision to Grouper.
  • A Grouper user that can authenticate to Grouper WS using basic authentication (a login and password). The authenticated Grouper user should have the necessary Grouper privileges to create folders, groups, and memberships in the stem or folder assigned for the CO. A common deployment pattern is to use the GrouperSystem user.
  • Access to the Grouper configuration files in order to configure a COmanage Registry database view(s) as a Grouper subject source(s).
  • Administrator access to the COmanage Registry database in order to create and then grant SQL SELECT privileges to a user that Grouper can use to query the Registry database view(s) supplying the Grouper subject source(s).

 
