grouper-dev - [grouper-dev] Minutes, Grouper Working Group Face-to-Face at 2012 FMM in Philadelphia
- From: Emily Eisbruch <>
- To: Grouper Dev <>,
- Subject: [grouper-dev] Minutes, Grouper Working Group Face-to-Face at 2012 FMM in Philadelphia
- Date: Mon, 22 Oct 2012 14:36:07 -0400
Minutes, Grouper Working Group Face-to-Face at 2012 Internet2 Fall Member Meeting in Philadelphia

Tom Barton, Chair of Grouper Working Group, welcomed the group.

Recent Developments
- Grouper 2.1.2 release is coming soon.
- Grouper Online Training is now available at
- Tom Zeller, Grouper developer for the past few years, has left the Grouper development team.
- Thanks to TomZ for his contributions, including in the area of provisioning of Grouper data
- New Grouper developer sought

Introduction to Grouper
See Tom Barton's slides, including a brief Intro to Grouper:
- Grouper started out focusing on groups
- included many security and delegation features
- Grouper has expanded into other kinds of privilege management areas
- including roles and permissions
- there is an attribute framework, a metadata management capability
- permissions can be delegated for distributed administration across campus
- Simple delegation example from University of Chicago and VPN (see slide #7)
- Central IT runs the basic infrastructure and delegates out authority

Discussion on Delegated Authority
Q: How are other campuses approaching delegated authority use cases?

Stanford has a homegrown system
- is looking at / learning from Grouper

CMU is using a homegrown system
- has an active Grouper deployment project

Northwestern has customized their commercial IdM system
- will be looking at new approaches: either Grouper + a new IdMS, or just a new IdMS

USC
- homegrown solution at USC
- issue: there are apps that don't want to externalize the authorization decision
- these applications say "give us everyone / let everyone have access and we'll decide who should get access"
- perpetual thorn comment: some of the apps that are worst at externalizing authorization are the systems of record

TomB:
- True that many applications do not allow externalized authorization
- But U. Chicago has found that there are many potential applications where there is a win

SP manager's perspective
- much of the info that applications receive is not granular enough
- want to have a trust relationship about what roles an individual has
- would like an Open API

Indiana U:
- if a vendor or service does not want to integrate, just go on to another vendor or service

OSU:
- one of the push-backs in talking about Grouper is that the users want to stay in the environment they are operating in
- trying to create a way to compose UIs in some way so you can plug into Grouper
- would be good to have Grouper support for web widgets ("W3C Web Components")
- ScottyL, Stanford, may be a resource on this topic
- other organizations, with a focus on supporting researchers, echo this need

University of California
- starting to bring up Grouper at UC
- each campus has doc on delegated admin
- request for better Grouper doc on delegated administration models

LIGO project
- we are refactoring Grouper
- would like to have a different group structure than the one set up initially
- want to separate the organizational chart part of Grouper
- interested in best practices documentation and templates

Q: Could LIGO and UC share their experiences for future Grouper deployers?
A: Yes, with coordination from the Grouper project

Naming convention documentation currently on the wiki:
- See wiki page on group and folder design ideas: https://spaces.internet2.edu/display/Grouper/Group+and+folder+design+ideas
- See training video that talks about folder structure: http://www.youtube.com/watch?v=pbPxO227f0c

=======
Grouper UI

Grouper Version 2.2 will focus on the UI
- Currently Grouper has an admin UI and also has Lite (single purpose) UIs
- We have engaged a user experience expert from University of Chicago to help with the new Grouper UI

=======
Grouper Deployment at NYU

Gary Chapman:
- NYU is still fairly early in Grouper deployment
- lots of groups being created in a production environment
- the class info feed from the SIS system is being moved into Grouper in an automated way
- feeding things off to LDAP

Challenges:
- scaling up
- controlling permissions across Grouper and LDAP
- want people to see things on a "need to know" basis
- have some performance and scalability concerns
- NYU is re-architecting IdM applications
- how does Grouper fit with the new and better registry and with NYU's new provisioning tool?
- how do the various pieces of architecture integrate with each other?

Pennsylvania State University has similar size
- TomZ worked closely with PSU staff and reduced provisioning time

=======
Grouper at Duke

Shilen Patel
- Presented on an AD use case at the 2010 Internet2 Fall Member Meeting session called "Delegated Access Control in AD Using Grouper"
- See those slides at:

Use case summary:
- enhanced the AD delegation
- Duke previously had a Novell environment
- needed to get IdM info into the central AD without removing the established authority
- IT administrators across the campus must manage objects in the AD
- these objects are sometimes users in their dept but sometimes in other depts.
- sometimes must create objects for non-Duke students
- The model is that not all attributes are to be maintained by central IdM
- departments themselves will manage (and delegate access for) those attributes that only that dept needs
- used Grouper to manage permissions
- fine-grained permissions in Grouper can sync into AD
- Duke created a UI around this to allow managers to delegate the permissions

Results/progress to date:
- has been in production for about a year
- positive results
- about 1,000 individual permissions have been created by managers
- used by about 10 depts
- have gone through two internal audits and the auditors liked the solution
- because with Grouper's auditing capabilities you can know who had access to what and when
- IT administrators no longer have domain access rights
- instead, managers can delegate access
- permissions are role based
- so a user loses permissions when he leaves the university
- this reduces the IT staff's load

Q: How much time went into the custom UI at Duke?
A: Shilen:
- took a week or so
- this custom UI was developed before Grouper had a UI to manage permissions
- might not need to do this custom work today

Rob Carter did the work of looking at the empty security descriptor attribute and figuring out what to put in there
- takes the security descriptor, decodes it, brings it into a Java context, makes changes, and puts it back out
- Rob is willing to share the Java code for this work
- it is not well documented, but Rob can explain it
- TomB: we might want to share that work done by Rob more broadly

Q&A

Q: Is kill -9 the only method to start and stop Grouper?
A: Chris: we have been talking about moving the loader into the web service or some web application so you could control it like Tomcat.
Chris: On the wiki page for managing UNIX permissions with Grouper there is a UNIX service wrapper, so you can use service start and service stop; see: https://spaces.internet2.edu/display/Grouper/Managing+unix+commands+with+Grouper+permissions+example

Q: Is configuration externalization on the roadmap?
A: Yes, this is addressed in Grouper 2.2

=======
Links:

Grouper website: http://www.internet2.edu/grouper/

Please share your Grouper story and documents on the Grouper Community Contributions page at: https://spaces.internet2.edu/display/Grouper/Community+Contributions

Other Grouper Resources from Fall Member Meeting and Advance CAMP:
- Fall Member Meeting Session on "Grouper After Groups - Enabling NET+ Services with PAP, PEP and PDP, Oh My!"
- Advance CAMP session on "Transitioning From a Homegrown Approach to Grouper"

Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749
Visit our website: www.internet2.edu
Follow us on Twitter: www.twitter.com/internet2
Become a Fan on Facebook: www.internet2.edu/facebook
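The Duke discussion above records that Rob Carter's approach to the AD delegation was to read the security descriptor off the directory object, decode it, change it in Java, and write it back. That Java is not on this page; what follows is an added Python example, not Duke's or Rob's code, that performs the same round trip on the binary self-relative security descriptor format AD stores in nTSecurityDescriptor: parse owner, group and DACL, add an allow ACE for a trustee, drop every ACE naming a trustee (the "user loses permissions when he leaves" case from the minutes), and re-serialise in Windows canonical order. The domain SID, the group RIDs and the sample descriptor are constructed here for illustration.

```python
"""Decode, edit and re-encode a self-relative Windows security descriptor, the
binary form AD stores in an object's nTSecurityDescriptor attribute.

Added example for the Duke AD delegation discussion; not Duke's or Rob Carter's
code. SIDs, RIDs and the sample descriptor are constructed. Object-specific ACEs
(types 5/6) get their SID and mask decoded but are re-emitted byte-for-byte."""
import struct

SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000   # SECURITY_DESCRIPTOR Control bits
ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01            # plain ACE types
OBJECT_TYPES, DENY_TYPES = {0x05, 0x06}, {0x01, 0x06}  # *_OBJECT ACE types; deny ACE types
INHERITED_ACE = 0x10                                  # AceFlags: ACE came from a parent
ADS_RIGHT_DS_READ_PROP, ADS_RIGHT_DS_WRITE_PROP = 0x10, 0x20

def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> revision, sub-authority count, 48-bit authority (BE), sub-authorities (LE)."""
    tag, rev, auth, *subs = sid.split("-")
    if tag != "S":
        raise ValueError("not a SID: %r" % sid)
    return (struct.pack("<BB", int(rev), len(subs)) + int(auth).to_bytes(6, "big")
            + b"".join(struct.pack("<I", int(x)) for x in subs))

def bytes_to_sid(buf: bytes, off: int) -> str:
    """Decode the binary SID starting at `off` back to its string form."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % x for x in subs)

def parse_sd(sd: bytes) -> dict:
    """Return {'owner': sid, 'group': sid, 'dacl': [ace, ...]} from a self-relative descriptor."""
    _rev, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    out = {"owner": bytes_to_sid(sd, off_owner) if off_owner else None,
           "group": bytes_to_sid(sd, off_group) if off_group else None, "dacl": []}
    if not (control & SE_DACL_PRESENT) or off_dacl == 0:
        return out                                    # NULL DACL: no ACEs, everyone has full access
    _acl_rev, _sbz, _acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, off_dacl)
    off = off_dacl + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        ace = {"type": ace_type, "flags": ace_flags}
        if ace_type in (ACCESS_ALLOWED, ACCESS_DENIED):
            ace["mask"] = struct.unpack_from("<I", sd, off + 4)[0]
            ace["sid"] = bytes_to_sid(sd, off + 8)
        else:
            ace["raw"] = sd[off + 4:off + ace_size]   # body kept verbatim so GUIDs survive re-encoding
            if ace_type in OBJECT_TYPES:
                # Mask, object Flags, then 0-2 GUIDs (one per set bit in Flags & 3), then the SID
                ace["mask"], obj_flags = struct.unpack_from("<II", sd, off + 4)
                ace["sid"] = bytes_to_sid(sd, off + 12 + 16 * bin(obj_flags & 3).count("1"))
        out["dacl"].append(ace)
        off += ace_size
    return out

def build_ace(ace: dict) -> bytes:
    body = ace["raw"] if "raw" in ace else struct.pack("<I", ace["mask"]) + sid_to_bytes(ace["sid"])
    return struct.pack("<BBH", ace["type"], ace["flags"], 4 + len(body)) + body

def canonical(aces: list) -> list:
    """Windows canonical DACL order: explicit denies, explicit allows, then inherited ACEs."""
    explicit = [a for a in aces if not a["flags"] & INHERITED_ACE]
    inherited = [a for a in aces if a["flags"] & INHERITED_ACE]
    return ([a for a in explicit if a["type"] in DENY_TYPES]
            + [a for a in explicit if a["type"] not in DENY_TYPES] + inherited)

def build_sd(owner: str, group: str, aces: list) -> bytes:
    """Serialise owner, group and DACL (no SACL) as a self-relative descriptor."""
    aces = canonical(aces)
    ace_bytes = b"".join(build_ace(a) for a in aces)
    acl_rev = 4 if any(a["type"] in OBJECT_TYPES for a in aces) else 2   # ACL_REVISION_DS vs ACL_REVISION
    acl = struct.pack("<BBHHH", acl_rev, 0, 8 + len(ace_bytes), len(aces), 0) + ace_bytes
    owner_b, group_b = sid_to_bytes(owner), sid_to_bytes(group)
    off_owner = 20                                    # fixed 20-byte header
    off_group, off_dacl = off_owner + len(owner_b), off_owner + len(owner_b) + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, off_owner, off_group, 0, off_dacl)
    return header + owner_b + group_b + acl

def grant(sd: bytes, trustee: str, mask: int, flags: int = 0) -> bytes:
    """Add an explicit ACCESS_ALLOWED ACE for `trustee`; a no-op if an identical ACE exists."""
    d = parse_sd(sd)
    new = {"type": ACCESS_ALLOWED, "flags": flags, "mask": mask, "sid": trustee}
    if new not in d["dacl"]:
        d["dacl"].append(new)
    return build_sd(d["owner"], d["group"], d["dacl"])

def revoke_all(sd: bytes, trustee: str) -> bytes:
    """Drop every explicit ACE naming `trustee`: the clean-up wanted when a role holder leaves."""
    d = parse_sd(sd)
    keep = [a for a in d["dacl"] if a.get("sid") != trustee or a["flags"] & INHERITED_ACE]
    return build_sd(d["owner"], d["group"], keep)

# Constructed sample: an OU owned by BUILTIN\Administrators whose DACL already lets one
# domain group read properties. The domain SID and the RIDs are made up.
DOMAIN = "S-1-5-21-1000-2000-3000"
ADMINS, READERS, DEPT_MGRS = "S-1-5-32-544", DOMAIN + "-1101", DOMAIN + "-1102"
SAMPLE_SD = build_sd(ADMINS, ADMINS, [{"type": ACCESS_ALLOWED, "flags": 0, "mask": ADS_RIGHT_DS_READ_PROP, "sid": READERS}])

if __name__ == "__main__":
    sd = grant(SAMPLE_SD, DEPT_MGRS, ADS_RIGHT_DS_WRITE_PROP)
    for ace in parse_sd(sd)["dacl"]:
        print("%-5s mask=0x%08x %s" % ("deny" if ace["type"] in DENY_TYPES else "allow", ace["mask"], ace["sid"]))
    print(len(parse_sd(revoke_all(sd, DEPT_MGRS))["dacl"]), "ACE(s) left after revoking", DEPT_MGRS)
```

Two caveats for anyone doing this against a real directory. Delegating a single attribute, as Duke's per-department attribute model requires, is expressed with an object-specific ACE that carries the attribute's schemaIDGUID; this example carries such ACEs through unchanged but only constructs plain ACEs, so a production version needs to build type 5 ACEs with the GUID. And when reading or writing nTSecurityDescriptor over LDAP, send the LDAP_SERVER_SD_FLAGS control (OID 1.2.840.113556.1.4.801) scoped to the DACL, so the modify does not also overwrite the owner, group or SACL that the reading account may not even have been returned.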