Skip to Content.
Sympa Menu

grouper-study - Re: U-M's TIER CSP Grouper Project Plan

Subject: grouper-study

List archive

Re: U-M's TIER CSP Grouper Project Plan


Chronological Thread 
  • From: thompsow <>
  • To: Aimee Lahann <>
  • Cc: Keith Hazelton <>, "" <>, "Waldbieser, Carl" <>
  • Subject: Re: U-M's TIER CSP Grouper Project Plan
  • Date: Tue, 9 Jan 2018 16:56:29 -0500
  • Ironport-phdr: 9a23:oYqnYhe9JwqGyZknN6VzxtAflGMj4u6mDksu8pMizoh2WeGdxcW7ZR7h7PlgxGXEQZ/co6odzbaO6ua4ASQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTahfL9+Ngm6oRnMvcQKnIVuLbo8xAHUqXVSYeRWwm1oJVOXnxni48q74YBu/SdNtf8/7sBMSar1cbg2QrxeFzQmLns65Nb3uhnZTAuA/WUTX2MLmRdVGQfF7RX6XpDssivms+d2xSeXMdHqQb0yRD+v9LlgRgP2hygbNj456GDXhdJ2jKJHuxKquhhzz5fJbI2JKPZye6XQctQHS2pcRcZRTzJODZ+gb4UBCOoBOPxXr4j7p1ATqRezCg2hCObpxzRVhHH5wLc63vwhHw/FwAMvEM8AvnrWo9vrOqccVvu4w7PUwTXGdf5W2Svx5YrOfxs8of+MR7Vwcc/JxEkzFwPFiVCQqZT+PzOS2OUGrm+W7/ZgVeKojm4nsxpxoj+hx8o3jonGnIwVxUrE9Cpn3IY1OcO3RFRlbtG5DZtdrieXPJZ4TMMlRmFnoic6yrsetJ60eygKz5snxxrBZPCdb4eI5RfjWP6eITd5mHJleK+/iA2o/Ue8ze38U9G40VhLripejtbArG4C2AHO6sWBV/Bz/V+h1C6S2w3d7uxIO104mKXZJpI737I8i4AfvVnDEyPrgEn6kaGbe0E+9uS15OnqYK/qq56AO4NujgzzMKIjkdGlD+siKAgBRW2b9Py81LL9+U35R61HjvgqkqbDv53WP8AbqbS3AwBP0ocs9Qq/Dyu439gCg3YIMU9FdAqGj4jvJV7OPOj1Aeqxjlmoijtn2v/LM7/7DpnQM3TPiqrtcLZg50JEzQo819Ff55ZaCrEbJ/LzX1f8tMDYDh8+Ngy02/3nCNJz144FXWKAGKGZP7nSsFCW+uIvP/eDaJULtzngNvgp/+TugmMhmV8BYamp2oMaaH+iHvRhPkWZeWTjgs0YHWcRogo+UfHliV2ZXD5XZnayRL485iolBI68DIfDQJytj6Kb3Ce9AJJWen5KBkqSHnj1aoXXE8sLPQuTJ8Js2hgNVbGnTcd13BCruQL+xr9PM+/V8S1euJ7+gotb/erWwA0y8jlsFMOCmzWRT2ZxhngPWBcy1a52sEFh1lrF3KRl1a8LXedP7u9EB19pfaXXyPZ3XpWvAw8=

Happy New Year!

Let’s start with the hour call. If we need to do follow-ups we certainly can.

We’ve got holds on our calendar for:
* Wed, Jan 17 10am - 3pm ET
* Thu, Jan 18 10am - 1pm ET

Best,
Bill


On Jan 9, 2018, at 4:19 PM, Aimee Lahann <> wrote:

Hi, Bill.

Happy 2018!

We are going to take you up on your generous offer to review your use of reference groups and your current approach to Grouper security. Liam mentioned a teaser at the last Campus Bi-Weekly Work Session before the holiday.

Would you please send a few dates and times that would work well for you in the near future? I will pull together a Doodle poll and then send invites to set up a virtual meeting with folks who express interest. (I know Keith is in.) Do you think a one hour long session will be enough time?

Thanks for your help!
Aimee






On Tue, Dec 19, 2017 at 2:49 PM, Aimee Lahann <> wrote:
Great!

We will mention we are pulling something together to the larger TIER group on the call today.
I will send out a doodle poll to the grouper-study group for dates in January.

I'll take you up on the scribe help as well. thx!


On Tue, Dec 19, 2017 at 2:41 PM, Keith Hazelton <> wrote:

If possible, I’d like to sit in on this call. I can offer to help with scribing meeting notes.   --Keith

___________________________________

email & jabber:

calendar: http://go.wisc.edu/i6zxx0

 

From: <> on behalf of Aimee Lahann <>
Date: Tuesday, December 19, 2017 at 13:29
To: Bill Thompson <>
Cc: "" <>, "Waldbieser, Carl" <>
Subject: Re: U-M's TIER CSP Grouper Project Plan

 

Okay - will do!

 

Have fun!!

 

On Tue, Dec 19, 2017 at 2:20 PM, thompsow <> wrote:

Sounds good. We can’t be all the call today (holiday parties!), but if you want to propose and host, we will definitely particpate.

 

Best,

Bill

 



On Dec 19, 2017, at 2:12 PM, Aimee Lahann <> wrote:

 

Thanks again, Bill.

 

Super helpful.  

 

We would welcome hearing about your reference groups and current approach to grouper security.  How about a breakout session call targeted to all those interested in the topic instead of using the time with the whole TIER group?  I would be happy to organize the call and provide any notes back to the larger TIER Group if you would present on the topic. :)

 

Aimee

 

On Tue, Dec 19, 2017 at 10:00 AM, thompsow <> wrote:

Great questions! :)

 

I don’t have any docs handy to share with you, but we’d be happy to review our reference groups and current approach to grouper security, perhaps on a tier call sometime soon. Access to our implementation is fairly limited at the moment, and mostly consists of the IAM team and small cohort in central IT. Though we do have some users, who are not in IT, maintaining reference groups and exceptions via the Grouper UI. 

 

Generally we let the access policy requirements drive what reference groups we have. I should also point out that broadly we have two types of reference groups based on scope (institutional and application specific). So far there has been ample need/requests from central IT to make this mostly an IAM team driven process.

 

Carl maintains a set of python scripts we use to help maintain our security model, folder structures, etc. He’s published those to GitHub here: https://github.com/cwaldbieser/grouper_jython_scripts.  These only work if you install the Shell Wrappers for Grouper. Perhaps if there’s enough demand we could get the project to include support for jython scripts and possibly include these in the base install.

 

We’ve also started to sketch out a TIER security model chapter for the next revision of the development guide. Feel free to comment on that doc and add your questions/thoughts.

 

Best,

Bill

 



On Dec 7, 2017, at 3:52 PM, Aimee Lahann <> wrote:

 

Thanks, Bill. Your feedback is helpful.  

 

Do you have any documentation about your approach to Grouper security?  We are interested in learning about security in the context of limiting who can see which group members - especially in the case of course groups due to FERPA regulations. Security concerns are one of the reasons we are first exploring only departmental groups with staff members. We would be interested in helping to refine the security piece of the Deployment Guide.

 

How are you receiving your use cases/ policy requirements?  Are administrators in departments and/or application owners contacting you/your staff directly with requests?  Do you create the reference groups, build groups from them according to end-user requirements and then provide end-users an interface to include or exclude members to the group?  What are some of your use cases?  How did you begin? Could we talk to you more about this?

 

We would like to provide data-driven groups that are useful to users to create access control groups. Somehow we are a little stuck analyzing what reference groups are useful and how to offer groups to whom.  

 

Now you have opened the floodgates...

 

Thanks for your help!

Aimee

 

 

 

On Wed, Dec 6, 2017 at 4:32 PM, thompsow <> wrote:

HI Aimee,

 

The workstreams look reasonable. Our original implementation took about 3 months calendar time to implement a very specific use case (VPN access).  Since then, we have let our use cases/policy requirements drive any additional basis/ref groups that we have added.

 

I wouldn’t worry too much about getting all the basis/ref groups right at the start. These are fairly easily to refactor in Grouper. Recommend focusing on a specific access policy and start with that.

 

One thing you'll want to give some thought to is the security model for Grouper itself. This isn’t discussed much in the Grouper Deployment Guide. Might be an opportunity for us to refine that and include something in the next revision.

 

Best,

Bill

 



On Dec 6, 2017, at 3:19 PM, Aimee Lahann <> wrote:

 

Hi.

 

We would like to share U-M's plan for our CSP Grouper project with the Grouper cohort for feedback.  The Google document, TIER CSP Grouper Project Plan -DRAFT is currently a list of workstreams with milestones/tasks. Our original intent was to focus on identifying the work involved. Dependencies and order of operation are not yet noted. However, we have made time estimates for each workstream.

 

We would love to see others' Grouper project plans so we can learn how to improve our own.

 

(I apologize if you already received this email already.  I realized I originally sent it to the umich grouper study email group instead of the more recent Internet2 group email.)

 

Thanks!

 

Aimee Lahann

ERP Business Systems Analyst Senior

Identity and Access Management Team

University of Michigan



 



 

--

Aimee Lahann

ERP Business Systems Analyst Senior

Identity and Access Management Team

University of Michigan



 



 

--

Aimee Lahann

ERP Business Systems Analyst Senior

Identity and Access Management Team

University of Michigan



 



 

--

Aimee Lahann

ERP Business Systems Analyst Senior

Identity and Access Management Team

University of Michigan

(734) 764-5641






--
Aimee Lahann
ERP Business Systems Analyst Senior
Identity and Access Management Team
University of Michigan




--
Aimee Lahann
Senior Business Systems Analyst
Identity and Access Management Team
University of Michigan
(734) 764-5641





Archive powered by MHonArc 2.6.19.

Top of Page