grouper-users - Re: [grouper-users] who is in your subject source?
Subject: Grouper Users - Open Discussion List
List archive
- From: Paul Engle <>
- To: Grouper Users Mailing List <>
- Subject: Re: [grouper-users] who is in your subject source?
- Date: Mon, 20 Apr 2009 15:00:40 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- --On Monday, April 20, 2009 2:04 PM -0400 Chris Hyzer
<>
wrote:
> Hey,
>
> At Penn we have a subject source which has active Penn people.
>
> Though it seems like apps need more than this (temp employees who still
> need access, managers who need to gracefully transition away when they
> leave their job, researchers who aren't at Penn anymore, but still need
> access to some resources to work with colleagues).
>
> How do other schools define your subject source for people at your
> institution? Only actives? Everyone in your system even if they were
> inactivated 10 years ago? Active people, and people who were recently
> inactivated?
>
> Im not sure what the pros and cons of these are. There was an extra
> security benefit to inactives becoming unresolvable, but it seems like it
> is not something that should be relied on. Also, it would be hard to
> find people if there are hundreds more John Smiths in there... other than
> that, I don't see a huge downside to opening up the subject source.
At Rice we never drop people out of the LDAP directory (the benefits of a
small population), and that is used as the main subject source. As people
go inactive per our systems of record, their directory entry gets flagged
as such. Our ACIs are structured to allow virtually no access to any entry
flagged inactive. The bind credential used by Grouper is one of those few
exceptions because having unresolvable subjects in the groups was not
acceptable. At some point, I'd like to put together some sort of reporting
tool to scrape through the groups and let group admins know what inactives
are currently members of their groups. But we're not really concerned about
them being there.
Plus, we're starting to hear more talk about certain subsets of the
community retaining access to some services after
graduation/retirement/termination, etc. So, while the systems of record may
have them marked 'inactive', they may still be members of some groups. The
binary world of active/inactive isn't going to cut it for much longer, I
think.
-paul
- --
Paul D. Engle | Rice University
Sr. Systems Administrator, RHCE | Information Technology - MS119
(713)348-4702 | PO Box 1892
| Houston, TX 77252-1892
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
iD8DBQFJ7NRoCpkISWtyHNsRAudtAJ49A9sopUQOxpyana8OrnQA9A3I8wCgrLWt
bxmeHCR1f9A6peME3/gnl8o=
=hbIc
-----END PGP SIGNATURE-----
- who is in your subject source?, Chris Hyzer, 04/20/2009
- RE: [grouper-users] who is in your subject source?, Cramton, James, 04/20/2009
- Re: [grouper-users] who is in your subject source?, Tom Zeller, 04/20/2009
- Re: [grouper-users] who is in your subject source?, Paul Engle, 04/20/2009
- Re: [grouper-users] who is in your subject source?, Scott Koranda, 04/23/2009
Archive powered by MHonArc 2.6.16.