grouper-users - Re: [grouper-users] who is in your subject source?

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] who is in your subject source?

  • From: Paul Engle <>
  • To: Grouper Users Mailing List <>
  • Subject: Re: [grouper-users] who is in your subject source?
  • Date: Mon, 20 Apr 2009 15:00:40 -0500


--On Monday, April 20, 2009 2:04 PM -0400 Chris Hyzer

> Hey,
> At Penn we have a subject source which has active Penn people.
> Though it seems like apps need more than this (temp employees who still
> need access, managers who need to gracefully transition away when they
> leave their job, researchers who aren't at Penn anymore, but still need
> access to some resources to work with colleagues).
> How do other schools define your subject source for people at your
> institution? Only actives? Everyone in your system even if they were
> inactivated 10 years ago? Active people, and people who were recently
> inactivated?
> I'm not sure what the pros and cons of these are. There was an extra
> security benefit to inactives becoming unresolvable, but it seems like it
> is not something that should be relied on. Also, it would be hard to
> find people if there are hundreds more John Smiths in there... other than
> that, I don't see a huge downside to opening up the subject source.

At Rice we never drop people out of the LDAP directory (the benefits of a
small population), and that is used as the main subject source. As people
go inactive per our systems of record, their directory entry gets flagged
as such. Our ACIs are structured to allow virtually no access to any entry
flagged inactive. The bind credential used by Grouper is one of those few
exceptions because having unresolvable subjects in the groups was not
acceptable. At some point, I'd like to put together some sort of reporting
tool to scrape through the groups and let group admins know what inactives
are currently members of their groups. But we're not really concerned about
them being there.
Plus, we're starting to hear more talk about certain subsets of the
community retaining access to some services after
graduation/retirement/termination, etc. So, while the systems of record may
have them marked 'inactive', they may still be members of some groups. The
binary world of active/inactive isn't going to cut it for much longer, I


-- 
Paul D. Engle | Rice University
Sr. Systems Administrator, RHCE | Information Technology - MS119
(713)348-4702 | PO Box 1892
              | Houston, TX 77252-1892
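The design described in the reply above (a directory that flags rather than drops inactive people, ACIs that hide flagged entries from every bind except Grouper's, and a report telling group admins which inactive people are still members) can be modelled in a few dozen lines. The script below is an added example written for this page; it is not Grouper code, nor anything from Rice or Penn. The directory snapshot, the group memberships, the `inactive` attribute name and the Grouper service bind DN are all constructed assumptions held in memory so the script runs offline; in a real deployment the same logic would sit over an LDAP search and Grouper's membership export.

```python
"""
Hypothetical stale-membership audit for a group store whose subject source is
an LDAP directory that flags (rather than deletes) inactive people.
Constructed example: the data below is made up and lives in memory.
"""
from dataclasses import dataclass, field

# Constructed directory snapshot, keyed by subject id. The `inactive` flag
# stands in for whatever attribute the systems of record set on departure.
DIRECTORY = {
    "uid=asmith":  {"cn": "Alice Smith", "inactive": False},
    "uid=jsmith1": {"cn": "John Smith",  "inactive": True},   # left years ago
    "uid=jsmith2": {"cn": "John Smith",  "inactive": False},  # same name, active
    "uid=bjones":  {"cn": "Bob Jones",   "inactive": True},   # retired
}

# Constructed memberships exactly as the group store recorded them.
# `uid=ghost` was never in (or has been purged from) the directory.
GROUPS = {
    "app:wiki:editors": ["uid=asmith", "uid=jsmith1", "uid=bjones"],
    "app:vpn:users":    ["uid=jsmith2", "uid=ghost"],
}

# Hypothetical service account that the ACI exempts from the inactive filter.
GROUPER_BIND_DN = "cn=grouper,ou=services,dc=example,dc=edu"


def resolve(subject_id, bind_dn):
    """Model the directory ACI: inactive entries are invisible to every bind
    except the Grouper service account. Returns the entry, or None if the
    caller cannot see it (missing, or inactive and hidden from this bind)."""
    entry = DIRECTORY.get(subject_id)
    if entry is None:
        return None
    if entry["inactive"] and bind_dn != GROUPER_BIND_DN:
        return None
    return entry


@dataclass
class GroupReport:
    group: str
    inactive: list = field(default_factory=list)      # resolvable but flagged
    unresolvable: list = field(default_factory=list)  # not visible at all


def audit_group(group, members, bind_dn=GROUPER_BIND_DN):
    """Classify each member of one group as inactive or unresolvable."""
    report = GroupReport(group)
    for sid in members:
        entry = resolve(sid, bind_dn)
        if entry is None:
            report.unresolvable.append(sid)
        elif entry["inactive"]:
            report.inactive.append(sid)
    return report


def audit_all(groups=GROUPS, bind_dn=GROUPER_BIND_DN):
    """Audit every group; returns {group name: GroupReport}."""
    return {name: audit_group(name, members, bind_dn)
            for name, members in groups.items()}


def format_report(reports):
    """Render only the groups that have something for an admin to look at."""
    lines = []
    for r in reports.values():
        if not r.inactive and not r.unresolvable:
            continue
        lines.append(f"{r.group}:")
        for sid in r.inactive:
            lines.append(f"  inactive:     {sid} ({DIRECTORY[sid]['cn']})")
        for sid in r.unresolvable:
            lines.append(f"  unresolvable: {sid}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With the Grouper bind, inactive members stay resolvable and are reported
    # by name; only truly missing subjects show up as unresolvable.
    print(format_report(audit_all()))
    print()
    # With an ordinary application bind the ACI hides inactive entries, so the
    # same memberships collapse into "unresolvable" and the admin cannot tell
    # a retiree from a subject that was never there.
    print(format_report(audit_all(bind_dn="uid=someapp,ou=services,dc=example,dc=edu")))
```

Running it twice with different bind DNs makes the trade-off in the thread concrete: letting Grouper see flagged entries keeps every member resolvable and lets the report name the inactive people, whereas relying on inactives becoming unresolvable loses the distinction between "left the institution" and "bad data", which is exactly why that effect is not something to rely on for access control.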


