
Subject: Grouper Users - Open Discussion List

Re: [grouper-users] who is in your subject source?

  • From: Scott Koranda <>
  • To: Chris Hyzer <>
  • Cc: Grouper Users Mailing List <>
  • Subject: Re: [grouper-users] who is in your subject source?
  • Date: Thu, 23 Apr 2009 16:43:59 -0500

> Hey,
>
> At Penn we have a subject source which has active Penn
> people.
>
> Though it seems like apps need more than this (temp
> employees who still need access, managers who need to
> gracefully transition away when they leave their job,
> researchers who aren't at Penn anymore, but still need
> access to some resources to work with colleagues).
>
> How do other schools define your subject source for people
> at your institution? Only actives? Everyone in your system
> even if they were inactivated 10 years ago? Active people,
> and people who were recently inactivated?

For what it is worth...

Our Grouper deployment is not based on a single institution.
We are an international collaboration focused on a particular
science goal. We have roughly 900 active members spread across
roughly 100 institutions.

We already had a relational database that records membership
in the collaboration, both active and inactive. We decided,
however, for various non-technical reasons to not use the
database as our subject source for Grouper.

Instead active membership in the collaboration gets reflected
into our LDAP server network and we use the master LDAP server
as the subject source for Grouper. When a subject leaves the
collaboration he is removed from all Grouper groups and then
removed from the LDAP.

> I'm not sure what the pros and cons of these are.

Initially we are doing some simple types of authorizations
based solely on the existence in the LDAP, so we only want
active subjects in Grouper (though we could and probably will
later put non-active members into a Grouper group(s) that is
not provisioned into LDAP).

We will also later start to do more sophisticated
authorization and mere existence in the LDAP will not be
enough to authorize much of anything.

> There was
> an extra security benefit to inactives becoming
> unresolvable, but it seems like it is not something that
> should be relied on.

Agreed.

> Also, it would be hard to find people
> if there are hundreds more John Smiths in there...

I doubt our collaboration will grow much beyond 1000 subjects
and we are unlikely to have hundreds of any similar identity.

> other
> than that, I don't see a huge downside to opening up the
> subject source.

Are there any FERPA or similar issues you might have to be concerned
about?

I guess I would also be worried about active Grouper users
with ADMIN or UPDATE privileges managing the wrong subject
membership just because of the extra available subject
information, but that could certainly be avoided easily with
the right UI.

Cheers,

Scott
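The deprovisioning order Scott describes (remove the departing subject from every Grouper group first, then delete the directory entry) and the "inactives becoming unresolvable" concern Chris raises can both be shown with a small model. The following is an added example, not code from the thread or from the Grouper project: an in-memory subject source stands in for the LDAP server, a dict of sets stands in for Grouper memberships, and the group names and subject ids are constructed sample values. Nothing here uses Grouper's real API.

```python
"""Toy model (constructed for this example, not Grouper's API) of the
deprovisioning order from the thread and of an audit for memberships whose
subject no longer resolves in the subject source."""
from dataclasses import dataclass, field


@dataclass
class SubjectSource:
    """Stands in for the LDAP directory used as the Grouper subject source."""
    subjects: dict  # subject id -> display name

    def resolve(self, subject_id):
        # None means "unresolvable": the subject is not in the directory
        return self.subjects.get(subject_id)


@dataclass
class GroupStore:
    """Stands in for Grouper group memberships."""
    groups: dict = field(default_factory=dict)  # group name -> set of subject ids

    def remove_subject_everywhere(self, subject_id):
        """Drop the subject from every group; return the groups it was in."""
        removed = []
        for name, members in self.groups.items():
            if subject_id in members:
                members.discard(subject_id)
                removed.append(name)
        return sorted(removed)


def unresolvable_members(groups, source):
    """Audit: {group: [subject ids]} for memberships whose subject no longer
    resolves in the source. Anything reported here is a stale entitlement
    that only looks revoked because the subject cannot be looked up."""
    report = {}
    for name, members in groups.groups.items():
        stale = sorted(s for s in members if source.resolve(s) is None)
        if stale:
            report[name] = stale
    return report


def deprovision(subject_id, groups, source):
    """Order from the thread: groups first, then the directory entry, so no
    membership is ever left pointing at an unresolvable subject."""
    removed_from = groups.remove_subject_everywhere(subject_id)
    source.subjects.pop(subject_id, None)
    return removed_from


def deprovision_directory_first(subject_id, groups, source):
    """The order to avoid: the directory entry goes first and the group
    cleanup is deferred, leaving stale memberships behind."""
    source.subjects.pop(subject_id, None)
    # group cleanup intentionally not done here


def build_sample():
    """Constructed sample data: three subjects, three groups."""
    source = SubjectSource({"alice": "Alice A", "bob": "Bob B", "carol": "Carol C"})
    groups = GroupStore({
        "collab:members": {"alice", "bob", "carol"},
        "collab:wiki-editors": {"alice", "bob"},
        "collab:admins": {"alice"},
    })
    return source, groups


if __name__ == "__main__":
    source, groups = build_sample()
    print("bob removed from:", deprovision("bob", groups, source))
    print("stale after safe order:", unresolvable_members(groups, source))
    source, groups = build_sample()
    deprovision_directory_first("carol", groups, source)
    print("stale after directory-first:", unresolvable_members(groups, source))
```

Running the audit periodically is the defensive counterpart to "not relying on" unresolvability: it surfaces memberships whose subject has already vanished from the source, which is exactly the state the directory-first order produces.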
