Grouper Users - Open Discussion List

[Richard James <>]

Hi,

With reference to the structuring of groups within Grouper, we at Newcastle 
University, structure our groups into 3 main stems.

"Corporate Data" - this is where we load in Corporate data. These structures 
are non-editable and are loaded in with either the use of the Grouper Loader 
or other data integration tools such as Talend. All users of Grouper have 
read only access to these groups.

This stem allows us to represent key Institutional data from the University's 
HR systems, for example 
*       Organisational Structure
*       Mapping students to their modules
*       Mapping module leaders/lecturers/contributors to their modules

We are always investigating which Institutional data to represent within 
Grouper, and have came across scenarios where we did not believe it was 
worthwhile. As part of a new room booking system, we decided against creating 
a structure of mapping staff members to the buildings/rooms where they 
reside, instead we have approached this differently with the use of user 
created groups. By making this institutional data available we are able to 
provide administrators of systems more flexibility to delegate access to 
applications, whilst removing some administrative burden by providing 
pre-populated groups. 

"User Groups" - this area is for groups of users or departments to create 
their own group structure. By default a new stem is set up for the user where 
they are provided with privileges to create groups/stems within that working 
area. They are able to then delegate privileges to other users to administer 
their created groups. They are able to assign memberships on a individual 
basis or more ideally make use of the groups within the Corporate Data stem. 

This stem is particularly important for representing groups of users which 
are not represented within our HR systems. For example we do not have a data 
feed available which says who the members of a particular research group are, 
and similarly with University societies. In these cases user managed groups 
can be created with the members of these lists being manually administered, 
and then subsequently used to provide access control to applications 
represented within the "Applications" stem.

"Applications" - Groups within this stem make use of the groups created in 
the preceding stems to delegate access to different systems. They provide 
access lists for applications and resources such as our wiki service, site 
manager etc. An example for this would be with wikis, we are able to provide 
access to all of Computing Science by using source group from Org_Structure, 
and also a research group created and managed within the user group stem.

The above structure has provided a good starting point for us to allow 
delegation of access control with a combination of pre-loaded and user 
managed groups, yet it is something we are always monitoring to see if we can 
improve it. We are currently working on a project which is interested in the 
structuring of groups to enable more effective delegation of access control. 
As part of this we have made available a couple of use case documents which 
discuss how we have approached some scenarios, with relevance to how we have 
structured our access groups and made use of the above core stems. They can 
be found on our project website at http://research.ncl.ac.uk/grand/, we'll be 
adding more over the coming months as further use cases are indentified. 

Regards to LDAP, we don't currently provision our groups into LDAP, but this 
is something we are hoping to be able to do as part of the GRAND project.

I hope the above is of some help to you, and provides a good starting point 
for planning the structuring of your groups.

Regards

Richard James
ISS Middleware Team
Newcastle University

>-----Original Message-----
>From: Imholz, John J. 
>[mailto:]
>Sent: 18 May 2010 12:51
>To: 
>''
>Subject: [grouper-users] Example Groups
>
>We're just getting started with Grouper here.  We've had a server up and
>running a few weeks, and we've actually loaded some groups with loader.
>
>What I'm looking for is more examples of how different institutions are
>coming up with their group structure, names and lessons learned (maybe
>I'm making this harder than I need to.)
>
>The second request would be for some more examples of groups with
>entitlement strings (how they look in both Grouper and LDIF)
>
>Does anyone consider this sensitive info?
>
>jji