Grouper Users - Open Discussion List

[Richard James <>]

Hi All,

It's been a while since we posted on the list, so we thought it would be a 
good idea as the year comes to a close to share some of the work that we have 
been doing with Grouper at Newcastle University this year. 

One of the main developments has been provisioning of groups from Grouper 
into our Active Directory. Up until the start of this year, we only 
provisioned a select number of groups to the AD on a case by case basis. In 
April the decision was made to provision all groups that reside in our 
Application stem within Grouper into the AD. There were a number of reasons 
for doing this, first of all to improve the resilience of Shibboleth querying 
group memberships from Grouper (previously Shibboleth queried the Grouper 
database directly). The second reason was to extend the use of groups past 
controlling just web resources, so now a group could be setup which 
controlled access to a wiki, blog, filestore and so on.

We now provision over 6000 groups into the AD, made up of over 150,000 
memberships and these numbers are continually increasing as new use cases are 
identified. 

One of the main projects this year at the University has been the 
restructuring of the University's filestore service and how access to the 
filestores is controlled. Previously administration for filestores involved 
administrators manually updating access groups membership lists, which often 
meant that as staff moved departments on indeed left, their access was not 
updated. With the use of Grouper this has now changed, access to the 
filestores is now based on departmental Grouper groups, with membership of 
these groups being automated based on the University's corporate data. This 
means as staff join/leave or move around the University they are 
automatically granted the correct access to filestores, dramatically 
decreasing the amount of administration required. The delegation of 
administration for these groups has now been passed on to the University's IT 
service desk, desktop support teams and in some instances individuals outside 
of the IT department through the use of the Grouper lite UI. This allows the 
end users to take control of who should have access to the resources, and 
allows IT resources to be channelled into development of new services rather 
than having to worry about maintaining group memberships. Access to over 400 
network shares are now managed by Grouper groups. 

Another project which has incorporated the use of the Grouper is work around 
"hot desking" and ensuring staff members have access to the applications they 
require wherever they work. Our application support team have created over 40 
groups representing different applications such as Skype, Filezilla, with 
departments/individuals assigned membership to these groups. These groups are 
provisioned into the Active directory so that they can be used with the 
deployment of Microsoft's App-v and RDS so that applications follow the user. 

One final recent development is that Grouper is now being used to manage 
access to Microsoft Dreamspark premium. Previously a manual administration 
process was required to allow 700 members to access Dreamspark. Now with the 
use of Grouper 14,000 users will be able to access Dreamspark with minimal 
administration.

In 2013 we hope to be able to upgrade Grouper up to a more recent version 
(currently we are stuck on 1.6), and with this we hope to take advantage of 
PSP to allow for real time provisioning to our AD. We are also keeping a keen 
eye on the development of a new Grouper UI, the wireframes that I have seen 
so far look very promising.

As we do more work with Grouper next year, we'll make sure to share our 
experiences.

I hope that everyone has a great Christmas, and all the best for the new year!

Richie
Infrastructure Systems Administrator
ISS Systems Architecture
Newcastle University