Grouper Users - Open Discussion List

[Tom Barton <>]

Thanks for that update, Richie. I'm really glad to hear how Newcastle continues to increase its 
return on investment in a distributed access management approach.

Happy Holidays everyone!
Tom

On 12/21/2012 9:28 AM, Richard James wrote:
> Hi All,
>
> It's been a while since we posted on the list, so we thought it would be a 
> good idea as the year comes to a close to share some of the work that we have 
> been doing with Grouper at Newcastle University this year.
>
> One of the main developments has been provisioning of groups from Grouper 
> into our Active Directory. Up until the start of this year, we only 
> provisioned a select number of groups to the AD on a case by case basis. In 
> April the decision was made to provision all groups that reside in our 
> Application stem within Grouper into the AD. There were a number of reasons 
> for doing this, first of all to improve the resilience of Shibboleth querying 
> group memberships from Grouper (previously Shibboleth queried the Grouper 
> database directly). The second reason was to extend the use of groups past 
> controlling just web resources, so now a group could be setup which 
> controlled access to a wiki, blog, filestore and so on.
>
> We now provision over 6000 groups into the AD, made up of over 150,000 
> memberships and these numbers are continually increasing as new use cases are 
> identified.
>
> One of the main projects this year at the University has been the 
> restructuring of the University's filestore service and how access to the 
> filestores is controlled. Previously administration for filestores involved 
> administrators manually updating access groups membership lists, which often 
> meant that as staff moved departments on indeed left, their access was not 
> updated. With the use of Grouper this has now changed, access to the 
> filestores is now based on departmental Grouper groups, with membership of 
> these groups being automated based on the University's corporate data. This 
> means as staff join/leave or move around the University they are 
> automatically granted the correct access to filestores, dramatically 
> decreasing the amount of administration required. The delegation of 
> administration for these groups has now been passed on to the University's IT 
> service desk, desktop support teams and in some instances individuals outside 
> of the IT department through the use of the Grouper lite UI. This allows the 
> end users to take control of who should have access to the resources, and 
> allows IT resources to be channelled into development of new services rather 
> than having to worry about maintaining group memberships. Access to over 400 
> network shares are now managed by Grouper groups.
>
> Another project which has incorporated the use of the Grouper is work around "hot 
> desking" and ensuring staff members have access to the applications they require 
> wherever they work. Our application support team have created over 40 groups 
> representing different applications such as Skype, Filezilla, with 
> departments/individuals assigned membership to these groups. These groups are 
> provisioned into the Active directory so that they can be used with the deployment of 
> Microsoft's App-v and RDS so that applications follow the user.
>
> One final recent development is that Grouper is now being used to manage 
> access to Microsoft Dreamspark premium. Previously a manual administration 
> process was required to allow 700 members to access Dreamspark. Now with the 
> use of Grouper 14,000 users will be able to access Dreamspark with minimal 
> administration.
>
> In 2013 we hope to be able to upgrade Grouper up to a more recent version 
> (currently we are stuck on 1.6), and with this we hope to take advantage of 
> PSP to allow for real time provisioning to our AD. We are also keeping a keen 
> eye on the development of a new Grouper UI, the wireframes that I have seen 
> so far look very promising.
>
> As we do more work with Grouper next year, we'll make sure to share our 
> experiences.
>
> I hope that everyone has a great Christmas, and all the best for the new year!
>
> Richie
> Infrastructure Systems Administrator
> ISS Systems Architecture
> Newcastle University