Grouper Users - Open Discussion List

[Rob Gorrell <>]

Thanks Chris, I'm gonna spend some time digesting that, but it seems to be the sorta principle I'm after. To the point of why create this up front, I guess I'm thinking towards a distributed access model, where each department controlled its own stem... being able to pre-provision the include/exclude/composite groups ahead of time would give a common language for distributed admins and consumers to be become accustom to and not require us to intervene everytime someone needed an exception to their systemOfRecord.

One sort of variation to the question... say you had loader configurations building two systemOfRecord groups for each department, one containing full-time employees and one containing student workers. how would I "load" a composite group of these two automatically since this breaks the addIncludeExclude type you mentioned? what that be a loader object looking back at the grouper db as the system of record rather than an external db?

Thanks again,

-Rob

On Fri, Oct 4, 2013 at 10:31 AM, Chris Hyzer <> wrote:

If you have includeExclude enabled in the config, then there is a “type” that when applied to the group will create these structures.  Users can do that in the UI.  It’s a little more confusing with the loader since the loader is loading group names, and if you change to system of record later, then all groups need to be changed.  Know what I mean?  So you can have the loader assign types to the groups, and it could be the include exclude type, and that will make all the structures.  We do this for orgs.  In my experience the includes are far more important than the excludes. So really you might only need a system of record group, and an overall group (that could have other members too).  I think you could do that with two loader jobs, or we could add another type that only does that instead of making 5 groups.

 

This is an example:

 

https://spaces.internet2.edu/display/Grouper/Grouper+loader+classlist+example+from+Penn

thanks,

Chris

 

 

 

 

From: [mailto:] On Behalf Of Rob Gorrell
Sent: Friday, October 04, 2013 10:12 AM
To:
Subject: [grouper-users] creating a flexible grouper structure

 

I've spent some time looking at others grouper environments and it seems a fairly common design principle is to create these composite groups consisting of systemofRecord and include/exclude groups. for example, the ITS department = ITS_systemofRecord + ITS_include - ITS_exclude. I've spend some time playing with the grouper loader to build the ITS_systemofRecord group, as well as do so on a one-to-many scale (like say across 200 departments with one loader object), but as to staging the empty include and exclude group objects and the composite group representing all of ITS department, I was wondering the best way to go about and sustain it on a mass scale? even though grouper loader can create group objects, i gather it would not be used in this sense... is there a typical way of approaching this in an efficient manner? would you look to just typical batch/shell commands with gsh? I was hoping for a way that when grouper loader made a new dept_sysofRecord group, the other pieces that go along with it could also automatically appear? curious if anyone has a clever way of dealing with this?

-Rob

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954

--

Robert W. Gorrell
Middleware Engineer, Identity and Access Management

University of NC at Greensboro
336-334-5954