Re: [grouper-users] what is a group authorized to do ?


  • From: "Waldbieser, Carl" <>
  • To: Dave Churchley <>
  • Cc: Julio Polo <>, Steven Carmody <>, Grouper-Users <>
  • Subject: Re: [grouper-users] what is a group authorized to do ?
  • Date: Thu, 2 Mar 2017 09:29:02 -0500 (EST)


We are also doing this at Lafayette. Bill Thompson is actually documenting
an organizational strategy for Grouper in his "Grouper Deployment Guide", and
we are attempting to align our own Grouper organization with that.

To that end, every service has its own stem in our "app" folder. Each
service may have one or more policy groups, each of which is a composite of
corresponding "allow" and "deny" policy groups.
Reference groups from our "ref" stem can be used to create policies.

We've also noticed that there are some cohorts that tend to get the same
access to multiple services. For these, we create what we are calling
"bundles" in our "bundle" stem. Each bundle gets its own stem with "include"
and "exclude" groups for the cohort.

What differentiates a bundle from a reference group is that reference groups
represent a fact. You *are* an employee of the College, or you're not.
Bundles are a cohort that have access to similar services. An "Employee
Services" bundle would naturally include the employees reference group, but
it may also include long term contractors, interns, etc. This bundle can
then be used to form access policies for services. To answer the question,
"What services does this bundle provide access to?", you can simply choose
the "This group's membership in other groups" option and see all the "allow"
policies of which the bundle is a member.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
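The layout Carl describes above (reference groups as facts, bundles as include-minus-exclude cohorts, per-service policy groups as allow-minus-deny composites, and the reverse "membership in other groups" lookup to answer "what does this group grant?") can be modelled in a few lines. The following Python is an added illustration, not Grouper code and not anything posted in this thread; the stem names (`ref:`, `bundle:`, `app:`), group names and the sample members are all constructed assumptions.

```python
"""Toy model of the Grouper folder layout described in the thread.

Constructed example; it is not Grouper's API. Stems, group names and members
are assumptions used only to show how policy composites (allow minus deny),
bundles (include minus exclude) and the reverse 'membership in other groups'
lookup fit together.
"""
from __future__ import annotations
from dataclasses import dataclass, field

STEMS = ("ref:", "bundle:", "app:")  # assumed stems; anything else is a person


def is_group(name: str) -> bool:
    """Anything under a known stem is a group; other names are subjects."""
    return name.startswith(STEMS)


@dataclass
class Group:
    name: str
    direct: set[str] = field(default_factory=set)   # direct subjects or groups
    composite: tuple[str, str] | None = None         # (left, right) = left minus right


class Registry:
    def __init__(self) -> None:
        self.groups: dict[str, Group] = {}

    def add(self, name: str, members=(), composite=None) -> None:
        self.groups[name] = Group(name, set(members), composite)

    def members(self, name: str, _path: tuple = ()) -> set[str]:
        """Effective subjects, flattening nested groups and resolving composites."""
        if name in _path:
            raise ValueError(f"membership cycle through {name}")
        g = self.groups[name]
        path = _path + (name,)
        if g.composite:
            left, right = g.composite
            return self.members(left, path) - self.members(right, path)
        out: set[str] = set()
        for m in g.direct:
            out |= self.members(m, path) if is_group(m) else {m}
        return out

    def memberships(self, name: str) -> set[str]:
        """Transitive 'membership in other groups': every group that `name` feeds,
        via direct membership or as the left (allow/include) side of a composite.
        The deny/exclude side is deliberately not followed: it never grants."""
        found, todo = set(), [name]
        while todo:
            cur = todo.pop()
            for g in self.groups.values():
                feeds = cur in g.direct or (g.composite is not None and g.composite[0] == cur)
                if feeds and g.name not in found:
                    found.add(g.name)
                    todo.append(g.name)
        return found

    def policies(self) -> set[str]:
        """Policy groups: the composites that live under the app: stem."""
        return {n for n, g in self.groups.items() if n.startswith("app:") and g.composite}

    def policies_reached(self, name: str) -> set[str]:
        """Services a group feeds access to, i.e. the 'allow' policies it sits in."""
        return self.memberships(name) & self.policies()

    def denied_in(self, name: str) -> set[str]:
        """Composites where `name` lands (transitively) on the deny/exclude side."""
        reach = self.memberships(name) | {name}
        return {n for n, g in self.groups.items() if g.composite and g.composite[1] in reach}

    def effective_policies(self, subject: str) -> set[str]:
        """For one person: the policies whose resolved membership really contains them."""
        return {p for p in self.policies() if subject in self.members(p)}


def build_registry() -> Registry:
    """Constructed sample data mirroring the ref/bundle/app layout."""
    r = Registry()
    # ref: reference groups state a fact about a person
    r.add("ref:employees", {"alice", "bob"})
    r.add("ref:contractors", {"carol"})
    r.add("ref:students", {"dan"})
    # bundle: a cohort that tends to get the same services, include minus exclude
    r.add("bundle:employee_services:include", {"ref:employees", "ref:contractors"})
    r.add("bundle:employee_services:exclude", {"bob"})  # bob is on leave (sample)
    r.add("bundle:employee_services",
          composite=("bundle:employee_services:include", "bundle:employee_services:exclude"))
    # app: one stem per service; each policy group is allow minus deny
    r.add("app:wiki:editors_allow", {"bundle:employee_services"})
    r.add("app:wiki:editors_deny", {"carol"})
    r.add("app:wiki:editors", composite=("app:wiki:editors_allow", "app:wiki:editors_deny"))
    r.add("app:vpn:users_allow", {"bundle:employee_services", "ref:students"})
    r.add("app:vpn:users_deny")
    r.add("app:vpn:users", composite=("app:vpn:users_allow", "app:vpn:users_deny"))
    return r


if __name__ == "__main__":
    reg = build_registry()
    for q in ("bundle:employee_services", "ref:employees", "ref:students"):
        print(f"{q} feeds policies: {sorted(reg.policies_reached(q))}")
    print("carol effective:", sorted(reg.effective_policies("carol")),
          "| denied in:", sorted(reg.denied_in("carol")))
```

The distinction worth noticing for the department-manager question in the thread: `policies_reached` answers "which services does adding someone to this group feed into?", which is what a group manager wants to know before adding a member, while `effective_policies` answers the per-person question after deny lists are applied. The two differ exactly where a deny group intervenes (carol reaches the wiki policy through the bundle but is excluded by its deny group).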

----- Original Message -----
From: "Dave Churchley" <>
To: "Julio Polo" <>, "Steven Carmody" <>
Cc: "Grouper-Users" <>
Sent: Thursday, March 2, 2017 3:54:41 AM
Subject: RE: [grouper-users] what is a group authorized to do ?

Yes, this is the method we use. We only have one of our base stems
provisioned to AD. Groups under that stem are (supposed to be) named uniquely
according to their purpose. Department groups and the like can be included as
members of these application groups. I think this works quite well. It is, in
fact, one of my seven principles of Grouper group administration
(https://blogs.ncl.ac.uk/integration/2016/02/19/make-applications-groups-specific/)!

Dave

From: [mailto:] On Behalf Of Julio Polo
Sent: 01 March 2017 21:09
To: Steven Carmody <>
Cc: Grouper-Users <>
Subject: Re: [grouper-users] what is a group authorized to do ?

I would advocate creating a group for each application/service (for each
authz need). Each of those application groups can include the same
officially-sanctioned group for the desired department, but each group can
have its own exceptions (inclusions and exclusions). To help track all such
groups, you can create a special attribute to identify them or you could just
put them all under one folder.
-julio

On Wed, Mar 1, 2017 at 9:41 AM, Steven Carmody <<mailto:>> wrote:
Hi,

We've got a growing community of dept-based people taking advantage of
delegated management of group membership. And we've got a growing community
of service owners managing the membership of their service eligibility
groups. They sometimes include dept-based-groups in their eligibility groups.

We now have some dept-based group managers asking "before I add a person to
group X, how can I find out the set of permissions and services that are granted
to that group?". A perfectly reasonable question.

I can see that using service management groups might help to develop an
answer -- I'm wondering if other sites have yet encountered this question,
and what tools they are providing to users who want an answer?

thanks!


