grouper-users - RE: [grouper-users] Web app environment-specific groups?
  • From: "Black, Carey M."
  • Subject: RE: [grouper-users] Web app environment-specific groups?
  • Date: Fri, 8 Dec 2017 20:07:10 +0000

REF: Grouper Deployment Guide Work -TIER Program


section 5.2.5 app:

                Not a lot of detail about what you should/“should not” do for the application Access Control Model. (Because it likely greatly depends on the application and how it works with its ACLs.)


                I however think it is wise, when you are planning how to set up the data in Grouper, to also consider the questions of:

                                Who will be controlling the ACL?

                                How will the ACLs be used? (Just by this one app? Shared among multiple apps? Etc…)

                                What does the infrastructure look like?

                                                Do you have completely parallel, independent infrastructure for dev, test, prod?

                                                Or do you really only have one “Grouper”, “LDAP”, “SORs”, “applications”?


                If you will only have one Grouper service (used for Dev, Test, and Prod environments) then a folder structure seems reasonable.

                If you will have three independent Grouper services (each used for only one of the Dev, Test, and Prod environments) then a folder structure would not seem reasonable.


                Also consider if you are publishing the Grouper data to one LDAP, 2 LDAP (Dev, Prod), or 3 LDAP servers (Dev, Test, Prod). [Same for RDBMS publishing.]

                Will the application be exposed to the full path or just some portion of it?

                                AKA :app:WebApp:Dev:Users    vs “Users”, “Dev:Users”, or “WebApp:Dev:Users”

                                Maybe the “Dev/Test/Prod” part should be above the app folder?

                                                AKA :app:Dev:WebApp:Users    vs “WebApp:Users”, or “Dev:WebApp:Users”

                                Would it be possible for an environment (of the application) to honor the wrong environment data from Grouper?

                                Will the internal workings of the app always work the same way based on your choices as you move your code through the environments?


                Lots of things to consider that are hard to make a “general plan that would work for everyone”.



In the deployment guide lingo….

                It looks like your {APP}Owners, {APP}Developers, {APP}Testers would be considered “application specific reference groups” (so they would be better in a subfolder by themselves: …:ref).

                The {APP}-DEV, {APP}-QA, {APP}-PROD would be the access control policies (ACPs). (Which you may or may not want in separate folders at the same level as “:ref”.)

                You may also want to use the “…:etc” folder to help control the Grouper ACLs to the Apps ACLs. :)


So maybe with “one grouper to rule them all”….

                Use more than one Grouper and just have this on both instances.

                Well you get the idea. :)


Hope that helps.



Carey Matthew


From: grouper-users On Behalf Of Peter DiCamillo
Sent: Friday, December 8, 2017 1:20 PM
To: Tomo O'BRIEN
Subject: Re: [grouper-users] Web app environment-specific groups?


When we've done that, we've used folders for the different environments. The APP folder would contain PROD, QA, and DEV folders (or whatever environments you require). In each environment folder there would be individual role groups, such as Owners, Developers, and Testers as you mentioned. So one group might be APP:QA:Testers. I don't know that there's any Grouper best practice for this. I'd like to know about it if there is.


On 12/8/17 12:49 PM, Tomo O'BRIEN wrote:

Hi folks,


We're interested in environment-specific groups like {APP}-Dev, {APP}-QA, {APP}-UAT, {APP}-Prod so we can have appropriate permission groups for each environment.


I haven't seen this pattern described on the wiki but maybe I'm just not looking in the right places? Has anyone developed a naming/composite structure for this situation?


I'm thinking about something like:


{APP}Owners (functional owners)




{APP}-DEV (union of Owners + Developers or maybe just Developers)

{APP}-QA (union of Owners + Testers)

{APP}-PROD (just Owners)


At some point we'd also have an intersection with our Employees + include - exclude group -- not sure where this is best positioned - after the ad hoc owners/developers/testers group or after the union of owners+testers or developers.


Any thoughts or suggestions would be appreciated!




Tom O'Brien 
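The layout the thread converges on (reference groups under …:ref, include/exclude groups under …:etc, one policy group per environment built as a chain of two-factor composites), as an added example that is not part of the thread and not Grouper code. It is a plain-Python model of Grouper's union/intersection/complement composite semantics so the design can be tried offline; the app name WebApp, the member ids, the Employees group and the ext-auditor include are all constructed. It also covers Carey's question of whether an app can honor the wrong environment's data: `members_for_running_env` is a hypothetical startup guard that refuses a configured group path whose environment component does not match the environment the app runs in, for either folder layout (environment under the app, or above it).

```python
# Added example (not Grouper code): a plain-Python model of the group layout
# discussed in the thread, so the composite chain and the two folder layouts can
# be tried offline. All group names and member ids below are constructed.

UNION, INTERSECTION, COMPLEMENT = "union", "intersection", "complement"


class Registry:
    """Groups keyed by full path. Composites mirror Grouper: exactly two factors."""

    def __init__(self):
        self.direct = {}      # path -> set of direct member ids
        self.composites = {}  # path -> (type, left path, right path)

    def group(self, path, members=()):
        self.direct[path] = set(members)
        return path

    def composite(self, path, ctype, left, right):
        self.composites[path] = (ctype, left, right)
        return path

    def members(self, path):
        """Effective membership, resolving composites recursively."""
        if path in self.composites:
            ctype, left, right = self.composites[path]
            lm, rm = self.members(left), self.members(right)
            if ctype == UNION:
                return lm | rm
            if ctype == INTERSECTION:
                return lm & rm
            return lm - rm  # COMPLEMENT: left minus right
        return set(self.direct.get(path, ()))


def policy_name(app, env, env_above_app=False):
    """The two layouts from the thread: app:<APP>:<ENV>:Users or app:<ENV>:<APP>:Users."""
    return f"app:{env}:{app}:Users" if env_above_app else f"app:{app}:{env}:Users"


def build(app="WebApp", env_above_app=False):
    """Reference groups under ...:ref, include/exclude under ...:etc, one policy per env."""
    reg = Registry()
    ref, etc = f"app:{app}:ref", f"app:{app}:etc"
    owners = reg.group(f"{ref}:Owners", ["alice"])
    developers = reg.group(f"{ref}:Developers", ["bob", "contractor1"])
    testers = reg.group(f"{ref}:Testers", ["carol", "dan"])
    employees = reg.group("ref:Employees", ["alice", "bob", "carol", "dan"])

    # Roles per environment (Tomo's proposal): Dev = Owners + Developers,
    # QA = Owners + Testers, Prod = Owners only.
    roles = {"Dev": (owners, developers), "QA": (owners, testers), "Prod": None}
    # Constructed adjustments: an external auditor added to QA, dan removed from QA.
    includes = {"QA": ["ext-auditor"]}
    excludes = {"QA": ["dan"]}

    for env, pair in roles.items():
        policy = policy_name(app, env, env_above_app)
        raw = owners if pair is None else reg.composite(f"{policy}_roles", UNION, *pair)
        # Grouper composites take two factors, so the chain needs helper groups:
        # roles ∩ Employees, then ∪ includes, then − excludes.
        allow = reg.composite(f"{policy}_allow", INTERSECTION, raw, employees)
        inc = reg.group(f"{etc}:{env}:includes", includes.get(env, ()))
        exc = reg.group(f"{etc}:{env}:excludes", excludes.get(env, ()))
        with_inc = reg.composite(f"{policy}_with_includes", UNION, allow, inc)
        reg.composite(policy, COMPLEMENT, with_inc, exc)
    return reg


def members_for_running_env(reg, app, running_env, configured_group, env_above_app=False):
    """Hypothetical startup guard for the app: the configured group must be the
    policy for the environment the app is actually running in, else refuse it."""
    expected = policy_name(app, running_env, env_above_app)
    if configured_group != expected:
        raise ValueError(f"{configured_group} is not the {running_env} policy ({expected})")
    return reg.members(configured_group)


if __name__ == "__main__":
    reg = build()
    for env in ("Dev", "QA", "Prod"):
        print(env, sorted(reg.members(policy_name("WebApp", env))))
    try:
        members_for_running_env(reg, "WebApp", "Prod", "app:WebApp:Dev:Users")
    except ValueError as err:
        print("refused:", err)
```

Running it shows why the Employees intersection sits after the role union: contractor1 is a Developer but not an Employee, so it never reaches the Dev policy, while the QA include/exclude groups under …:etc adjust only that environment. The guard is the piece that makes a mis-deployed config fail closed rather than silently grant Dev access in Prod.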



