Grouper Users - Open Discussion List

["William G. Thompson, Jr." <>]

John,

Great questions!  Some answers below...

On Thu, Feb 22, 2018 at 1:39 AM, John Gasper 
<>
 wrote:
> Hello all,
>
>
>
> I’m working with Stanford University to help them determine if Grouper is a
> good replacement for their homegrown group management application. They are
> hoping to get some questions answered from other organizations. I know of
> the profiles on the Grouper Confluence site, but in most cases that info is
> old and doesn’t necessarily answer the questions we are looking for. Would
> you please take a few minutes and provide some feedback about your
> organization’s use of Grouper?

There are many ways one could use Grouper.  However, if they are
interested in TIER, they should review the TIER Grouper Deployment
Guide to see how that fits in with what they are currently doing, and
perhaps more importantly where they think they are going.

I'll take a stab at the questions below for Lafayette...

>
>
>
> What usage scenarios are you using Grouper to solve?

* subject attribute management (for the purposes of access control)
* centralized authorization/account policy management (currently 48
services under grouper policy management)
* automated provisioning/deprovisioning driven by subject attribute
based access policy (ABAC)
* distributed access control lists and exceptions to access policy
* mandatory mailing list policy (really just a special case of authz policy)

> How does Grouper fit into your environment? Do you also run another
> authorization management app? Did Grouper displace an existing centralized
> authorization management application?

Grouper is a cornerstone of our TIER based IAM architecture, and our
only centralized authorization/policy management service. Grouper
filled a need that was largely going unmet. It has replaced or avoided
additional ad-hoc, project driven, platform/language de jour, costly,
one-off custom integrations.

>
> What integrations have been integrated with Grouper?

We run a rabbitMQ based provisioning engine (RPE).  Grouper -> RPE ->
*many services (LDAP, REST, shell, etc)

>
> What customizations to Grouper have you applied? Custom UI?

None. We haven't needed to do this. We also do not have any in-house
Java expertise.

>
> What EFT is used to maintain? What’s the EFT’s skillset to run/maintain
> Grouper?

.25 maybe of a system programmer and iam analyst.  The work includes
evolving reference groups (subject attribute management) in the face
of new and changing access policy requirements, working with
application owners to translate natural language access policy to
grouper policy groups, and in our case configuring/creating new
provisioners from time to time.

Skillset: IAM concepts, sql, python, grouper, rabbitmq, modest
sysadmin, linux, tomcat

>
> How long do you retain your audit/point in time tables? What is your current
> database size?

In production for ~3 years. Currently retain all data. Not sure on the db 
size.

Best,
Bill


>
>
>
> Feel free to reply directly to me or back to the list (probably preferable
> so others can benefit, but understandable if you choose not to).
>
>
>
> Thanks very much,
>
> John
>
>
>
> --
>
> John Gasper
> IAM Consultant
> Unicon, Inc.
> PGP/GPG Key: 0xbafee3ef
>
>