Subject: Grouper Users - Open Discussion List
- From: Richard Frovarp <>
- To: " Mailing List" <>
- Subject: [grouper-users] Advanced Grouper usage
- Date: Wed, 26 Jun 2019 15:29:19 +0000
I have a bunch of questions surrounding Grouper usage. We have the
basics up and running, and are looking to add in some more advanced
operations. We have a pretty full featured custom engineered IAM
solution that we are using Grouper in part to replace. The grouping part
of Grouper is better than our custom solution, I'm just trying to figure
out how to do some similar operations to what we have now elsewhere in
First, what are group types? To me they just seem like labels? What are
they used for? Is it for external applications, or can you use them in
the rule engine? I feel like understanding this would help us out.
Imagine we have something like this:
-College of Science and Math
Those would be loaded via a loader. There are a few other things we
could have under departments such as the programs they have. Is there a
way to automatically (possibly with rules?) to create groups of those
groups? So all students in Physics, or all Sophomores in the college of
science and math? We could populate them by hand, but if departments
move / rename, or new programs are added, we would have to be notified.
I could see doing this with the API and crawling the tree and updating,
I am just wondering if there is a better way.
Is there a way to use attributes to drive a loader? I saw something
about how the data could be synced between DBs now? Maybe do something
with that? Ideally we'd have attributes on groups to set the semester(s)
they should be looking at for the loader where clause. Different
processes on campus look at different semesters at different times. So I
can't do anything central.
Then we have a couple of other things that our current system does, that
I'm looking for ideas how to implement in Grouper. We are using RabbitMQ
in the current solution, and we plan to use it with Grouper. Our current
system can enforce order of operation when provisioning access. The easy
example is that you can't be added to an AD Group until you are in AD.
So our current system keeps track of state of the account. Is it being
provisioned, has it been provisioned, is it locked, or is it in a state
to be deleted. So what is a good way of tracking that in Grouper? The
current solution communicates back after each operation to indicate that
the provisioning request has been performed. So maybe keep track of
status in part via attributes? Can we make it so that removal from one
group populates the user into another group? So if they are removed from
the active AD group, they are then put into the locked AD group? Any
I can think of ways to brute force most of this through the API, but
seems like there should be easier / more Grouper native ways. So any
ideas would be greatly appreciated.
- [grouper-users] Advanced Grouper usage, Richard Frovarp, 06/26/2019
- RE: [grouper-users] Advanced Grouper usage, Hyzer, Chris, 06/27/2019
Archive powered by MHonArc 2.6.19.