Grouper Users - Open Discussion List

[Richard Frovarp <>]

I have a bunch of questions surrounding Grouper usage. We have the 
basics up and running, and are looking to add in some more advanced 
operations. We have a pretty full featured custom engineered IAM 
solution that we are using Grouper in part to replace. The grouping part 
of Grouper is better than our custom solution, I'm just trying to figure 
out how to do some similar operations to what we have now elsewhere in 
Grouper.

First, what are group types? To me they just seem like labels? What are 
they used for? Is it for external applications, or can you use them in 
the rule engine? I feel like understanding this would help us out.

Imagine we have something like this:

-College of Science and Math

-- Mathematics

--- Freshmen

--- Sophomores

-- Physics

--- Freshmen

--- Sophomores


Those would be loaded via a loader. There are a few other things we 
could have under departments such as the programs they have. Is there a 
way to automatically (possibly with rules?) to create groups of those 
groups? So all students in Physics, or all Sophomores in the college of 
science and math? We could populate them by hand, but if departments 
move / rename, or new programs are added, we would have to be notified. 
I could see doing this with the API and crawling the tree and updating, 
I am just wondering if there is a better way.

Is there a way to use attributes to drive a loader? I saw something 
about how the data could be synced between DBs now? Maybe do something 
with that? Ideally we'd have attributes on groups to set the semester(s) 
they should be looking at for the loader where clause. Different 
processes on campus look at different semesters at different times. So I 
can't do anything central.


Then we have a couple of other things that our current system does, that 
I'm looking for ideas how to implement in Grouper. We are using RabbitMQ 
in the current solution, and we plan to use it with Grouper. Our current 
system can enforce order of operation when provisioning access. The easy 
example is that you can't be added to an AD Group until you are in AD. 
So our current system keeps track of state of the account. Is it being 
provisioned, has it been provisioned, is it locked, or is it in a state 
to be deleted. So what is a good way of tracking that in Grouper? The 
current solution communicates back after each operation to indicate that 
the provisioning request has been performed. So maybe keep track of 
status in part via attributes? Can we make it so that removal from one 
group populates the user into another group? So if they are removed from 
the active AD group, they are then put into the locked AD group? Any 
other ideas?

I can think of ways to brute force most of this through the API, but 
seems like there should be easier / more Grouper native ways. So any 
ideas would be greatly appreciated.

Thanks,

Richard