Grouper Users - Open Discussion List

["Hyzer, Chris" <>]

> I have a bunch of questions surrounding Grouper usage. We have the 
> basics up and running, and are looking to add in some more advanced 
> operations. We have a pretty full featured custom engineered IAM 
> solution that we are using Grouper in part to replace. The grouping part 
> of Grouper is better than our custom solution, I'm just trying to figure 
> out how to do some similar operations to what we have now elsewhere in 
> Grouper.
> 
> First, what are group types? 

They are like labels

> To me they just seem like labels? 

Yes

> What are they used for? Is it for external applications, or can you use 
> them in 
> the rule engine? I feel like understanding this would help us out.

We are using them to mark groups as certain types to help out in using the UI 
and groups (e.g. ref groups should be added to policy groups).  We are 
looking for other uses for them 😊  Currently there are only built in "types", 
not sure if that is the future.  Currently if you want to add a label you can 
make an attribute and add it.

> 
> Imagine we have something like this:
> 
> -College of Science and Math
> 
> -- Mathematics
> 
> --- Freshmen
> 
> --- Sophomores
> 
> -- Physics
> 
> --- Freshmen
> 
> --- Sophomores
> 
> 
> Those would be loaded via a loader. There are a few other things we 
> could have under departments such as the programs they have. Is there a 
> way to automatically (possibly with rules?) to create groups of those 
> groups? So all students in Physics, or all Sophomores in the college of 
> science and math? We could populate them by hand, but if departments 
> move / rename, or new programs are added, we would have to be notified. 
> I could see doing this with the API and crawling the tree and updating, 
> I am just wondering if there is a better way.

Yes, you can do this with the loader.  Here are some simple and complicated 
examples:

https://docs.google.com/presentation/d/1Dd3yHjlmSivB7GsDtt0GLDGYN4n0kv3vj7D09E4C_2M/edit?usp=sharing

https://spaces.at.internet2.edu/display/Grouper/Grouper+Loader+classlist+example+from+Penn

https://spaces.at.internet2.edu/display/Grouper/Organization+hierarchies+via+the+grouper+loader


> 
> Is there a way to use attributes to drive a loader? I saw something 
> about how the data could be synced between DBs now? Maybe do something 
> with that? Ideally we'd have attributes on groups to set the semester(s) 
> they should be looking at for the loader where clause. Different 
> processes on campus look at different semesters at different times. So I 
> can't do anything central.

You want to assign an attribute value, and use a loader to load groups based 
on those values?  Yes you can do that

> 
> 
> Then we have a couple of other things that our current system does, that 
> I'm looking for ideas how to implement in Grouper. We are using RabbitMQ 
> in the current solution, and we plan to use it with Grouper. Our current 
> system can enforce order of operation when provisioning access. The easy 
> example is that you can't be added to an AD Group until you are in AD. 
> So our current system keeps track of state of the account. Is it being 
> provisioned, has it been provisioned, is it locked, or is it in a state 
> to be deleted. So what is a good way of tracking that in Grouper? 

> The 
> current solution communicates back after each operation to indicate that 
> the provisioning request has been performed. So maybe keep track of 
> status in part via attributes? 

Sounds reasonable.  Send a rabbitmq that an account is available so load 
everything for that user?   Not sure but you could open a jira and we could 
look at it.  I believe the PSPNG assumes accounts are in LDAP/AD if it is 
provisioning, and it should skip it if there is an error.  But confirm with 
Bert. 

> Can we make it so that removal from one 
> group populates the user into another group? 

Yes

> So if they are removed from 
> the active AD group, they are then put into the locked AD group? Any 
> other ideas?
> 
> I can think of ways to brute force most of this through the API, but 
> seems like there should be easier / more Grouper native ways. So any 
> ideas would be greatly appreciated.
> 
>

-----Original Message-----
From:  
<> On Behalf Of Richard Frovarp
Sent: Wednesday, June 26, 2019 11:29 AM
To:  Mailing List <>
Subject: [grouper-users] Advanced Grouper usage

I have a bunch of questions surrounding Grouper usage. We have the 
basics up and running, and are looking to add in some more advanced 
operations. We have a pretty full featured custom engineered IAM 
solution that we are using Grouper in part to replace. The grouping part 
of Grouper is better than our custom solution, I'm just trying to figure 
out how to do some similar operations to what we have now elsewhere in 
Grouper.

First, what are group types? To me they just seem like labels? What are 
they used for? Is it for external applications, or can you use them in 
the rule engine? I feel like understanding this would help us out.

Imagine we have something like this:

-College of Science and Math

-- Mathematics

--- Freshmen

--- Sophomores

-- Physics

--- Freshmen

--- Sophomores


Those would be loaded via a loader. There are a few other things we 
could have under departments such as the programs they have. Is there a 
way to automatically (possibly with rules?) to create groups of those 
groups? So all students in Physics, or all Sophomores in the college of 
science and math? We could populate them by hand, but if departments 
move / rename, or new programs are added, we would have to be notified. 
I could see doing this with the API and crawling the tree and updating, 
I am just wondering if there is a better way.

Is there a way to use attributes to drive a loader? I saw something 
about how the data could be synced between DBs now? Maybe do something 
with that? Ideally we'd have attributes on groups to set the semester(s) 
they should be looking at for the loader where clause. Different 
processes on campus look at different semesters at different times. So I 
can't do anything central.


Then we have a couple of other things that our current system does, that 
I'm looking for ideas how to implement in Grouper. We are using RabbitMQ 
in the current solution, and we plan to use it with Grouper. Our current 
system can enforce order of operation when provisioning access. The easy 
example is that you can't be added to an AD Group until you are in AD. 
So our current system keeps track of state of the account. Is it being 
provisioned, has it been provisioned, is it locked, or is it in a state 
to be deleted. So what is a good way of tracking that in Grouper? The 
current solution communicates back after each operation to indicate that 
the provisioning request has been performed. So maybe keep track of 
status in part via attributes? Can we make it so that removal from one 
group populates the user into another group? So if they are removed from 
the active AD group, they are then put into the locked AD group? Any 
other ideas?

I can think of ways to brute force most of this through the API, but 
seems like there should be easier / more Grouper native ways. So any 
ideas would be greatly appreciated.

Thanks,

Richard