grouper-users - RE: [grouper-users] Advanced Grouper usage

Subject: Grouper Users - Open Discussion List


RE: [grouper-users] Advanced Grouper usage


  • From: "Hyzer, Chris" <>
  • To: Richard Frovarp <>, " Mailing List" <>
  • Subject: RE: [grouper-users] Advanced Grouper usage
  • Date: Thu, 27 Jun 2019 03:46:23 +0000

> I have a bunch of questions surrounding Grouper usage. We have the
> basics up and running, and are looking to add in some more advanced
> operations. We have a pretty full featured custom engineered IAM
> solution that we are using Grouper in part to replace. The grouping part
> of Grouper is better than our custom solution, I'm just trying to figure
> out how to do some similar operations to what we have now elsewhere in
> Grouper.
>
> First, what are group types?

They are like labels.

> To me they just seem like labels?

Yes

> What are they used for? Is it for external applications, or can you use
> them in
> the rule engine? I feel like understanding this would help us out.

We are using them to mark groups as certain types to help out in using the UI
and groups (e.g. ref groups should be added to policy groups). We are
looking for other uses for them 😊 Currently there are only built in "types",
not sure if that is the future. Currently if you want to add a label you can
make an attribute and add it.

>
> Imagine we have something like this:
>
> -College of Science and Math
> -- Mathematics
> --- Freshmen
> --- Sophomores
> -- Physics
> --- Freshmen
> --- Sophomores
>
> Those would be loaded via a loader. There are a few other things we
> could have under departments such as the programs they have. Is there a
> way to automatically (possibly with rules?) to create groups of those
> groups? So all students in Physics, or all Sophomores in the college of
> science and math? We could populate them by hand, but if departments
> move / rename, or new programs are added, we would have to be notified.
> I could see doing this with the API and crawling the tree and updating,
> I am just wondering if there is a better way.

Yes, you can do this with the loader. Here are some simple and complicated
examples:

https://docs.google.com/presentation/d/1Dd3yHjlmSivB7GsDtt0GLDGYN4n0kv3vj7D09E4C_2M/edit?usp=sharing

https://spaces.at.internet2.edu/display/Grouper/Grouper+Loader+classlist+example+from+Penn

https://spaces.at.internet2.edu/display/Grouper/Organization+hierarchies+via+the+grouper+loader


>
> Is there a way to use attributes to drive a loader? I saw something
> about how the data could be synced between DBs now? Maybe do something
> with that? Ideally we'd have attributes on groups to set the semester(s)
> they should be looking at for the loader where clause. Different
> processes on campus look at different semesters at different times. So I
> can't do anything central.

You want to assign an attribute value, and use a loader to load groups based
on those values? Yes, you can do that.

>
>
> Then we have a couple of other things that our current system does, that
> I'm looking for ideas how to implement in Grouper. We are using RabbitMQ
> in the current solution, and we plan to use it with Grouper. Our current
> system can enforce order of operation when provisioning access. The easy
> example is that you can't be added to an AD Group until you are in AD.
> So our current system keeps track of state of the account. Is it being
> provisioned, has it been provisioned, is it locked, or is it in a state
> to be deleted. So what is a good way of tracking that in Grouper? The
> current solution communicates back after each operation to indicate that
> the provisioning request has been performed. So maybe keep track of
> status in part via attributes?

Sounds reasonable. Send a rabbitmq that an account is available so load
everything for that user? Not sure but you could open a jira and we could
look at it. I believe the PSPNG assumes accounts are in LDAP/AD if it is
provisioning, and it should skip it if there is an error. But confirm with
Bert.

> Can we make it so that removal from one
> group populates the user into another group?

Yes

> So if they are removed from
> the active AD group, they are then put into the locked AD group? Any
> other ideas?
>
> I can think of ways to brute force most of this through the API, but
> seems like there should be easier / more Grouper native ways. So any
> ideas would be greatly appreciated.
>
>

-----Original Message-----
From: <> On Behalf Of Richard Frovarp
Sent: Wednesday, June 26, 2019 11:29 AM
To: Mailing List <>
Subject: [grouper-users] Advanced Grouper usage

I have a bunch of questions surrounding Grouper usage. We have the
basics up and running, and are looking to add in some more advanced
operations. We have a pretty full featured custom engineered IAM
solution that we are using Grouper in part to replace. The grouping part
of Grouper is better than our custom solution, I'm just trying to figure
out how to do some similar operations to what we have now elsewhere in
Grouper.

First, what are group types? To me they just seem like labels? What are
they used for? Is it for external applications, or can you use them in
the rule engine? I feel like understanding this would help us out.

Imagine we have something like this:

-College of Science and Math
-- Mathematics
--- Freshmen
--- Sophomores
-- Physics
--- Freshmen
--- Sophomores

Those would be loaded via a loader. There are a few other things we
could have under departments such as the programs they have. Is there a
way to automatically (possibly with rules?) to create groups of those
groups? So all students in Physics, or all Sophomores in the college of
science and math? We could populate them by hand, but if departments
move / rename, or new programs are added, we would have to be notified.
I could see doing this with the API and crawling the tree and updating,
I am just wondering if there is a better way.

Is there a way to use attributes to drive a loader? I saw something
about how the data could be synced between DBs now? Maybe do something
with that? Ideally we'd have attributes on groups to set the semester(s)
they should be looking at for the loader where clause. Different
processes on campus look at different semesters at different times. So I
can't do anything central.


Then we have a couple of other things that our current system does, that
I'm looking for ideas how to implement in Grouper. We are using RabbitMQ
in the current solution, and we plan to use it with Grouper. Our current
system can enforce order of operation when provisioning access. The easy
example is that you can't be added to an AD Group until you are in AD.
So our current system keeps track of state of the account. Is it being
provisioned, has it been provisioned, is it locked, or is it in a state
to be deleted. So what is a good way of tracking that in Grouper? The
current solution communicates back after each operation to indicate that
the provisioning request has been performed. So maybe keep track of
status in part via attributes? Can we make it so that removal from one
group populates the user into another group? So if they are removed from
the active AD group, they are then put into the locked AD group? Any
other ideas?

I can think of ways to brute force most of this through the API, but
seems like there should be easier / more Grouper native ways. So any
ideas would be greatly appreciated.

Thanks,

Richard
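The loader-based approach Chris points to above (derived "groups of groups" and a term picked by attribute values) can be sketched as a single query. The block below is an added example, not code from this thread, from Grouper, or from the linked Penn pages: it uses an in-memory SQLite database and a constructed enrollment table to stand in for the loader's source database, and returns rows in the two-column GROUP_NAME / SUBJECT_ID shape that a Grouper SQL_GROUP_LIST loader consumes (check the loader documentation for your Grouper version for the exact column conventions). The `loader_terms` table is a stand-in for the per-group semester attribute values the question asks about; in a real deployment those would come from your attribute assignments rather than a table. Because every rollup (department, class year across the college, whole college) is computed from the same rows, a renamed or newly added department shows up on the next loader run without anyone crawling the tree.

```python
import sqlite3

# Constructed sample data: one row per student enrollment, as an SIS might expose it.
ENROLLMENTS = [
    # subject_id, college, department, class_year, term
    ("s1001", "csm", "math",    "freshmen",   "2019FA"),
    ("s1002", "csm", "math",    "sophomores", "2019FA"),
    ("s1003", "csm", "physics", "freshmen",   "2019FA"),
    ("s1004", "csm", "physics", "sophomores", "2019FA"),
    ("s1004", "csm", "physics", "sophomores", "2019SP"),  # same student, older term
    ("s1005", "csm", "physics", "sophomores", "2019SP"),  # only enrolled in the older term
    ("s1002", "csm", "physics", "sophomores", "2019FA"),  # double major
]

# Stand-in for "which term(s) should this loader look at" (hypothetical table;
# in Grouper these would be attribute values on the loader group).
DEFAULT_LOADER_TERMS = [("csm", "2019FA")]

# Query in SQL_GROUP_LIST shape: first column is the full group name, second is
# the subject id. UNION (not UNION ALL) de-duplicates double majors.
GROUP_LIST_SQL = """
WITH active AS (
    SELECT e.subject_id, e.college, e.department, e.class_year
    FROM enrollment e
    JOIN loader_terms t ON t.college = e.college AND t.term = e.term
)
SELECT 'school:' || college || ':' || department || ':' || class_year AS group_name,
       subject_id
FROM active
UNION
SELECT 'school:' || college || ':' || department || ':all', subject_id FROM active
UNION
SELECT 'school:' || college || ':' || class_year, subject_id FROM active
UNION
SELECT 'school:' || college || ':all', subject_id FROM active
ORDER BY 1, 2
"""


def build_db(loader_terms=None):
    """Create the in-memory source database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enrollment(subject_id TEXT, college TEXT, "
                 "department TEXT, class_year TEXT, term TEXT)")
    conn.execute("CREATE TABLE loader_terms(college TEXT, term TEXT)")
    conn.executemany("INSERT INTO enrollment VALUES (?,?,?,?,?)", ENROLLMENTS)
    conn.executemany("INSERT INTO loader_terms VALUES (?,?)",
                     loader_terms if loader_terms is not None else DEFAULT_LOADER_TERMS)
    return conn


def group_list_rows(conn):
    """Return (group_name, subject_id) tuples exactly as the loader would read them."""
    return conn.execute(GROUP_LIST_SQL).fetchall()


def memberships(conn):
    """Collapse loader rows into {group_name: [subject ids]} for inspection."""
    out = {}
    for group_name, subject_id in group_list_rows(conn):
        out.setdefault(group_name, []).append(subject_id)
    return out


if __name__ == "__main__":
    for group_name, members in memberships(build_db()).items():
        print(f"{group_name}: {', '.join(members)}")
```

To use this pattern in Grouper you would put the query on a loader group with `grouperLoaderType` set to `SQL_GROUP_LIST` and `grouperLoaderQuery` set to the SQL, and set `grouperLoaderGroupsLike` so that groups which stop appearing in the result (a department that was renamed away) are removed rather than left stale. Two practitioner notes: the loader runs this query with whatever database credentials it is configured with, so give it a read-only account on the source database; and since `loader_terms` decides who is "active", treat whatever holds those values in your deployment (attribute assignments or a config table) as a privileged input and restrict who can change it.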



