In this Q&A, ITS Identity Management Manager Celeste Copeland discusses the Grouper groups-management tool, its use, reasons for its growth and its future. This post is part of a continuing series about ITS Identity Management.
What is Grouper?
Grouper is a groups-management utility that enables you to create individual groups through its user interface and either put people in place manually, or add them dynamically based on Lightweight Directory Access Protocol (LDAP) attribute values. For instance, you may request a group be populated based on department number so that people are automatically added to or removed from the group as they move into or out of a particular department. Group math allows even more complex automatic population, based on the union or intersection of groups. For instance, you may ask that group C be comprised of people who are members of both group A and group B.
Group membership information can be pushed to Active Directory (AD) and LDAP and can also be passed as user information when an application uses Web Single Sign-On.
Explain how the University uses Grouper.
Grouper enables applications across campus to grant access to certain users based on their group memberships and to display different features to users based on what their group memberships are. For instance, if I am a member of a superuser group, I may have more access to a specific web utility than someone who is not a member of that group.
Can you make this tool’s functionality more tangible by describing a hypothetical user and use of Grouper?
Let’s say I am a curator for a specific collection within the UNC Libraries. I may want to grant read-only access to the online materials for this collection to a specific set of users and more powerful access to make changes to the collection for another set of users. Also, I may want a specific department to automatically have read-only access as soon as they become a member of the department. I would request to have administrative rights to four groups: The “read” group would have two sub-groups, one of which would be a manual group where I as the curator would manually add people, and the other of which would be automatically populated by having the specific department number on their LDAP record. The “read/write” group would also be a manual group where I would add specific people individually. Then, within the library application, it would need to be configured to recognize those group memberships and behave correctly according to who was logged into the site and what group memberships they had.
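The following is an added example, not Grouper’s own code or anything from ITS. It models the group resolution described in the two answers above (manual members, members populated dynamically from an LDAP attribute value, and group math via union and intersection) and then walks through the curator’s four-group library scenario. The user records, department numbers, group names and the application’s group-to-permission policy are all constructed for illustration.

```python
"""Toy model of Grouper-style group resolution and the application-side check.

Added example, not Grouper's own code. The directory records, department
numbers, group names and permission policy below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed stand-in for LDAP person records: uid -> attributes.
SAMPLE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "alice": {"departmentNumber": "4100"},
    "bob":   {"departmentNumber": "4100"},
    "carol": {"departmentNumber": "5200"},
    "dave":  {"departmentNumber": "5200"},
    "erin":  {"departmentNumber": "6300"},
}


@dataclass(frozen=True)
class Group:
    """One group definition; a group may combine the three population rules."""
    name: str
    manual: FrozenSet[str] = frozenset()                # people added by hand
    attribute: Optional[Tuple[str, str]] = None         # (LDAP attribute, value): dynamic members
    composite: Optional[Tuple[str, str, str]] = None    # ("union" | "intersection", left, right)


class Registry:
    def __init__(self, directory: Dict[str, Dict[str, str]]) -> None:
        self.directory = directory
        self.groups: Dict[str, Group] = {}

    def add(self, group: Group) -> None:
        self.groups[group.name] = group

    def members(self, name: str, _path: Tuple[str, ...] = ()) -> FrozenSet[str]:
        """Resolve effective membership recursively; refuses cyclic definitions."""
        if name in _path:
            raise ValueError("cyclic group definition: " + " -> ".join(_path + (name,)))
        g = self.groups[name]
        path = _path + (name,)
        result = set(g.manual)
        if g.attribute is not None:
            attr, value = g.attribute
            # Dynamic population: whoever currently carries the value in the directory.
            result |= {uid for uid, rec in self.directory.items() if rec.get(attr) == value}
        if g.composite is not None:
            op, left, right = g.composite
            left_members, right_members = self.members(left, path), self.members(right, path)
            if op == "union":
                result |= left_members | right_members
            elif op == "intersection":
                result |= left_members & right_members
            else:
                raise ValueError(f"unknown composite operation {op!r}")
        return frozenset(result)


def build_library_registry(directory: Dict[str, Dict[str, str]]) -> Registry:
    """The curator's four groups: 'read' is the union of a manual sub-group and a
    department-populated sub-group; 'write' is a manual group."""
    reg = Registry(directory)
    reg.add(Group("lib:coll:read:manual", manual=frozenset({"erin"})))
    reg.add(Group("lib:coll:read:dept", attribute=("departmentNumber", "4100")))
    reg.add(Group("lib:coll:read", composite=("union", "lib:coll:read:manual", "lib:coll:read:dept")))
    reg.add(Group("lib:coll:write", manual=frozenset({"carol"})))
    return reg


# Application-side policy (an assumption of this example): which group unlocks which actions.
POLICY: Dict[str, FrozenSet[str]] = {
    "lib:coll:read": frozenset({"read"}),
    "lib:coll:write": frozenset({"read", "write"}),
}


def permissions(reg: Registry, uid: str) -> FrozenSet[str]:
    """What the library application would allow this logged-in user to do."""
    granted = set()
    for group, actions in POLICY.items():
        if uid in reg.members(group):
            granted |= actions
    return frozenset(granted)


if __name__ == "__main__":
    reg = build_library_registry(dict(SAMPLE_DIRECTORY))
    for uid in SAMPLE_DIRECTORY:
        print(uid, sorted(permissions(reg, uid)))
    # Dynamic membership follows the directory: bob transfers out of department 4100.
    reg.directory["bob"] = {"departmentNumber": "6300"}
    print("bob after transfer:", sorted(permissions(reg, "bob")))
    # Group math: writers who are also in department 5200 (intersection of two groups).
    reg.add(Group("dept:5200", attribute=("departmentNumber", "5200")))
    reg.add(Group("lib:coll:write:5200", composite=("intersection", "dept:5200", "lib:coll:write")))
    print("writers in 5200:", sorted(reg.members("lib:coll:write:5200")))
```

The point of the model is that the application never stores a user list of its own: it asks for effective membership at request time, so a department transfer in the directory removes access without anyone editing the library group, which is the behaviour the answer above relies on. The cycle check matters in practice as well, since a composite group that indirectly includes itself would otherwise never resolve.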
Where did Grouper come from and how long has the University been using it?
Grouper is an Internet2 community project, which has been around since circa 2004, and is actively developed by many of our peer institutions, including Duke University, University of Chicago, University of Pennsylvania, University of Washington, University of Memphis and University of Bristol (UK). It is intended as a solution for the enterprise access-management space. You can learn more about the Grouper collaboration on the Internet2 website.
Grouper is also a major participant in the TIER initiative. This is important as TIER is an effort that we will be paying close attention to in order to be in alignment with what other universities and research institutions are doing in the Identity Management space. You can read about TIER on the Internet2 website.
ITS began using Grouper around 2009. Many other groups around campus are also major users of Grouper, including the library and the School of Medicine, among others. Use of Grouper has steadily grown since that time.
In January, Identity Management upgraded to the most recent Grouper version, and Chad Redman has been actively contributing code and bug fixes to this open-source Internet2 effort.
Is this new version significantly better? If so, how?
The new version has a much-improved user interface, which was one of the biggest pain points of Grouper previously. Also, the new version has significantly reduced the amount of custom code we needed to add on to the Grouper code base in order to interact with our campus LDAP and AD instances, since the newest version has configurable data syncers that did not exist in previous versions.
We also have some new functionality that may become useful, in that it has web services that can be used by external applications to directly add groups and group memberships to the Grouper database without having to go through the UI.
Is the campus demand for Grouper increasing?
We get more requests for Grouper groups from new departments and applications on a weekly basis.
It’s a good idea to use centralized groups since there is the potential for significant cross-over between applications that need to cater to similar populations.
Our next significant effort with Grouper will be to create course-based groups, including roles within each course for instructor, teaching assistant and student. We are discussing those ideas with ITS Teaching & Learning and hope to have something implemented in FY 2017-2018. This will enable course-based access to things like Office 365 work spaces.