Page tree
Skip to end of metadata
Go to start of metadata

Grouper Provisioning Plugin

The Grouper Provisioning Plugin provisions groups and memberships in groups to an Internet2 Grouper instance using the Grouper web services interface.

Operations

Registry CO Person Transaction

Grouper Action

Add

None

Edit

Synchronize CO Person CO Group memberships with Grouper

Enter Grace Period

None

Expiration / Becomes Inactive

Synchronize CO Person CO Group memberships with Grouper

Unexpire / Becomes Active

Synchronize CO Person CO Group memberships with Grouper

Delete

De-provision CO Person CO Group memberships from Grouper

Manual Provision

Synchronize CO Person CO Group memberships with Grouper

Petition ProvisionProvision CO Person CO Group memberships to Grouper
Pipeline ProvisionProvision CO Person CO Group memberships to Grouper

Registry CO Group Transaction

Grouper Action

Add

Provision CO Group record (including memberships) to Grouper

Edit

Provision CO Group record (including memberships) to Grouper

Delete

Delete CO Group record (and memberships) to Grouper

Manual Provision

Provision CO Group record (including memberships) to Grouper

Provisioning of groups from Registry into Grouper is per CO with all groups for a CO provisioned under a single (configurable) stem or folder in Grouper. All groups in Registry, with the exception of the 'admin' and 'members' groups for COUs, are provisioned directly under the configured stem or folder for the CO. The 'admin' and 'members' groups for COUs are provisioned into a stem or folder hierarchy that mirrors the COU parent-child relationship (if any) in Registry.


How the Grouper Provisioner chooses and provisions the identifier for Grouper to use for the subject (ie. the user or member) has changed as of version 1.1.0 of COmanage Registry. A legacy mode configuration is available for deployments that wish to upgrade to version 1.1.0 without changing the Grouper Provisioner configuration, but the legacy mode is deprecated and will be removed in a later release. Please see the documentation on configuration and consult with the COmanage developers if you have questions.

If you plan for users to access the Grouper UI and for that access to be managed using COmanage Registry, we recommend you create a CO unique identifier and use it as the expected identifier that the Grouper UI will see and map to subjects (Grouper users).

A change in the COU hierarchy in Registry, such as changing a parent-child COU relationship or deleting a COU parent, will not be reflected in Grouper. At this time the Grouper web services component does not support moving stems or folders. A request to the Grouper team to implement such a feature for the web services component has been made (CO-1043). We do not recommend changing the COU parent-child relationships once established when using the Grouper Provisioner. Renaming COUs and deleting COUs (with no children or roles) is supported.

Configuration

We recommend that before configuring a Grouper Provisioner for a CO you have already enrolled or onboarded at least one user to create a CO Person record with an active status.

We include details for deploying Grouper itself. You may wish to skip some items below if you will be using a Grouper instance that is already deployed.

  1. Prepare your database for Grouper.
  2. Prepare Java.
  3. Prepare Apache HTTP Server.
  4. Prepare the Tomcat container.
  5. Prepare for Grouper installation.
  6. Install Grouper.
  7. Complete post configuration steps.
  8. Test the Grouper Shell GSH.
  9. Test the Grouper UI.
  10. Test the Grouper WS.
  11. Grant CREATE VIEW to Registry database user.
  12. Configure the Grouper Provisioner Plugin.
  13. Configure Grouper subject source.
  14. Intial Reconciliation and Testing.
  15. Configure SSO access to the Grouper UI for users.
  16. Configure Grouper PSP to provision to LDAP.



  • No labels