Grouper Groups Management Toolkit
\Internet2’s Grouper Groups Management Toolkit enables project managers, departments, institutions, and end-users to create and manage institutional and personal groups. It puts the control of a group in the hands of its steward and enables the person to manage the membership and what resources it can access.
Why Should I Use Groups
in my IAM Infrastructure?
Using groups in the Identity and Access Management infrastructure adds important contextual information about an individual’s formal and informal affiliations with the institution. Separate applications may use groups to track who is in what role for instance, and if an individual is in a particular group, the person is authorized to access the resource.
But because the implementation of a group is often managed separately in each application, keeping the membership roster consistent across these services becomes very difficult. If a member leaves a project, for example, the group’s email list, wiki space, calendar, research database, and other shared resources need to be updated separately to reflect this.
Keeping a group’s membership in sync contributes to
- Substantially reduced security risks (Sally shouldn’t have access as of today, and she doesn’t).
- Increased productivity (Sally has timely access to what she should).
- Decreased number of help-desk trouble tickets (Sally accesses the resources without help-desk assistance).
As the number and size of groups in the organization increase, ensuring group memberships are up to date across applications becomes an even more pressing need. A group management tool like Grouper allows you to scale the process.
The Grouper Advantage
Manages it All in One Place
By consolidating group information in Grouper and creating a single point of management, changes of membership are done once and then provisioned to the applications.
Grouper holds information not only about the membership, but also the hierarchy of authority regarding who may create, update, and delete it. It enables the group owner to define membership, create a group structure within their domain, or delegate all of this to someone else.
To make this possible, the toolkit functions as an extension of the identity management system, enabling applications to use the group information by provisioning it where it needs to go or directly by using web services. To keep it all running smoothly, Grouper also includes several system management tools.
With Grouper, individuals across campus manage the memberships of the groups they steward. Grouper keeps the group membership decisions in the hands of the business/group owners, access control in the hands of the application owners, and the technology management in the hands of the technologists.
Schools, departments and even project leads and students can use an institutionally-tailored interface to manage their groups using plain language they understand. Individuals can use the system to review what groups they are members of as well. Grouper provides a consistent view and application of institution groups across all campus systems it serves.
This data is then supplied to the identity management system and used by applications and services. This relieves IT administrators from the burden of implementing the day to day group changes and increases the overall integrity of the policy and technology interaction.
Helps Collaboration Happen
In the past, collaborating on a document and shared schedules meant that the sender would email the current draft or proposed schedule to the project group. It was easy and implied a notion of access control, since the recipient group would be the only ones to receive it. Or would they? In actuality, the sender must trust the recipient not to forward the document on. It’s a little better today, since we have an emerging set of collaboration tools (wikis, shared calendars, etc.) that are more useful in their specific functions. However, they are still too cumbersome for the individual in managing access for their team (e.g., call the help desk when a new member joins) and for the institution in managing all the groups across all the collaborative applications when a group changes (e.g., update the membership in each application).
The solution is to set up a group in one spot that is leveraged by multiple tools and doesn’t require technical skills to create, change, or delete. In Grouper, for example, a researcher might create a “my-research-project” group and enable the members to participate on an email list, calendar group, web site, and so on. Alternatively, students could use Grouper to set up and manage “my-business-course-cohorts” to enable similar applications in support of doing their case work or collaborate on a portfolio. The software enables group management from the institution to the individual level and empowers people to use more secure, robust, and responsive methods to control access to their resources.
Eases Staff Support Load
Grouper separates the management of the groups from the technical system, so a change in technology details does not affect those using it. After integrating Grouper with your identity management system, you’ll have a way to manage the membership of roles and other functions that individuals have with the institution. Further, automatic change or revocation of service can be accomplished based on group membership changes. Removing IT from the middle of managing groups will help ease your helpdesk headaches as well. And Grouper’s benefits accrue as more and more systems use it.
What Do I Need to Have in Place?
To implement Grouper, you need to have
- An institutional identity management system and a model for how access management fits in.
- A good relationship with key stakeholders across campus to develop the policy and business rules associated with groups and related authority issues.
- The resources to implement and support the model.
How Do I Get Started?
To learn more about the Grouper Groups Management Toolkit, visit the Grouper website (grouper.internet2.edu) and join the community by participating on the email lists and attending the workshops and presentations offered around the country.
About the Internet2 Middleware Initiative
Led by the Middleware Architecture Committee for Education (MACE), the Internet2 Middleware Initiative comprises a number of projects that address challenges in the middleware and identity services space. For more information, visit middleware.internet2.edu.
Development of this software was supported with funding from Internet2, the University of Chicago, the University of Bristol, the NSF Middleware Initiative (NSF 02-028, Grant No. OCI-0330626, OCI-0721896), and JISC.
QUOTE IN BOX
Grouper has made a tremendous difference in our ability to support both departmental needs and central services, while simultaneously creating a more integrated and robust authorization and collaboration infrastructure.
— Tracy Futhey
CIO, Duke University