The access control models described in this guide all assume some mechanism to communicate Grouper group and membership changes to target services or an intermediary like an LDAP based enterprise directory service. Provisioning may be set up to keep various groups in sync with target systems, translate a group membership to an eduPersonEntitlement value, or create and keep remote identity records up to date.
Grouper provisioning mechanisms broadly fall into several categories:
- “Direct from Grouper to target service” covers Grouper specific components and plugins for various targets such as AD/LDAP, Duo, etc. Grouper contains a change log for loosely coupled connections to external systems.
- “Message queue based delivery” relies on a message queue infrastructure to communicate changes to the appropriate provisioning components. In this model the logic for communicating with the external system is not executed, managed, monitored or audited inside Grouper.
- External systems can use web services or LDAP to pull data from Grouper into their data repository.
Group and membership changes are provisioned to target services with two main strategies:
- Full-sync batch scheduled provisioning looks at the source and the target and fully synchronizes the data
- Incremental near real-time provisioning looks at the change log to send focused events to the target.
It is best to run both full and incremental provisioning if possible. A full sync and an incremental sync should not run at the same time; each should wait until the other has finished.
Whether you use one or the other, or both models, largely depends on your specific situation and provisioning targets. The Grouper Provisioning: Locally & Cloud slides from the 2016 Technology Exchange provide more details on these approaches.
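The two strategies above, as an added illustration that is not part of this guide or of Grouper's own code: a full sync that reconciles a target against the source view of a group, and an incremental pass that replays change-log entries past a checkpoint, with one shared lock so the two never run at the same time. The `Target` class, the change-log tuple shape and the action names are constructed assumptions, not Grouper APIs.

```python
"""Constructed example: full-sync vs incremental provisioning of one group."""
import threading
from dataclasses import dataclass, field

# One lock shared by both strategies, so a full sync and an incremental
# sync wait for each other instead of interleaving writes to the target.
_provision_lock = threading.Lock()


@dataclass
class Target:
    """Stand-in for a provisioning target such as an LDAP group (assumed)."""
    members: set = field(default_factory=set)
    log: list = field(default_factory=list)  # audit trail of applied operations

    def add(self, subject):
        self.members.add(subject)
        self.log.append(("add", subject))

    def remove(self, subject):
        self.members.discard(subject)
        self.log.append(("remove", subject))


def full_sync(source_members, target):
    """Compare source and target and apply only the differences.
    Returns (added, removed) so the run can be audited."""
    with _provision_lock:
        adds = sorted(set(source_members) - target.members)
        removes = sorted(target.members - set(source_members))
        for subject in adds:
            target.add(subject)
        for subject in removes:
            target.remove(subject)
        return adds, removes


def incremental_sync(change_log, target, last_seen):
    """Apply change-log entries newer than the checkpoint last_seen and
    return the new checkpoint. Entries are constructed as
    (sequence, action, subject); replaying old entries is a no-op."""
    with _provision_lock:
        for seq, action, subject in sorted(change_log):
            if seq <= last_seen:
                continue  # already provisioned; safe to replay the log
            if action == "add_member":
                target.add(subject)
            elif action == "delete_member":
                target.remove(subject)
            last_seen = seq
        return last_seen
```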