Why are we doing this?

Problem Statement:

Our legacy IAM solution (Passport York) has reached some of limits in terms of group provisioning (e.g. automatic provisioning access to AD and Azure AD resources) that we are more and more relying on running ad-hoc scripts and manual interventions to try to keep up.

Impact Statement:

Reduced productivity resulting by the increase of manual work required by the various IT departments of the university to fulfill access management needs.

How do we judge success? Success metrics

  • Decommissioning scripts that are currently used as a passable stop-gap
  • The solution can be reused to allow automatic group provisioning to as many as possible directory services and applications at the university: (e.g.: AD, Azure AD, LDAP and Passport York) 
  • Replacing suboptimal process of group provisioning inside PY
  • Reducing the amount of manual activities by IT for access management
What are possible solutions?

Statements of justification for the solution(s) chosen

Grouper: An open-source access management solution that can provide automatic group provisioning, based on attribute, role or membership of a person.

High-level timeline


  • Grouper PoC installation and configuration: Jan/Feb
  • Validate Grouper PoC with various IT groups: Feb/Mar
  • Deploy Solution production: Mar/Apr
  • Decommission existing scripts: Apr*

*Note: Depending on the advancement of the project, the decommissioning of current scripts could be scoped out of this project and handled by a separate initiatives outside the CSP.
Issues trackingIT Ticketing system and JIRA

Stakeholder Impact

Who is the customer and how does this help them?

The overall organization 

Why will the customer want this?

Reducing required time to complete access management request

Affecting IT staff to activities that provides more value to the organization.

Scale and scope

Scale: Medium to large


  • Deploying Grouper and Docker into production
  • Importing necessary attributes and memberships from SIS and PY
  • Provisioning groups and access into AD and Azure AD
  • Developing framework for future reuse


  • Developer availability not confirmed yet that could scale back the scope of this project.
  • No Docker infrastructure supported by IT
  • No labels