UW-Madison is building on its Grouper deployment. The adoption of Office 365 for email, calendaring and perhaps more is driving the need for more sophisticated group provisioning services.  We are trying to align our Grouper-based approach to permissions with the need to manage Active Directory (AD) role and resource groups.

The challenge here is first and foremost the alignment of conceptual models. The hope is that if Grouper and AD share a common conceptual model, the actual provisioning will be much more straightforward. Grouper supports the notion of permissions in the general form "holders of role R1 can perform action A on resource Re". Active Directory policies use the related terminology of role group and resource group. The first step will be to get a better understanding of recommended practices in AD. This is the document we're reviewing:

- Best Practice: Active Directory Structure Guidelines – Part 1

Anyone have a better document?
