Grouper was implemented as part of an IAM renewal program for the university in the spring of 2018. Version 2.4 is currently in production and an upgrade to 2.5 is being tested.
Our IAM strategy for determining access was introduced as a two-step process in Grouper:
The Grouper Loader is used to introduce affiliation groups based on available campus data that is linked to identity:
Delegated access is rolled out to the various units across campus as the need arises. These administrators are asked to build further affiliations that aid in required access definitions, things like:
Access definitions are then built using the available affiliations. Access definitions typically require X groups:
Some access definitions are contained within a department while others are spread across the university.
A custom connector was built to allow the campus IDM system to track Grouper group memberships. The access definition group memberships are used in the campus IDM to detect entitlements required by an identity. Accounts and access provisioning using these groups are currently targeted towards services like:
We're also using PSPNG to provision to an Active Directory that was put in place while Grouper was being piloted and has been left in place.
The system has been in use since spring 2018. There are currently 540 delegated administrators across campus working with 29,000 groups (the bulk of which are loaded).
The production system runs using two smaller VMs acting as user interface servers, and one running the daemon (loader & PSPNG).