...

We are actively working with campus data stewards to identify/define institutional roles (types of students, types of employees, types of visitors/guests, etc.) in order to source and automate book-of-record group/role provisioning. As opportunities arise, we work with service providers to streamline and automate role-based access for existing and future applications.

IAMUCLA manages/asserts eduPersonEntitlement values by mapping entitlement values to Grouper-managed service eligibility groups. The service eligibility groups, in turn, map to a mix of institutional groups and service-specific, locally managed groups.
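The mapping described above, sketched as an added example (not IAMUCLA or Grouper code): it flattens nested group membership and derives the eduPersonEntitlement values to assert for a user. All group names, entitlement URNs, and the assumption that an eligibility group is the union of its member groups are hypothetical.

```python
# Added illustration: group names, entitlement URNs and the "union of member
# groups" semantics are assumptions, not IAMUCLA's actual configuration.

# Constructed registry: group -> direct members. A member is either a user id
# ("u:...") or the name of another group (nested membership).
GROUPS = {
    "ref:students:enrolled": {"u:alice", "u:bob"},   # institutional, book-of-record
    "ref:employees:staff": {"u:carol"},              # institutional, book-of-record
    "app:streaming:local_exceptions": {"u:dave"},    # service-specific, locally managed
    "svc:streaming:eligible": {"ref:students:enrolled",
                               "app:streaming:local_exceptions"},
    "svc:mfa:eligible": {"ref:employees:staff", "svc:streaming:eligible"},
}

# Constructed mapping: entitlement value -> service eligibility group.
ENTITLEMENTS = {
    "urn:example:entitlement:streaming": "svc:streaming:eligible",
    "urn:example:entitlement:mfa": "svc:mfa:eligible",
}


def effective_members(group, groups, _seen=None):
    """Flatten nested membership to user ids; tolerates cycles and unknown groups."""
    seen = set() if _seen is None else _seen
    if group in seen:            # already expanded (cycle or shared subgroup)
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member.startswith("u:"):
            users.add(member)
        else:
            users |= effective_members(member, groups, seen)
    return users


def entitlements_for(user, groups=GROUPS, mapping=ENTITLEMENTS):
    """Return the sorted entitlement values to assert for one user."""
    return sorted(value for value, group in mapping.items()
                  if user in effective_members(group, groups))
```

Because entitlements are derived from membership on every evaluation, removing a user from a book-of-record group withdraws every entitlement that depended on it without any per-service cleanup.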

Use Cases

The sections below highlight several sample Grouper integration use cases at UCLA:

IAMUCLA Deployment Use Cases

Student Portal (MyUCLA) Role-Based Access

Type: Application Role-Based Access Control

MyUCLA is UCLA's student services portal. Rather than a traditional portal where content is collected and delivered via a series of widgets on a single platform, MyUCLA is made up of several distinct web applications. Each of these applications is managed by a different department at UCLA. MyUCLA produces a coherent user experience through coordinated design, development, and a set of back-end data sharing/exchange interfaces. In particular, all MyUCLA applications share a common set of Grouper-managed user roles and access memberships. Group membership is managed via a mix of book-of-record data feeds and direct updates via the Grouper web service. The membership assignment in turn maps to role attribute values. All applications under the MyUCLA umbrella consume role attributes via Shibboleth to determine user access at run time.

[Diagram: Grouper and MyUCLA Integration]

Campus ID Card / Door Access Management (BruinCard)

Type: ACL-Based Access Control

BruinCard is UCLA's employee and student photo ID card. It is a physical door access token, a debit card, and is used for meals and access to events on campus. UCLA is in the process of replacing the BruinCard application (moving from older Blackboard software to Blackboard Transact). While migrating, we are integrating BruinCard systems with Grouper, using Grouper to manage/automate door access provisioning and de-provisioning.

Shibboleth Multi-Factor Authentication Management

Type: Service Eligibility Declaration / Group Membership Management

 

External Service Entitlement Attribute Management (PAC-12 TV and HBO GO)

Type: Service Eligibility Declaration/Management

TODO: Write use case description.

Box Group Management

Type: Group Membership Management

...

1. automate Box group membership updates (from book-of-record data sources)
2. enable more flexible, distributed group membership management by project, department, or collaboration groups.

Application-Specific Deployment Use Cases

Faculty Information System (Opus)

Separate from the Enterprise IAM deployment, UCLA's Faculty Information System Project (Opus) has adopted Grouper as an application-specific, academic hierarchy driven, role-based access management solution.

...