
Overview

The overall approach to access management with Grouper is to create and maintain institutionally meaningful cohorts (reference groups), which in turn are used to drive access policy groups. The access policy groups then provide subject attributes (role names or entitlements) that are mapped to coarse- or fine-grained permission sets at the target service.

How the fine-grained application permission sets are managed is usually specific and local to the target service. In some cases, the privilege to use a particular service (a set of rights to specific resources) can be mapped to a subject attribute representing an entitlement (i.e., the subject is entitled/authorized to access the service). In these cases, a membership assignment in an access policy group can drive an eduPersonEntitlement value that is often consumed by the target service via a SAML assertion. In other cases, group membership must be provisioned to the target service to effectively control access.

How application permission sets are managed, how membership assignments are communicated, and how access policy is enforced can vary considerably depending on the security needs and capabilities of the target service. However, the overall approach to access management with Grouper remains consistent. The following sections use terminology and models from NIST SP 800-162 and XACML to demonstrate a variety of models that leverage this approach.
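As an added illustration of the chain described above (not code from the Grouper project or from this page), the following Python model shows reference groups driving an access policy group, the policy group driving an eduPersonEntitlement value, and a target service checking that value from a SAML assertion. All group names, subjects and the entitlement URN are constructed placeholders.

```python
"""Model of the Grouper access-management chain:
reference groups -> access policy group -> subject attribute
(eduPersonEntitlement) -> authorization check at the target service.
Every group name, subject and URN below is a constructed placeholder."""

# Reference groups: institutionally meaningful cohorts maintained from
# systems of record (constructed sample data).
REFERENCE_GROUPS = {
    "ref:faculty": {"alice", "bob"},
    "ref:staff": {"carol"},
    "ref:student": {"dave", "erin"},
    "ref:leave_of_absence": {"bob"},
}

# Access policy group in the usual Grouper composite shape:
# an "allow" side (union of reference groups) minus a "deny" side.
POLICY_GROUPS = {
    "app:wiki:wiki_users": {
        "allow": ["ref:faculty", "ref:staff"],
        "deny": ["ref:leave_of_absence"],
        # Entitlement value this policy group drives (constructed URN).
        "entitlement": "urn:mace:example.edu:entitlement:wiki",
    }
}


def policy_members(policy: str) -> set[str]:
    """Effective membership of a policy group: allow minus deny."""
    spec = POLICY_GROUPS[policy]
    allowed = set().union(*(REFERENCE_GROUPS[g] for g in spec["allow"]))
    denied = set().union(*(REFERENCE_GROUPS[g] for g in spec["deny"]))
    return allowed - denied


def entitlements_for(subject: str) -> set[str]:
    """Values an IdP would release in the SAML eduPersonEntitlement
    attribute, derived from the subject's policy-group memberships."""
    return {
        spec["entitlement"]
        for name, spec in POLICY_GROUPS.items()
        if subject in policy_members(name)
    }


def service_allows(asserted: set[str], required: str) -> bool:
    """Target-service check: the assertion must carry the exact entitlement
    value the service requires; the service never looks up memberships."""
    return required in asserted
```

Removing "bob" from the leave-of-absence reference group, or adding a subject to "ref:staff", changes the entitlement on the next assertion without touching the policy group itself, which is the point of driving policy from reference groups.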

Access Control Model 1 - Grouper Subject Attributes

Access Control Model 2 - Grouper as PAP and PDP

Access Control Model 3 - RBAC User to Role Mapping

Access Control Model 4 - WebSSO Short-circuit

Distributed Access Control Management

Application Permissions Management - RBAC with Grouper
