
The access control models described in this guide all assume some mechanism to communicate Grouper group and membership changes to target services or an intermediary like an LDAP based enterprise directory service. Provisioning may be set up to keep various groups in sync with target systems, translate a group membership to an eduPersonEntitlement value, or create and keep remote identity records up to date.

Grouper provisioning mechanisms broadly fall into several categories:

  1. "Direct from Grouper to target service" covers Grouper-specific components and plugins for various targets such as AD/LDAP, Duo, etc.  Grouper contains a change log for loosely coupled connections to external systems.
  2. "Message queue based delivery" relies on a message queue infrastructure to communicate changes to the appropriate provisioning components.  In this model the logic for communicating with the external system would not be executed / managed / monitored / audited inside of Grouper.
  3. External systems can use web services or LDAP to pull data from Grouper into their data repository.

Data can be provisioned in two different ways.  Generally it is best to do both full and incremental provisioning if possible.  The full and incremental sync should not run at the same time (they should wait until the other is done).

  1. Full-sync batch scheduled provisioning looks at the source and the target and fully synchronizes the data.
  2. Incremental near real-time provisioning looks at the change log to send focused events to the target.  Note, depending on the nature of the changes in the queue, the provisioner could kick off a full sync of a group, folder, or all of Grouper.
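The two modes above, reduced to their core logic as an added illustration (this is not Grouper's own provisioner code): a full sync reconciles the target to the source and reports every add and remove so the run is auditable, an incremental sync applies focused membership events from the change log and escalates any non-membership event to a full sync of that one group, and a drift check shows what a full sync would still have to correct. Group names, subjects and the event shape are constructed for the example.

```python
# Constructed sample data (not from the Grouper project): memberships as Grouper
# holds them, a target's current state, and a slice of change-log events.
SOURCE = {"app:admins": {"alice", "bob"}, "app:users": {"alice", "carol", "dave"}}
TARGET = {"app:admins": {"bob", "eve"}, "app:users": {"alice", "carol"}}
CHANGELOG = [
    {"type": "membership_add", "group": "app:admins", "subject": "alice"},
    {"type": "membership_delete", "group": "app:admins", "subject": "eve"},
    {"type": "membership_add", "group": "app:users", "subject": "dave"},
    {"type": "group_update", "group": "app:users", "subject": None},  # structural change
]

def full_sync(source, target, groups=None):
    """Reconcile target to source for the given groups (all groups if None).
    Returns {group: (added, removed)} so the run can be audited."""
    groups = set(source) | set(target) if groups is None else set(groups)
    report = {}
    for g in sorted(groups):
        want, have = source.get(g, set()), target.get(g, set())
        report[g] = (want - have, have - want)
        target[g] = set(want)          # target now mirrors Grouper for this group
    return report

def incremental_sync(changelog, source, target):
    """Apply focused change-log events to the target. Any event that is not a
    plain membership add/delete escalates to a full sync of that one group.
    Returns the set of groups that were escalated."""
    escalated = set()
    for ev in changelog:
        g = ev["group"]
        if ev["type"] == "membership_add":
            target.setdefault(g, set()).add(ev["subject"])
        elif ev["type"] == "membership_delete":
            target.setdefault(g, set()).discard(ev["subject"])
        else:
            escalated.add(g)           # rename, attribute change, etc.: resync the group
    if escalated:
        full_sync(source, target, escalated)
    return escalated

def drift(source, target):
    """Groups whose target membership differs from Grouper; a non-empty result
    after an incremental run is the signal that a full sync is overdue."""
    return {g for g in set(source) | set(target)
            if source.get(g, set()) != target.get(g, set())}

if __name__ == "__main__":
    t = {g: set(m) for g, m in TARGET.items()}
    print("full sync:", full_sync(SOURCE, t))
    t = {g: set(m) for g, m in TARGET.items()}
    print("escalated:", incremental_sync(CHANGELOG, SOURCE, t), "drift:", drift(SOURCE, t))
```

Removals (here `eve` leaving `app:admins`) matter as much as adds: a target that only ever receives adds accumulates stale access, which is exactly what the periodic full sync exists to catch.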

Whether you use one or the other, or both models, largely depends on your specific situation and provisioning targets. The Grouper Provisioning: Locally & Cloud slides from the 2016 Technology Exchange provide more details on these approaches.
