Overview
UCLA's enterprise identity management program (IAMUCLA) deploys Grouper as a strategic component of its role and access management solution. Grouper is at the center of all group-like (role, access control list, service eligibility, distribution list) management activities on the IAMUCLA roadmap.
We are actively working with campus data stewards to identify/define institutional roles (types of students, types of employees, types of visitors/guests, etc.) in order to source and automate book-of-record group/role provisioning. At the same time, as opportunities arise, we work with service providers to enable streamlined, flexible, and automated role-based access for current and future applications.
As of October 2014, UCLA's MyUCLA student portal, which consists of multiple applications, is using Grouper-managed groups to perform all of its access control.
IAMUCLA now manages/asserts eduPersonEntitlement values by mapping each entitlement value to a Grouper-managed service eligibility group. The service eligibility groups, in turn, map to a mix of institutional groups and service-specific, locally managed groups.
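The entitlement derivation described above, as an added example that is not IAMUCLA's or Grouper's own code: a service eligibility group is modelled as a Grouper-style composite (union, intersection, or complement) of institutional and locally managed groups, and a subject's eduPersonEntitlement values are computed from effective membership. Group names, subject ids and the entitlement URN are constructed placeholders, not UCLA's.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Group:
    # Direct members, or a composite (op, left, right) built from two other groups.
    name: str
    members: Set[str] = field(default_factory=set)
    composite: Optional[Tuple[str, str, str]] = None

class Registry:
    # Minimal stand-in for a Grouper registry plus the entitlement-to-group mapping.
    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}
        self.entitlements: Dict[str, str] = {}  # entitlement value -> eligibility group

    def add(self, group: Group) -> None:
        self.groups[group.name] = group

    def map_entitlement(self, value: str, group_name: str) -> None:
        self.entitlements[value] = group_name

    def members(self, name: str) -> Set[str]:
        # Resolve effective membership, recursing through composite groups.
        g = self.groups[name]
        if g.composite is None:
            return set(g.members)
        op, left, right = g.composite
        l, r = self.members(left), self.members(right)
        if op == "union":
            return l | r
        if op == "intersection":
            return l & r
        if op == "complement":  # members of left that are not in right
            return l - r
        raise ValueError(f"unknown composite operator {op!r}")

    def entitlements_for(self, subject: str) -> List[str]:
        # eduPersonEntitlement values to assert for a subject, derived from membership.
        return sorted(v for v, g in self.entitlements.items() if subject in self.members(g))

def build_example() -> Registry:
    # Constructed sample data: two institutional groups and a locally managed opt-out list.
    reg = Registry()
    reg.add(Group("ref:student:enrolled", {"alice", "bob"}))
    reg.add(Group("ref:employee:staff", {"carol", "dave"}))
    reg.add(Group("app:portal:opt_out", {"bob"}))  # service-specific, locally managed
    reg.add(Group("app:portal:population", composite=("union", "ref:student:enrolled", "ref:employee:staff")))
    reg.add(Group("app:portal:eligible", composite=("complement", "app:portal:population", "app:portal:opt_out")))
    reg.map_entitlement("urn:mace:example.edu:entitlement:portal", "app:portal:eligible")  # placeholder URN
    return reg
```

Because the entitlement is computed from effective membership rather than stored per person, removing a subject from the book-of-record source group (or adding them to the local opt-out list) revokes the assertion on the next evaluation with no per-application change.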
Use Cases
IAMUCLA Deployment
Student Portal (MyUCLA) Role-Based Access
Type: Application Role-Based Access Control
Campus ID Card / Door Access Management (BruinCard)
Type: ACL-Based Access Control
Anderson School Role Management
Type: Organizational Role Management
Service Entitlement Attribute Management
Type: Service Eligibility Declaration/Management
Box Group Management
Type: Group Membership Management
Application-Specific Deployment
Faculty Information System (Opus)
Separate from the Enterprise IAM deployment, UCLA's Faculty Information System Project (Opus) has adopted Grouper as an application-specific, academic-hierarchy-driven, role-based access management solution.
Opus intends to operate a separate Grouper instance from the enterprise instance at its initial launch. Plans to migrate to or converge with the enterprise instance are TBD.