UCLA Grouper Deployment
Update Underway
UCLA is in the middle of updating contents on this page. While everything posted is accurate, it is still missing substantial content. Please pardon our dust.
Overview
UCLA's enterprise identity management program (IAMUCLA) deploys Grouper as a strategic component of its role and access management solution. Grouper is at the center of all group-like (role, access control list, service eligibility, distribution list) management activities on the IAMUCLA roadmap.
We are actively working with campus data stewards to identify and define institutional roles (types of students, types of employees, types of visitors/guests, etc.) in order to source and automate book-of-record group/role provisioning. At the same time, as opportunities arise, we work with service providers to enable streamlined, flexible, and automated role-based access for current and future applications.
As of October 2014, UCLA's MyUCLA student portal, which consists of multiple applications, is using Grouper-managed groups to perform all of its access control.
IAMUCLA now manages and asserts eduPersonEntitlement values by mapping each entitlement value to a Grouper-managed service eligibility group. Each service eligibility group, in turn, maps to a mix of institutional groups and service-specific, locally managed groups.
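The entitlement mapping described above, modelled as an added example (not UCLA's code or configuration): each service eligibility group is a Grouper-style composite of institutional and local groups, and a user's eduPersonEntitlement values are derived from their memberships at assertion time. Group names, entitlement URNs and the sample memberships are constructed for illustration.

```python
"""Derive eduPersonEntitlement values from Grouper-style group memberships.

All group names, URNs and memberships below are constructed sample data,
not UCLA's real Grouper groups or entitlement values."""

# Service eligibility groups as composites: a user qualifies when they are in
# at least one "include" group (union) and none of the "exclude" groups
# (complement), the same shape Grouper composite groups support.
ELIGIBILITY_GROUPS = {
    "svc:box:eligible": {
        "include": {"inst:employee:staff", "inst:student:grad", "local:box:sponsored"},
        "exclude": {"local:box:blocked"},        # locally managed deny list
    },
    "svc:myucla:student": {
        "include": {"inst:student:ugrad", "inst:student:grad"},
        "exclude": set(),
    },
}

# One entitlement value per service eligibility group.
ENTITLEMENTS = {
    "svc:box:eligible": "urn:mace:example.edu:entitlement:box",
    "svc:myucla:student": "urn:mace:example.edu:entitlement:myucla-student",
}

# Constructed direct memberships: institutional groups come from book-of-record
# feeds, local groups from service owners via the Grouper web services.
MEMBERSHIPS = {
    "alice": {"inst:employee:staff"},
    "bob": {"inst:student:grad", "local:box:blocked"},
    "carol": {"local:box:sponsored", "inst:visitor:guest"},
    "dave": {"inst:visitor:guest"},
}


def is_eligible(user_groups, eligibility_group):
    """True when the user falls inside the composite eligibility group."""
    spec = ELIGIBILITY_GROUPS[eligibility_group]
    return bool(user_groups & spec["include"]) and not (user_groups & spec["exclude"])


def entitlements_for(user):
    """eduPersonEntitlement values the IdP would assert for this user."""
    groups = MEMBERSHIPS.get(user, set())
    return sorted(uri for grp, uri in ENTITLEMENTS.items() if is_eligible(groups, grp))


def revoke(user, group):
    """Drop a membership (e.g. an affiliation ending in the book of record).
    Entitlements are recomputed from groups, so access follows automatically."""
    MEMBERSHIPS.get(user, set()).discard(group)
    return entitlements_for(user)
```

Because entitlements are derived rather than stored per user, a membership change in a single institutional group is all that is needed to grant or revoke access across every dependent service.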
Use Cases
IAMUCLA Deployment
Student Portal (MyUCLA) Role-Based Access
Type: Application Role-Based Access Control
MyUCLA is UCLA's student services portal. Rather than a traditional portal, where content is collected and delivered via a series of portlets, MyUCLA is made up of several distinct web applications managed by multiple departments at UCLA. MyUCLA produces a coherent user experience through coordinated design and development and a set of back-end data sharing/exchange interfaces. MyUCLA uses Grouper to manage all of its user roles and access control. Group membership is managed via a mix of book-of-record data feeds and direct updates via the Grouper web services. The membership information in turn is mapped to role attribute values. All applications under the MyUCLA umbrella consume these role attributes via Shibboleth to determine user access at run time.
Campus ID Card / Door Access Management (BruinCard)
Type: ACL-Based Access Control
TODO: Write use case description.
Anderson School Role Management
Type: Organizational Role Management
TODO: Write use case description.
Service Entitlement Attribute Management
Type: Service Eligibility Declaration/Management
TODO: Write use case description.
Box Group Management
Type: Group Membership Management
TODO: Write use case description.
Application-Specific Deployment
Faculty Information System (Opus)
Separate from the enterprise IAM deployment, UCLA's Faculty Information System project (Opus) has adopted Grouper as an application-specific, academic-hierarchy-driven, role-based access management solution.
Opus intends to operate a Grouper instance separate from the enterprise instance at its initial launch. Plans to migrate to or converge with the enterprise instance are TBD.