UCLA Grouper Deployment

Update Underway

UCLA is in the middle of updating contents on this page. While everything posted is accurate, it is still missing substantial content. Please pardon our dust.

Overview

UCLA's enterprise identity management program (IAMUCLA) deploys Grouper as a strategic component of its role and access management solution. Grouper is at the center of all group-like (role, access control list, service eligibility, distribution list) management activities on the IAMUCLA roadmap.

We are actively working with campus data stewards to identify and define institutional roles (types of students, types of employees, types of visitors/guests, etc.) in order to source and automate book-of-record group/role provisioning. At the same time, as opportunities arise, we work with service providers to enable streamlined, flexible, and automated role-based access for current and future applications.

As of October 2014, UCLA's MyUCLA student portal, which consists of multiple applications, is using Grouper-managed groups to perform all of its access control.

IAMUCLA now manages and asserts eduPersonEntitlement values by mapping each entitlement value to a Grouper-managed service eligibility group. The service eligibility groups, in turn, map to a mix of institutional groups and service-specific, locally managed groups.

Use Cases

IAMUCLA Deployment

Student Portal (MyUCLA) Role-Based Access

Type: Application Role-Based Access Control

MyUCLA is UCLA's student services portal. Rather than a traditional portal where content is collected and delivered via a series of portlets, MyUCLA is made up of several distinct web applications managed by multiple departments at UCLA. MyUCLA produces a coherent user experience through coordinated design, development, and a set of back-end data sharing/exchange interfaces. MyUCLA uses Grouper to manage all of its user roles and access control. Group membership is managed via a mix of book-of-record data feeds and direct updates via the Grouper web service. The membership information is in turn mapped to role attribute values. All applications under the MyUCLA umbrella consume these role attributes via Shibboleth to determine user access at run time.
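The two mappings described on this page (entitlement values mapped to service eligibility groups in the Overview, and group memberships mapped to role attribute values for MyUCLA) both reduce to the same operation: resolve a subject's effective membership in Grouper groups, some of which are composites of other groups, then translate the groups the subject belongs to into attribute values. The following is an added example written for this page, not UCLA's or the Grouper project's code. It models Grouper's three composite types (union, intersection, complement) over an in-memory registry; all group names, entitlement URIs and subject memberships are constructed placeholders.

```python
"""Resolve Grouper-style composite groups into eduPersonEntitlement values
and application role attribute values.

Added example for this page, not UCLA's or Grouper's own code. Group names,
entitlement URIs and memberships below are constructed placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Composite:
    """A Grouper composite combines exactly two factor groups with one operator."""
    op: str     # "union", "intersection" or "complement" (left minus right)
    left: str   # factor group name
    right: str  # factor group name


class GroupRegistry:
    def __init__(self) -> None:
        self.direct: dict[str, set[str]] = {}       # group -> direct member subject ids
        self.composites: dict[str, Composite] = {}  # group -> composite definition

    def add_direct(self, group: str, *subjects: str) -> None:
        self.direct.setdefault(group, set()).update(subjects)

    def add_composite(self, group: str, op: str, left: str, right: str) -> None:
        self.composites[group] = Composite(op, left, right)

    def members(self, group: str, _stack: tuple[str, ...] = ()) -> set[str]:
        """Effective members of a group; composites are resolved recursively.

        A composite that (transitively) references itself is a configuration
        error and raises rather than looping forever; an unknown group name
        also raises so that a typo in a mapping is noticed instead of silently
        granting or dropping access.
        """
        if group in _stack:
            raise ValueError("composite cycle: " + " -> ".join(_stack + (group,)))
        if group in self.composites:
            c = self.composites[group]
            left = self.members(c.left, _stack + (group,))
            right = self.members(c.right, _stack + (group,))
            if c.op == "union":
                return left | right
            if c.op == "intersection":
                return left & right
            if c.op == "complement":
                return left - right
            raise ValueError(f"unknown composite operator {c.op!r}")
        if group in self.direct:
            return set(self.direct[group])
        raise KeyError(f"unknown group {group!r}")


# ---- constructed sample data (placeholders, not real UCLA groups) ----
REGISTRY = GroupRegistry()
# Institutional (book-of-record) groups
REGISTRY.add_direct("ucla:inst:student:undergrad", "alice", "bob")
REGISTRY.add_direct("ucla:inst:student:grad", "carol")
REGISTRY.add_direct("ucla:inst:employee:staff", "carol", "dave")
# Service-specific, locally managed groups
REGISTRY.add_direct("ucla:app:financialaid:optout", "bob")
# Composites
REGISTRY.add_composite("ucla:inst:student", "union",
                       "ucla:inst:student:undergrad", "ucla:inst:student:grad")
REGISTRY.add_composite("ucla:svc:box:eligible", "union",
                       "ucla:inst:student", "ucla:inst:employee:staff")
REGISTRY.add_composite("ucla:svc:financialaid:eligible", "complement",
                       "ucla:inst:student", "ucla:app:financialaid:optout")
REGISTRY.add_composite("ucla:app:myucla:role:student_employee", "intersection",
                       "ucla:inst:student", "ucla:inst:employee:staff")

# Entitlement value -> service eligibility group (URIs are placeholders)
ENTITLEMENT_GROUPS = {
    "urn:mace:ucla.edu:box": "ucla:svc:box:eligible",
    "urn:mace:ucla.edu:financialaid": "ucla:svc:financialaid:eligible",
}
# MyUCLA role attribute value -> group
ROLE_GROUPS = {
    "student": "ucla:inst:student",
    "staff": "ucla:inst:employee:staff",
    "student_employee": "ucla:app:myucla:role:student_employee",
}


def entitlements_for(subject: str, registry: GroupRegistry = REGISTRY) -> list[str]:
    """eduPersonEntitlement values a subject should be asserted with."""
    return sorted(e for e, g in ENTITLEMENT_GROUPS.items() if subject in registry.members(g))


def roles_for(subject: str, registry: GroupRegistry = REGISTRY) -> list[str]:
    """Role attribute values a subject should be asserted with."""
    return sorted(r for r, g in ROLE_GROUPS.items() if subject in registry.members(g))


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        print(who, entitlements_for(who), roles_for(who))
```

The complement composite is the part worth noting: "financialaid eligible" is all students minus a locally managed opt-out group, so a service owner can remove individuals without touching the institutional group, which stays sourced from the book of record. In a real deployment the registry contents would come from Grouper (its web service or a provisioned directory) and the resulting values would be released by Shibboleth; the resolution and mapping logic is the same.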

Campus ID Card / Door Access Management (BruinCard)

Type: ACL-Based Access Control

BruinCard is UCLA's employee and student photo ID card. It is a physical door access token, a debit card, and is used for meals and access to events on campus. UCLA is in the process of replacing the BruinCard application (moving from an old Blackboard software to Blackboard Transact). While migrating, we are integrating BruinCard systems with Grouper, using Grouper to manage/automate door access provisioning and de-provisioning.

Anderson School Role Management

Type: Organizational Role Management

Anderson School is UCLA's management school. Today, Anderson School has over 50 applications, many with their own group management schemes and access control lists. Anderson School is using Grouper to consolidate all of its school-wide group and role management.

Service Entitlement Attribute Management

Type: Service Eligibility Declaration/Management

TODO: Write use case description.

Box Group Management

Type: Group Membership Management

UCLA is in the process of rolling out Box (box.com) to employees and students. Box's built-in group management is awkward and difficult to scale to a distributed environment. We are externalizing group management from Box to Grouper, using Grouper to

1. automate Box group membership updates (from book-of-record data sources)
2. enable more flexible, distributed group membership management by project, department, or collaboration groups.

Application-Specific Deployment

Faculty Information System (Opus)

Separate from the Enterprise IAM deployment, UCLA's Faculty Information System Project (Opus) has adopted Grouper as an application-specific, academic-hierarchy-driven, role-based access management solution.

Opus intends to operate a separate Grouper instance from the enterprise instance at its initial launch. Plans to migrate to or converge with the enterprise instance are TBD.

Architecture and Design

Presentations