Grouper was implemented as part of an IAM renewal program for the university in the spring of 2018. Version 2.4 is currently in production and an upgrade to 2.5 is currently being tested.
Our IAM strategy for determining access was introduced as a two-step process in Grouper:
The Grouper Loader is used to introduce affiliation groups based on available campus data that is linked to identity:
Delegated access is rolled out to the various units across campus as the need arises. These administrators are asked to build further affiliations that aid in defining required access, things like:
Access definitions are then built using the available affiliations. Access definitions typically require X groups:
Some access definitions are contained within a department while others are spread across the university.
A custom connector was built to allow the campus IDM system to track Grouper group memberships. The access-definition group memberships are used in the campus IDM to detect the entitlements an identity requires. Account and access provisioning using these groups is currently targeted towards services like:
We're also using PSPNG to provision to an Active Directory that was put in place while Grouper was being piloted and has been left in place.
The system has been in use since spring 2018. There are currently 540 delegated administrators across campus working with 29,000 groups (the bulk of which are loaded).
The production system runs on two smaller VMs acting as user-interface servers, and one running the daemon (loader and PSPNG).