Versions Compared

Old Version 1

changes.mady.by.user Jeremy Jeremy

Saved on

compared with

New Version 2

changes.mady.by.user Jeremy Jeremy

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

What is Grouper?

  • Grouper makes groups
  • based on URN namespaces to make sure group names don't collide
  • main objective is large scale admin and delegation of a common store
  • many people have authority over many other people's information
  • all those different agencies can source a knowledge system based on a common service that many agencies can plug into

Grouper Plumbing

  • Grouper can list subjects which is an abstraction (how to integrate a thing with God knows what?)
  • Subject API with packaged JNDI and JDBC
  • Grouper ships with it's own presentation of subjects
  • Main point of integration, point it at your LDAP directory or SOA implementation etc.
  • Other points of integration can assign privileges
  • There is a loader that can load people's LDAP entries, a dynamic group based on attributes
  • Get information reflected from outside of Grouper for maintenance tasks
  • Web Services interface, 4 varieties, light and heavy, SOAP and RESTful (2x2 matrix)
  • WS for query and management
  • You must use subject interfaces, WS interfaces are popular for putting things into Grouper like hierarchies of class membership or department structures
  • LDAP provisioning connector, selects a variety of group information and tailors the way the information is handled
  • Current LDAP provisioning connector is being replaced with a faster solution for large implementations like 1 million + groups
  • New connector will have asynchronous notifications, subscribe to the Loader, coming in 1.5 in November
  • New connector starts out with the Shibboleth attribute resolver
  • Delivery mechanism based on SPML
  • Will enable Shib to look up information directly from Grouper (potentially)
  • From the app perspective, you want to gather information from the enterprise data store or you can put a Grouper client in your cron and make it available to your app in a legacy way.
  • User interface for admin.
  • Command line interface exposes 100% of the api
  • XML import and export plumbing, don't do this but it's possible and sometimes even handy
  • Current interface is not the one for general use but a new one is coming but for the most part you want users to set up the access from within the application that is consuming the Grouper services
  • Far more coming in the attribute space in the new version

Success Stories

  • National Cancer Institute, 80 Cancer research centres is federated and uses PKI, Grouper is the access management component.
    • Central group registry and most sites have their own, but it provides a way for you to link your app to their grid while maintaining access
  • U of Chicago uses it to solve ordinary use cases, over time you amass a new asset of who can access what, provides an alternative to creating application level access control

Contributors

  • University of Washington
  • University of Pennsylvania
  • University of Chicago