Slide1
Group Services Update
September 18, 2017
CIO Council
Smith 561
Slide2
What Does Grouper Do?
A group membership system; Grouper is:
  Integrated with IAM data so the group memberships are updated automatically
  A web tool for delegated administrators to manage groups for their local needs
  Used by school and department IT Service Providers to manage groups directly or via API
Grouper is NOT directly accessible to faculty, staff and students at this time.
Slide3
What Types of Problems Can I Solve with Groups?

Problem “What If?” Scenario: I need to limit access to the third-party web application I am integrating with HarvardKey to current affiliates.
Real Example: Access to Kenexa system used by job applicants and HR recruiters is controlled by HarvardKey with groups
Function: Access Control

Problem “What If?” Scenario: I need to make sure that my web site is only open to current affiliates of my department, plus a few other specific people I can name.
Real Example: Open Scholar site owners can make content available using reference groups, or request custom group
Function: Custom Groups

Problem “What If?” Scenario: Our program needs a way to ensure that people who login to Amazon have limited access and permissions.
Real Example: ITS uses groups to limit user access within the cloud instance in real time, as the user logs in
Function: Delegated Group Administration, Access Control

Problem “What If?” Scenario: My School wants to create groups that we will use locally for access control and mailing lists
Real Example: Future Development: Integration with Active Directory
Function: Delegated Group Administration

Problem “What If?” Scenario: Harvard should make sure that only active and current affiliates receive broadcast communication
Real Example: Future Development: Broadcast Communication Project
Function: Custom Group
Slide4
How Can I Use The Service
IAM Product Operations supports the Group Service.
Service catalog listing and related documentation projects are in progress. Group Service Delivery Manager for IAM is Terry Connolly.

Group Service: Access Control for Web Applications using HarvardKey and Groups
How To Use The Service: Iam_help@harvard.edu
  Submit a request to integrate an application with HarvardKey.
  http://iam.harvard.edu/files/iam/files/cas-saml-spusagerequest-form.pdf

Group Service: Delegated Group Administration
How To Use The Service: Depending on your application needs we will provide consultation, training and onboarding for you to manage groups as you need.

Group Service: Custom Group By Request
How To Use The Service: Users are directed to iam_help@Harvard.edu from within Open Scholar.
Slide5
Appendix
Slide6
Groups enable integration of other IT Services
Groups are a critical component of these IT Services
Access Control (available now)
  Enabling application access for eligible users (authorization)
  Automatically removing access as eligibility ends
Communication (start in FY18)
  Emailing or texting messages to targeted audiences
Collaboration (future)
  Simplifying document sharing to collaborators
  Enabling controlled file sharing (individuals and groups)
Slide7
Vision for Group Services (Today)
Provide an IT service that enables other IT service providers to meet requirements for access control, collaboration, and communication through the use of groups
Slide8
Guiding Principles of Service
The following are proposed:
Evolve and shape the service in response to demonstrated, prioritized needs
Empower schools/departments to create and manage groups in Grouper for their own service needs
Govern the system with input from stakeholders, to ensure quality and usability are retained
Slide9
Service Model At Present
IAM Service Owner
  Operates the Grouper Platform and integration with HarvardKey
  Onboards customers integrating applications with HarvardKey, creating groups as required for web application authorization
  Onboards and trains Delegated Administrators
  Provides support
Delegated Administrator
  Interacts directly with Grouper using API or Grouper UI to create and manage groups
  Receives training in best practices, and observes these when managing groups
  May set up additional users to be Membership Managers
Slide10
Not Tackled Yet
On the roadmap:
  ITCRB funded Broadcast Communication (FY18/19)
  Provisioning of Grouper groups to:
    University AD
    LDAP(s)
    School-specific ADs
  Solution for non-people groups
    We need a registry for these digital identities first
Desired, but solution/approach is not clear:
  Widely distributed group management, integrated with various components in O365
Slide11
Value of Reference Groups
Reference groups are automatically updated daily based on the system of record feeds to IAM
By using reference groups, you get “active only” members and this supports authorization objectives
By intersecting reference groups with your own custom groups, you can ensure that the membership of your custom managed groups is automatically updated to remove people who are no longer active.
Slide12
Group Administration Models
IAM-Managed: Groups are set up and managed on behalf of a school/department by IAM
  Broad or static application authorization requirements (e.g. all students)
  Client has no technical willingness/capacity for autonomous group administration
Delegated Membership Management: Groups are set up by IAM, or delegated administrators, and school/department manages group memberships
  Membership Managers need to understand Grouper UI navigation and group membership admin features
Delegated Group Administration: A Grouper namespace is set up by IAM and delegated to the school/department to manage its own groups
  Delegated Group Administrators need to understand Grouper navigation, group creation, memberships, permissions and group-math concepts
Slide13
Group Services Systems Model