Published by Bartholomew King. Modified over 6 years ago.
Slide 1: Group Services Update
September 18, 2017, CIO Council, Smith 561
(slide footer: 8/29/2018)
Slide 2: What Does Grouper Do?
A group membership system; Grouper is:
- Integrated with IAM data so the group memberships are updated automatically
- A web tool for delegated administrators to manage groups for their local needs
- Used by school and department IT Service Providers to manage groups directly or via API
Grouper is NOT directly accessible to faculty, staff and students at this time.

Presenter notes:
When I met with the CIOs there seemed to be a little buzz in the air when these reference groups were mentioned, around whether we had defined them correctly for a particular school. What I can tell you is that we have used the IAM Registry data since 2001, when we launched LDAP, to define populations for authorization purposes using the PIN system and Authorization proxy, and by exporting data to application owners, with guidance around how to determine active status for various populations. These concepts have gained a lot of traction over the years, and these definitions, driven off of the “source of truth” that is the Registry, have been anchoring access to buildings, libraries, web applications, dining halls, for a while. Our reference groups continue to use these definitions which have been in use. So far, so good.

We only created them at a fairly coarse-grained level, but the potential is there to define them down to a lower level as required. One of the “lessons learned” from University of Chicago was “build groups in response to actual need” -- don’t build a lot of reference groups just on spec. So that’s the tactic we are taking. Look at list of reference groups.

What if you want your own definitions of this type of category? Delegated Group Administration is the answer. As a school or department, you have expressed interest, in previous meetings regarding Grouper, about managing your own groups for use by your school -- or for a specific application purpose. Example is AWS. Another is a school who wants to define specific groups for an Intranet.

Grouper platform provides a way to delegate administration to users, who then have rights to manage groups within the delegated namespace. As a Delegated Administrator, you need to be shown the ropes of how Grouper works -- how to use the UI, how to understand what you are managing, norms established here at Harvard to keep permissioning able to be understood and managed. IAM team sets you up, and trains you.

GOOD TIME TO PAUSE, and examine the situation today regarding the boundary between what IAM handles on behalf of customers, and what Delegated Administrators do on behalf of their stakeholders. This is an area of the service delivery where we have a lot of active discussion. In the course of working with Academic Technologies (Courses, Confluence Wiki, Blog) and with the Open Scholar team, we are getting down to the “brass tacks” of how the group migration, management, and set-up of new groups would work. We (AT, IAM) collectively realize that you (the schools) are a major stakeholder in the process because you are (probably) expecting to use the groups across more than just these Academic Technology applications.
Slide 3: What Types of Problems Can I Solve with Groups?
Table columns: Problem (“What If?” scenario) / Real example / Function

1. Problem: I need to limit access to the third-party web application I am integrating with HarvardKey to current affiliates.
   Real example: Access to the Kenexa system used by job applicants and HR recruiters is controlled by HarvardKey with groups.
   Function: Access Control

2. Problem: I need to make sure that my web site is only open to current affiliates of my department, plus a few other specific people I can name.
   Real example: Open Scholar site owners can make content available using reference groups, or request a custom group.
   Function: Custom Groups

3. Problem: Our program needs a way to ensure that people who log in to Amazon have limited access and permissions.
   Real example: ITS uses groups to limit user access within the cloud instance in real time, as the user logs in.
   Function: Delegated Group Administration

4. Problem: My School wants to create groups that we will use locally for access control and mailing lists.
   Real example: Future Development: Integration with Active Directory

5. Problem: Harvard should make sure that only active and current affiliates receive broadcast communication.
   Real example: Future Development: Broadcast Communication Project
   Function: Custom Group
Slide 4: How Can I Use The Service
IAM Product Operations supports the Group Service. Service catalog listing and related documentation projects are in progress. Group Service Delivery Manager for IAM is Terry Connolly.

Table columns: Group Service / How To Use The Service

1. Group Service: Access Control for Web Applications using HarvardKey and Groups
   How to use: Submit a request to integrate an application with HarvardKey.

2. Group Service: Delegated Group Administration
   How to use: Depending on your application needs we will provide consultation, training and onboarding for you to manage groups as you need.

3. Group Service: Custom Group By Request
   How to use: Users are directed to from within Open Scholar.
Slide 5: Appendix
Slide 6: Groups enable integration of other IT Services
Groups are a critical component of these IT Services:
- Access Control (available now)
  - Enabling application access for eligible users (authorization)
  - Automatically removing access as eligibility ends
- Communication (start in FY18)
  - Emailing or texting messages to targeted audiences
- Collaboration (future)
  - Simplifying document sharing to collaborators
  - Enabling controlled file sharing (individuals and groups)
Slide 7: Vision for Group Services (Today)
Provide an IT service that enables other IT service providers to meet requirements for access control, collaboration, and communication through the use of groups.
Slide 8: Guiding Principles of Service
The following are proposed:
- Evolve and shape the service in response to demonstrated, prioritized needs
- Empower schools/departments to create and manage groups in Grouper for their own service needs
- Govern the system with input from stakeholders, to ensure quality and usability are retained
Slide 9: Service Model At Present
IAM Service Owner:
- Operates the Grouper Platform and integration with HarvardKey
- Onboards customers integrating applications with HarvardKey, creating groups as required for web application authorization
- Onboards and trains Delegated Administrators
- Provides support

Delegated Administrator:
- Interacts directly with Grouper using API or Grouper UI to create and manage groups
- Receives training in best practices, and observes these when managing groups
- May set up additional users to be Membership Managers
Slide 10: Not Tackled Yet
On the roadmap:
- ITCRB funded Broadcast Communication (FY18/19)
- Provisioning of Grouper groups to: University AD, LDAP(s), School-specific AD’s
- Solution for non-people groups: we need a registry for these digital identities first

Desired, but solution/approach is not clear:
- Widely distributed group management, integrated with various components in O365

Presenter notes:
I have a concern that despite our report outs during the development period, when we said we were live with “groups”, people envisioned that we had all of the above: provisioning to University AD, or other AD’s; provisioning to the LDAPs we manage. Groups in those directories are still managed manually. We don’t have a solution for non-people based groups. And most of all, we don’t have a design in mind for a solution to the “holy grail” integration that everyone wants -- the widely distributed group creation that enables anybody to create a collaboration group in SharePoint, use it for a mailing list, or in a wiki, or an Open Scholar site… This is the promise of a managed group system; however, we don’t understand how to integrate it with these MS tools which have their own groups baked in. And Microsoft doesn’t have just one way to do groups -- it has many! As far as we know, there isn’t anyone in Higher Ed running Grouper that has really nailed this challenge.
Slide 11: Value of Reference Groups
- Reference groups are automatically updated daily based on the system of record feeds to IAM
- By using reference groups, you get “active only” members and this supports authorization objectives
- By intersecting reference groups with your own custom groups, you can ensure that the membership of your custom managed groups is automatically updated to remove people who are no longer active
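The mechanism this slide describes, as an added example that is not part of the presentation and is not Grouper's own code or API: reference groups are derived from a daily registry feed and contain active people only, and a custom group is intersected with a reference group so that anyone the registry no longer considers active drops out of the effective membership without any manual cleanup. The feed records, group names and user identifiers below are all constructed for the illustration.

```python
"""Added example: 'active only' reference groups derived from a registry feed,
and a custom group intersected with one so that inactive people fall out.
Not the presentation's code, not Grouper's; all data here is constructed."""

from dataclasses import dataclass, field

# Constructed stand-in for the daily system-of-record feed to IAM.
# 'active' is the eligibility flag the reference groups key on.
REGISTRY_FEED_DAY1 = [
    {"id": "u1", "affiliation": "student", "school": "SEAS", "active": True},
    {"id": "u2", "affiliation": "staff",   "school": "HBS",  "active": True},
    {"id": "u3", "affiliation": "faculty", "school": "SEAS", "active": True},
    {"id": "u4", "affiliation": "student", "school": "HBS",  "active": False},
]

# Day 2 (constructed): u1 has left and is now inactive; u5 is a new staff member.
REGISTRY_FEED_DAY2 = [
    {"id": "u1", "affiliation": "student", "school": "SEAS", "active": False},
    {"id": "u2", "affiliation": "staff",   "school": "HBS",  "active": True},
    {"id": "u3", "affiliation": "faculty", "school": "SEAS", "active": True},
    {"id": "u4", "affiliation": "student", "school": "HBS",  "active": False},
    {"id": "u5", "affiliation": "staff",   "school": "SEAS", "active": True},
]


def build_reference_groups(feed):
    """Derive coarse-grained, active-only reference groups from one feed run.
    The group names (ref:active, ref:<affiliation>, ref:<school>:active) are
    hypothetical; the point is that inactive people never enter any of them."""
    groups = {"ref:active": set()}
    for rec in feed:
        if not rec["active"]:
            continue  # inactive records are skipped, so they are removed on the next run
        groups["ref:active"].add(rec["id"])
        groups.setdefault(f"ref:{rec['affiliation']}", set()).add(rec["id"])
        groups.setdefault(f"ref:{rec['school']}:active", set()).add(rec["id"])
    return groups


@dataclass
class CompositeGroup:
    """A custom group whose effective membership is the intersection of a
    hand-managed member list with a reference group. The modelling is this
    example's own; it only mirrors the intersection described on the slide."""
    name: str
    reference: str
    managed_members: set = field(default_factory=set)

    def effective_members(self, reference_groups):
        # Intersection: a managed member counts only while still in the reference group.
        return self.managed_members & reference_groups.get(self.reference, set())


def is_authorized(user_id, group, reference_groups):
    """The decision an integrated application makes at login time."""
    return user_id in group.effective_members(reference_groups)


def demo():
    # A site owner names three individuals, one of whom (u4) is already inactive.
    site_editors = CompositeGroup("app:site:editors", "ref:active", {"u1", "u2", "u4"})
    day1 = build_reference_groups(REGISTRY_FEED_DAY1)
    day2 = build_reference_groups(REGISTRY_FEED_DAY2)
    return {
        "day1": sorted(site_editors.effective_members(day1)),   # ['u1', 'u2']
        "day2": sorted(site_editors.effective_members(day2)),   # ['u2'] once u1 is inactive
        "u1_day1": is_authorized("u1", site_editors, day1),     # True
        "u1_day2": is_authorized("u1", site_editors, day2),     # False, no manual removal needed
    }


if __name__ == "__main__":
    print(demo())
```

The managed member list is never edited between day 1 and day 2; only the reference group changes as the feed changes, which is exactly why the intersection gives the "automatically updated" property the slide claims. A practitioner checking this in a real deployment would confirm that the application consults the composite membership at each login rather than caching it across feed runs.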
Slide 12: Group Administration Models
IAM-Managed: Groups are set up and managed on behalf of a school/department by IAM
- Broad or static application authorization requirements (e.g. all students)
- Client has no technical willingness/capacity for autonomous group administration

Delegated Membership Management: Groups are set up by IAM, or delegated administrators, and school/department manages group memberships
- Membership Managers need to understand Grouper UI navigation and group membership admin features

Delegated Group Administration: A Grouper namespace is set up by IAM and delegated to the school/department to manage its own groups
- Delegated Group Administrators need to understand Grouper navigation, group creation, memberships, permissions and group-math concepts
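The three models on this slide differ in what a person may do and where in the namespace they may do it. As an added example (not from the presentation, and not Grouper's own permission model or API), the check below expresses those boundaries as a deny-by-default authorization over a hierarchical group namespace: IAM administrators act anywhere, a delegated group administrator may create and manage groups only under their school's folder, and a membership manager may only change members of the one group they were given. The principals, folder paths and group names are constructed for the illustration.

```python
"""Added example: least-privilege boundaries for the IAM-managed, delegated
membership management and delegated group administration models, modelled as
grants over a path-style namespace. Not Grouper's code; all names constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    principal: str
    scope: str   # folder prefix ("" = root) for admins, exact group path for membership managers
    role: str    # "iam_admin", "group_admin" or "membership_manager"


# Constructed grants: IAM owns the root, seas-it holds a delegated namespace,
# hbs-registrar manages members of a single group set up by IAM.
GRANTS = [
    Grant("iam-ops",       "",                  "iam_admin"),
    Grant("seas-it",       "seas:",             "group_admin"),
    Grant("hbs-registrar", "hbs:courses:staff", "membership_manager"),
]

ACTIONS_BY_ROLE = {
    "iam_admin":          {"create_group", "delete_group", "add_member", "remove_member"},
    "group_admin":        {"create_group", "delete_group", "add_member", "remove_member"},
    "membership_manager": {"add_member", "remove_member"},   # memberships only, never group structure
}


def in_scope(grant, target):
    """Membership managers match one exact group; admins match a folder prefix.
    The prefix ends in ':' so 'seas:' cannot accidentally cover 'seasx:...'."""
    if grant.role == "membership_manager":
        return target == grant.scope
    return target.startswith(grant.scope)


def allowed(principal, action, target):
    """Deny by default; allow only when a grant covers both the action and the target."""
    return any(
        g.principal == principal
        and action in ACTIONS_BY_ROLE[g.role]
        and in_scope(g, target)
        for g in GRANTS
    )


def audit_decisions():
    """A few decisions a reviewer would want to see, returned for inspection."""
    checks = [
        ("seas-it",       "create_group", "seas:intranet:editors"),   # inside delegated namespace
        ("seas-it",       "create_group", "hbs:intranet:editors"),    # another school's namespace
        ("hbs-registrar", "add_member",   "hbs:courses:staff"),       # the one group delegated
        ("hbs-registrar", "create_group", "hbs:courses:staff"),       # structure change not allowed
        ("hbs-registrar", "add_member",   "hbs:courses:faculty"),     # a different group
        ("iam-ops",       "delete_group", "seas:intranet:editors"),   # IAM acts anywhere
        ("nobody",        "add_member",   "seas:intranet:editors"),   # no grant at all
    ]
    return {(p, a, t): allowed(p, a, t) for p, a, t in checks}


if __name__ == "__main__":
    for (p, a, t), ok in audit_decisions().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {p:14} {a:13} {t}")
```

Keeping the scope in the grant rather than in the caller's request is what makes the delegated namespace a real boundary: a school administrator cannot widen their own reach by naming a path outside their folder, and a membership manager cannot turn a membership right into a group-creation right.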
Slide 13: Group Services Systems Model