Composite groups

Inside of Grouper is a little-known feature that allows you to create new groups through applying logic to existing groups. This feature is known as composite groups.

Whilst the functionality of using this ‘group logic’ brings great power, it’s easy to get yourself in a knot. The following simple example works through the creation of new groups containing students studying a specific stage on a specific programme.

Creating a group containing Stage 1 students studying on H200:

We already publish groups containing Student to Programme (Corporate Data:Student_Programme_Enrolments), and Student to Stage (Corporate Data:Student_Stage_Enrolments) assignments which are updated daily using data derived from SAP. If your school is not published already, get in touch and we’ll add it.
We need to combine these two corporate data sources…

1. Browse to where you want to create the group (if you’re publishing to Active Directory then this will need to be in the Applications stem).

2. Create your new group as per normal, and give it a sensible name, e.g. MyExample_H200_Stage1

3. Click More Actions > Edit composite

4. Select the two factors that will build this composite group, then select ‘AND’ as the operation (implying that a user will only become a member of your new group if they’re a member of both of the composite groups).

Note that in addition to an ‘AND’ (intersection) operation, you also have the option of using a ‘NOT’ (complement) to exclude members.
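
The group logic above can be worked through before you build it in the UI. The sketch below is an added example, not Grouper code and not part of the original post: it models a composite as two factors plus an operation using Python sets, and chains a second composite onto the first to show that ‘NOT’ depends on the order of the factors. Group paths beneath the two published stems, the exclusion group and all user IDs are constructed, and ‘NOT’ is assumed to mean members of the first factor who are not in the second.

```python
# Added illustration: composite groups modelled with Python sets.
# Paths below the two published stems, the exclusion group and all
# user IDs are constructed for this example.
H200 = "Corporate Data:Student_Programme_Enrolments:H200"
STAGE1 = "Corporate Data:Student_Stage_Enrolments:Stage1"
EXCLUDED = "User Groups:MyExample_Excluded"
H200_STAGE1 = "Applications:MyExample_H200_Stage1"
H200_STAGE1_FILTERED = "Applications:MyExample_H200_Stage1_Filtered"

# Groups with directly assigned or data-fed members.
DIRECT = {
    H200: {"a1", "a2", "a3", "a4"},
    STAGE1: {"a2", "a3", "b7", "b8"},
    EXCLUDED: {"a3"},
}

# Composite group -> (first factor, operation, second factor).
COMPOSITES = {
    H200_STAGE1: (H200, "AND", STAGE1),
    H200_STAGE1_FILTERED: (H200_STAGE1, "NOT", EXCLUDED),
}


def combine(first, op, second):
    """Apply one composite operation to two member sets."""
    if op == "AND":   # intersection: must be in both factors
        return first & second
    if op == "NOT":   # complement: in the first factor, not the second
        return first - second
    raise ValueError(f"unsupported operation: {op}")


def members(group, _path=()):
    """Resolve effective membership, following chained composites."""
    if group in _path:
        raise ValueError(f"composite loop via {group}")
    if group in DIRECT:
        return set(DIRECT[group])
    first, op, second = COMPOSITES[group]
    path = _path + (group,)
    return combine(members(first, path), op, members(second, path))


if __name__ == "__main__":
    for name in (H200_STAGE1, H200_STAGE1_FILTERED):
        print(name, sorted(members(name)))
    # Swapping the factors of a NOT gives a different (here empty) group.
    print(sorted(combine(members(EXCLUDED), "NOT", members(H200_STAGE1))))
```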

Getting started with group types

The Grouper structure at Newcastle University has an implied data flow through the use of four distinct group types. Administrators are able to use Corporate Data Groups to build custom User Groups, a combination of which can then be used to build Application and Non-AD groups.

  • Corporate Data
    These groups are populated from our corporate data source systems (principally SAP), and will automatically update membership as individual circumstances change.
    These groups are not editable.
  • User Groups
    These groups are generally created by computing officers to manage groups which are not reflected in our corporate data, e.g. research groups. User groups may contain a combination of Corporate Data groups and directly assigned users.
    These groups are editable by delegated administrators.
  • Application Groups
    All groups created in this branch will be automatically provisioned to the Active Directory. These groups are used to control access to applications and resources such as websites (via Shibboleth) and filestores etc. Application groups may include a combination of Corporate Data groups, User Groups and directly assigned users.
    These groups are editable by delegated administrators.
  • Non-AD Access Control
    These groups are identical to Application Groups other than that they are not provisioned to the Active Directory. Non-AD Access Control groups are used to control access to non-AD integrated applications such as Chubb.
    These groups are editable by delegated administrators.

Why use Grouper?

If you’re a computing officer who has grown up around the Windows stack, you may be wondering why we use an additional group management system such as Grouper when Active Directory has inbuilt group functionality. Simply put, AD is only a very small part of our overall landscape, and Grouper gives us the ability to centralise access control across many systems.

Furthermore, Grouper allows us to call upon the vast repository of data the University holds to automatically provision groups and keep membership up to date, while you sit back and do more interesting stuff.

Speaking of sitting back, Grouper offers delegated group management functionality through a convenient web interface. This allows you to devolve responsibility for maintaining your groups to non-technical office administrative staff or members of a research group who you would normally not want to let loose near AD.

So you want a group that contains only Postgraduate Research students in the SAgE faculty studying in their second year, excluding those from the School of Chemical Engineering, that can be used to populate your door access control system? Grouper can do that.

Or, you want a group that can auto provision all staff in your school to have access to a file share and internal school website? Grouper can do that too.

Grouper takes away the pain of managing access control to many systems, ensuring that when individuals move between roles or courses, their effective memberships are automatically propagated to connected systems.

Handy hints for viewing group names

When dealing with long group names in the new Grouper UI you’ll notice that the column isn’t wide enough to display the full name.

Thankfully there are a few easy ways you can overcome this annoyance…

Clicking on the folder name will display the entire list of groups contained within.

Scrolling to the bottom of the white column reveals a scrollbar allowing you to scroll across to display the group names.

Pressing the scroll wheel on your mouse will reveal directional arrows. Continuing to hold the wheel down you can move your mouse left and right to pan across the group names.

Alternatively, you can also revert to the ‘old’ Grouper interface without the additional tree view by selecting the Admin UI option in the menu.