Category Archives: Group Management

Only create ‘Applications’ groups if you need them

Posted on by
Reply

Our fourth principle of Grouper good practice is:

  • Only create ‘Applications’ groups if you need them to be provisioned to AD or available as Shibboleth attributes.

There are two reasons for this:

  1. The GrouperGroups section of the AD is already quite busy and cluttered, adding unnecessary groups will only make it worse.
  2. The Grouper to AD provisioning process is quite inefficient and can slow down if there are a large number of changes. Minimising the number of groups being provisioned to AD will avoid any unnecessary slowing down of the provisioning process.

Create a ‘User Group’ if you’re likely to reuse the same set of members

Posted on by
Reply

Our third principle of Grouper good practice is:

  • Where adequate source data doesn’t exist to define a ‘Corporate Data’ group, create a ‘User Group’ if you’re likely to use the same set of members in more than one place.

This is a principle based around reuse, in order to save time and avoid inconsistencies and errors.

The classic example is for a research group. This fictional research group might be made up of some staff from School X, some from School Y and a few PGR students. There is nothing in our corporate data systems to identify that these people belong to this research group so we cannot create a ‘Corporate Data’ group for them.

Now, let’s say this research group wants to set up a mailing list, a wiki and a shared filestore. (These are all things that can be controlled through Grouper.) Instead of manually maintaining the membership list of three different ‘Applications’ groups, create one reusable ‘User Groups’ group which can be the member of the three ‘Applications’ groups.

Use ‘Corporate Data’ groups to control memberships

Posted on by
Reply

Our second principle of Grouper good practice is:

  • Whenever possible, use ‘Corporate Data’ groups to control memberships of your groups.

This is a straightforward, unambiguous and just plain sensible principle.

Membership of the ‘Corporate Data’ groups are populated with data from our corporate data source systems and are updated automatically. Using these groups to build up the membership of your groups means that the members of your groups will be updated automatically, too.

User Groups for admin privileges

Posted on by
Reply

Our first principle of Grouper good practice is:

  • Use a ‘User Group’ to determine who has admin privileges on all of your groups and folders.

Whilst setting up another group for this purpose might seem like an additional overhead of time and effort before you really get started with Grouper, I assure you it’s worth it. There are a few reasons and considerations behind this.

Now, if there are several of you working together with Grouper and all want to have admin privileges on each other’s groups then this is just common sense; it’s much easier to grant privileges on your groups to a single group than to several of your colleagues.

But you might be thinking, “Hey, it’s just me here. I don’t need to share admin privileges with anyone else.” Well, that’s OK, I hear you, but, please still create a user group for this purpose (with you as the only member). I appreciate it’s a small hassle, but hear me out.

Today, it’s just you working on it. But what if that changes? In six month’s time, you might be lucky enough to get a new colleague to work with you. Do you want to have to go through all the groups you’ve created and grant them admin privileges? Or would you rather add them as a member of one single group that you bothered to spend a couple of minutes setting up to have admin privileges on all of your groups?

Or, another scenario, what if you move on? Now your successor doesn’t have privileges on any of the groups they need to look after. If only we had a single admin group we could add them to! Of course, if you’re moving on, you might not be too worried about that but I’d like to think we’re all conscientious enough to care.

My final thought on this is a little more contentious. I’d say you should set up and use a ‘User Group’ for controlling admin privileges even if there’s already a ‘Corporate Data’ group containing the right people. I must admit this isn’t something I’ve always done myself but as my thinking has evolved and developed, it’s what I’m always going to do in the future.

You can then simply use the ‘Corporate Data’ group to populate the members of your admin group. The reason for this is that, whlist the ‘Corporate Data’ group might be right today, we’ve seen how things can change with reorganisations and evolving responsibilities.

Using a ‘User Group’ for admin privileges, from the start, will future-proof your part of Grouper.

Grouper? Huh, yeah? What is it good for?

Posted on by
Reply

… Well, quite a lot actually.

We’ve recently been trying to answer this question and we’ve identified numerous examples of where Grouper is providing value across the University.

From securing shared filestores to displaying personalised timetables within the mobile app, from controlling privileges within web applications to setting authority levels in the door access control system and from determining a user’s wireless network level of service to allowing our STEM students and teachers to download millions of pounds worth of free software through DreamSpark premium, Grouper is used in many interesting, useful and valuable ways.

Grouper uses

We know there are others, too. The flexibility and devolved privileges inherent in Grouper mean that it is quite possible that it’s also being used for all sorts of things we know nothing about. If you use Grouper in any other way or for any other purpose, please let us know. There might be a prize for the best use case.

As I’ve been writing this, it’s just struck me that a series of posts focusing in more detail on some of the use cases might be interesting. There’s something to look forward to.

Grouper UI issues and solutions

Posted on by
Reply

Since Grouper was upgraded at the end of last year we’ve received lots of positive feedback about the new, friendlier and easier-to-use UI.

New Grouper UI

However, there have been a few reports from IE users of issues with the new UI, where the quick links are visible but the content is not.

New Grouper UI in IE with compatibility view

It appears that this occurs when IE is running in compatibility view so, if you encounter this, there are two simple options to enable you to use the new UI:

  1. Use a different web browser.
  2. Switch off compatibility view.

Alternatively, you can click on the ‘Admin UI’ link to use the old interface.

Grouper upgrade

Posted on by
Reply

In December 2015, we upgraded our Grouper installation to the latest stable version. (For the uninitiated, Grouper is the software at the heart of NUIT’s group management service.)

The upgrade had been a long time coming. It had been talked about many times but had never quite managed to get to the top of the priority list. This is mainly due to the rapid expansion in demand for the institutional data feed service, which has taken up a significant proportion of our time and efforts over the last couple of years, but also because the group management service has been very stable and reliable and carried out its function quietly and competently.

The new version of Grouper has a few significant differences to the version we were running: most obvious is the new dashboard-based user interface but there are also a few other nice new features.

Shortly prior to the upgrade, we held a couple of captivating and enlightening demo sessions to highlight these differences to existing Grouper users. If you were unable to attend (or if you did attend and would like to relive the joy of the invigorating presentation), it’s now available on ReCap.