Tag Archives: tips

Creating new groups

Posted on by
Reply

I thought I’d already written about this but it seems I haven’t! (I can’t find it at any rate, which is just as bad.)

This post is for people who create groups in the Applications stem of Grouper and want them to be provisioned to AD or to be available as Shibboleth attributes.

There is a known error in this version of Grouper whereby the automatic provisioning only works if at least one member is added to the group before the provisioning service makes its first attempt to provision to AD; empty groups will not be provisioned.

In practice, this means that you must add a member to a group within about 45 seconds of creation of that group or provisioning (and subsequent updates) will fail for that group.

My tip here is simply to add yourself immediately to any new group you create in the Applications stem. This will ensure that it is picked up by the provisioning process. You can then correct the membership at leisure.

If you do happen to fall foul of this trap, don’t fret; we can fix it for you. Just contact the Service Desk (or log your own ticket in NU Service) explaining what’s happened and please include the full ID path of the group.

I’d also like to take this opportunity to remind you not to use spaces and slashes in group and folder IDs; please replace them with underscores.

Composite groups

Posted on by
Reply

Inside of Grouper is a little-known feature that allows you to create new groups through applying logic to existing groups. This feature is known as composite groups.

Whilst the functionality of using this ‘group logic’ brings great power, it’s easy to get yourself in a knot. The following simple example works through the creation of new groups containing students studying a specific stage on a specific programme.

Creating a group containing Stage 1 students studying on H200:

We already publish groups containing Student to Programme (Corporate Data:Student_Programme_Enrolments), and Student to Stage (Corporate Data:Student_Stage_Enrolments) assignments which are updated daily using data derived from SAP. If your school is not published already, get in touch and we’ll add it it.
We need to combine these two corporate data sources…

1. Browse to where you want to create the group (if you’re publishing to Active Directory then this will need to be in the Applications stem).

2. Create your new group as per normal, and give it a sensible name, e.g. MyExample_H200_Stage11

3. Click More Actions > Edit composite2

4. Select the two factors that will build this composite group, then select ‘AND’ as the operation (implying that a user will only become a member of your new group if they’re a member of both of the composite groups)3

Note that in addition to an ‘AND’ (intersection) operation, you also have the option of using a ‘NOT’ (complement) to exclude members.

Getting to grips with Grouper

Posted on by
1

Yesterday, Phil and I delivered a short overview session on Grouper, covering what it is, what it’s for, why you might like to use it and some tips and lesser known features.

The session was aimed at both new and existing Grouper users at Newcastle University (anyone who doesn’t consider themself to be an expert). We were very pleased with the turnout (about double what we expected) and the feedback.

If you missed the fun (or if you were there and want to hold on to the experience for a bit longer) you can now enjoy the full session on ReCap and peruse a copy of the slides at your leisure.

By the way, I’d like to offer a belated apology for the Star Wars references; I’ve recently watched the original trilogy with my daughter (her first time) so I’m afraid it was on my mind. I should’ve pointed out that Grouper is not quite as powerful as the Death Star.

Principles, tips and good practice for Grouper administrators at Newcastle University

Posted on by
Reply

As I’ve watched the uptake of Grouper grow within the computing officer community over the last year (with many new and interesting use cases), I’ve seen many people face the same problems and struggle with the same dilemmas. The more I’ve helped people tackle these challenges, the clearer the solutions have become in my mind and the more I’ve realised I should try to document some of it. So, here it is, my list of principles, tips and good practices for Grouper administrators …

  1. Use a ‘User Group’ to determine who has admin privileges on all of your groups and folders.
  2. Whenever possible, use ‘Corporate Data’ groups to control memberships of your groups.
  3. Where adequate source data doesn’t exist to define a ‘Corporate Data’ group, create a ‘User Group’ if you’re likely to use the same set of members in more than one place.
  4. Only create ‘Applications’ groups if you need them to be provisioned to AD or available as Shibboleth attributes.
  5. Adhere to the naming convention for ‘Applications’ groups.
  6. Make ‘Applications’ groups specific to a service or purpose.
  7. If you are delegating control of a group’s membership, give out the ‘update’ privilege, not the ‘admin’ privilege.

I realise it’d be useful to supplement this post with a higher-level overview of how Grouper works and what I mean by ‘Corporate Data’, ‘User Groups’ and ‘Applications’ groups. We’ll endeavour to get that written soon.

Give out the ‘update’ privilege, not the ‘admin’ privilege

Posted on by
Reply

Our seventh principle of Grouper good practice is:

  • If you are delegating control of a group’s membership, give out the ‘update’ privilege, not the ‘admin’ privilege.

One of the strengths of Grouper is that it enables you to delegate privileges to others to maintain membership of their own groups. If you’re doing this, you should assign the update privilege, which allows the updating of group memberships.

You should not assign admin privileges lightly. As well as allowing for the updating of group memberships, the admin privilege also allows the user to rename, move or delete the group. Or they could even remove your admin privileges, leaving you in a bit of a hole if you need to fix something.

Make ‘Applications’ groups specific

Posted on by
Reply

Our sixth principle of Grouper good practice is:

  • Make ‘Applications’ groups specific to a service or purpose.

This should ensure that each group provisioned to AD has a clear purpose and avoid any unforeseen consequences when a group is deleted, for example.

Additionally, requirements can change. Initially you might want to control access to a number of services with the same group but, over time, the people you want to grant access to might diverge from the original group. This scenario is best served by having specific ‘Applications’ groups all containing the same ‘User Groups’ group as a member. This gives the flexibility to allow the memberships to diverge, if required.

Adhere to the naming convention for ‘Applications’ groups.

Posted on by
Reply

Our fifth principle of Grouper good practice is:

  • Adhere to the naming convention for ‘Applications’ groups.

The naming of groups is important to ensure the consistency and uniqueness of group identifiers between Grouper and Active Directory groups. It is a requirement of the AD that group names are unique.

So, to ensure uniqueness, the group ID is split down into three defining sections:

  • Owning department/school – the school/department should be the abbreviation (without the leading D-) that is assigned to your school/department within SAP for example COMP (Computing science), LIBR (Library).
  • Auto – the word “Auto” needs to be included within any group that is to be provisioned into the AD. This identifies the group in the AD as being automatically generated and therefore management of the group should be carried out within Grouper.
  • Group purpose – this should provide a clear purpose for the group, so that users are able to quickly distinguish what the group represents.

This gives a group name of the format <Department/school>_ Auto_< Purpose>.

Please note that the group ID cannot include spaces so, if the purpose is more than one word, please replace spaces with an underscore character. AD will also not accept any of these characters, ” [ ] : ; | = + * ? < > / \,  so do not use them in your group names.

Only create ‘Applications’ groups if you need them

Posted on by
Reply

Our fourth principle of Grouper good practice is:

  • Only create ‘Applications’ groups if you need them to be provisioned to AD or available as Shibboleth attributes.

There are two reasons for this:

  1. The GrouperGroups section of the AD is already quite busy and cluttered, adding unnecessary groups will only make it worse.
  2. The Grouper to AD provisioning process is quite inefficient and can slow down if there are a large number of changes. Minimising the number of groups being provisioned to AD will avoid any unnecessary slowing down of the provisioning process.

Create a ‘User Group’ if you’re likely to reuse the same set of members

Posted on by
Reply

Our third principle of Grouper good practice is:

  • Where adequate source data doesn’t exist to define a ‘Corporate Data’ group, create a ‘User Group’ if you’re likely to use the same set of members in more than one place.

This is a principle based around reuse, in order to save time and avoid inconsistencies and errors.

The classic example is for a research group. This fictional research group might be made up of some staff from School X, some from School Y and a few PGR students. There is nothing in our corporate data systems to identify that these people belong to this research group so we cannot create a ‘Corporate Data’ group for them.

Now, let’s say this research group wants to set up a mailing list, a wiki and a shared filestore. (These are all things that can be controlled through Grouper.) Instead of manually maintaining the membership list of three different ‘Applications’ groups, create one reusable ‘User Groups’ group which can be the member of the three ‘Applications’ groups.

Use ‘Corporate Data’ groups to control memberships

Posted on by
Reply

Our second principle of Grouper good practice is:

  • Whenever possible, use ‘Corporate Data’ groups to control memberships of your groups.

This is a straightforward, unambiguous and just plain sensible principle.

Membership of the ‘Corporate Data’ groups are populated with data from our corporate data source systems and are updated automatically. Using these groups to build up the membership of your groups means that the members of your groups will be updated automatically, too.