| | 1 | '''Naming folders and groups in Grouper''' |
| | 2 | |
| | 3 | ua - Primary location for UA groups. |
| | 4 | |
| | 5 | etc - Internal Grouper folders and groups. |
| | 6 | |
| | 7 | |
| | 8 | ua:inst - Institutionally managed groups. |
| | 9 | |
| | 10 | ua:inst:buildings - Building locations |
| | 11 | |
| | 12 | ua:inst:buildings:<building name> - Groups for each building. |
| | 13 | |
| | 14 | |
| | 15 | ua:app - Application specific folders |
| | 16 | |
| | 17 | ua:app:vpn - Groups for UA VPN access. |
| | 18 | |
| | 19 | ua:app:vpn:vpn_access - Ad-hoc group for UA VPN access. |
| | 20 | |
| | 21 | |
| | 22 | '''Subject source configuration''' |
| | 23 | |
| | 24 | - What should we use as the subject ID in Grouper? Assuming the uid attribute for now. |
| | 25 | - What attribute will have the users' names? Assuming displayName for now. |
| | 26 | - LDAP searches will be based on the uid and displayName attributes. |
| | 27 | - Subject sorting will be based on the displayName attribute. |
| | 28 | |
| | 29 | |
| | 30 | '''Task details''' |
| | 31 | |
| | 32 | 1. Install and configure Grouper (including relevant components) and integrate with their subject sources. |
| | 33 | |
| | 34 | - Install the Grouper API and Grouper UI components. |
| | 35 | - Disable default grant read/view access on new group creations. This is generally good practice so that read/view access has to be explicitly given. |
| | 36 | - Enable wheel group to allow a group of admin users. |
| | 37 | - Enable include/exclude and requireGroup configurations. This allows easier creation of composite groups. |
| | 38 | - Enable the Grouper Report to run daily. What email address should the report be sent to? |
| | 39 | - Enable membership import and export in the Grouper admin UI. |
| | 40 | - Configure the subject API to query subjects from the production LDAP. |
| | 41 | |
| | 42 | |
| | 43 | 2. Integrate Grouper UI with their SAML environment. |
| | 44 | |
| | 45 | - Install and configure Shibboleth SP if not already installed by UA. |
| | 46 | - IdP should release the uid or eppn attribute to the SP. If releasing eppn, is that attribute available in the production LDAP? |
| | 47 | |
| | 48 | 3. Set up jobs to load data into Grouper from LDAP. |
| | 49 | |
| | 50 | - Set up the Grouper Loader to load buildings into Grouper under ua:inst:buildings using data from the production LDAP. |
| | 51 | - What attribute contains the user's building? Is the attribute multi-valued? Are all buildings being populated into Grouper or a subset? |
| | 52 | - Are the values of the attribute the exact name to use as the Grouper groups? Or does there need to be some mapping or parsing done? |
| | 53 | - How often should the job run? Hourly? Daily? Probably depends on how long it takes to run the LDAP query and how many users there are. |
| | 54 | |
| | 55 | |
| | 56 | 4. Create an ad-hoc group for VPN access. |
| | 57 | |
| | 58 | - Create the group ua:app:vpn:vpn_access. |
| | 59 | - This could be turned into a composite group if UA wants to see that functionality demonstrated. |
| | 60 | |
| | 61 | 5. Set up provisioning from Grouper to LDAP. |
| | 62 | |
| | 63 | - Set up the PSP to provision Grouper objects to a test LDAP and a test AD using the bushy structure (as opposed to the flat structure where all groups are created directly under one OU). |
| | 64 | - What is the base DN for groups and people in both test environments? |
| | 65 | - Do the two test environments (test LDAP and test AD) have all production users? If not, is there a large enough sample of users for the provisioning test to be useful? |
| | 66 | - For both test environments, currently assuming that the member attribute for group objects will be populated. |
| | 67 | - Group and folder descriptions will also be populated in LDAP/AD. |
| | 68 | - Incremental provisioning to LDAP will run through the Grouper Daemon. Bulk provisioning will run once a day. |
| | 69 | |
| | 70 | |
| | 71 | 6. Documentation |
| | 72 | |
| | 73 | - All configuration changes will be documented. |
