Version 1 (modified by dabantz@…, 12 years ago) (diff) |
---|
Group & Role Provisioning via Grouper - Phase I deployment
Overall Phase I goal:
Deploy and configure an instance of Grouper, the higher education de fact standard for generic group and role provisioning middleware. Deploy necessary user and backend interfaces to provision and consume group memberships in two categories: (1) groups of users in each campus building, provisioned automatically from data on office location in their LDAP record, and (2) users allowed into UA VPN, provisioned ad hoc by a group of administrators. It is intended that this work will demonstrate (or disprove) the feasibility of Grouper for more general group and permissions provisioning.
Work to be done:
• Deploy a working instance of Grouper;
( "working" entails an instance tested and accepted for these PoC functions, but not reduncant platform with active monitoring required for production)
• Provide authentication and authorization to Grouper via UA-standard SAML IdP, verifying users with UA-Username & AD password • Create building-based groups within LDAP, and • Implement a process for automatically provisioning users into the appropriate group(s) based on the office location data in their LDAP record • Create ad hoc groups of allowed VPN users within LDAP, and • Implement a process and end user interface for provisioning individual users into one or more such groups • Verify that group membership lists and groups to which and individual belongs are both consumable via LDAP queries • Document all configurations, interfaces, and connectors • Train IAM as needed on maintenance and operation of Grouper, connectors, and interfaces
Conditions:
UA IAM will provide the accounts and access permissions to its systems required for this work. Unicon will document efforts and expenses and UA IAMI will approve monthly billed hours of consulting based on progress and receipt of work. Any travel or other expenses will be approved in advance and must conform to UA policies on travel and expenses. No work will begin until UA Procurement has signed the Purchase Order for this work.
Group & Role Provisioning via Grouper - Phase II groundwork
Overall Phase II goal: (?)
Document existing data structures and interfaces use by the current in-house group & role provisioning system to be functionally replicated, and replicate a significant portion of these functions (ZUAUSR classes and superclasses) in Grouper. It is intended that this work will demonstrate the specific architecture and APIs needed for a full replacement of the existing UA in-house tool for administrative group and role provisioning with Grouper.
Work to be done in Phase II: (?)
• Document the existing database structure of ZUAUSR and replicate the functionality in Grouper's database schema • Document a sub-set of existing ZUAUSR interfaces (Oracle FORMS) used for requesting and granting permissions and roles • Design the connector needed for Grouper to use legacy identities from Banner (which the existing in-house tool uses as user identities) or some means of mapping standard UA identities to those legacy identities • Implement user interfaces used for roles for the Document Imaging application, and configure Grouper database and rules to enable Grouper end users to provision those roles as Groups with membership attribute (isMemberOf) values currently consumed by the OnBase? Digital Document application (that is, replicate the existing functionality of granting roles used by this application, using the same LDAP directory currently used)
For reference,
Phase III - full scale deployment of Grouper to replicate business functions of ZUAUSR
Phase IV - migration from ZUAUSR to Grouper implementation for admin group and privilege provisioning