Using PennGroups - Chris Hyzer, ISC/ASTT - Sept 19, 2011


Page 1: Using PennGroups

Chris Hyzer
ISC/ASTT
Sept 19, 2011

Page 2: Using PennGroups (agenda)

– Overview of Grouper
– Grouper versions and roadmap
– Grouper at Penn
– Secure Space example
– Atlassian example
– eForms example
– PHP use case
– Grouper UI: groups, permissions, etc.
– Grouper client example
– Grouper privileges
– Survey

Page 3: Overview of Grouper

Tom Barton’s recent presentation

Page 4: Penn Roadmap

– Hopefully uses for central permissions
  – E.g. warehouse permissions
  – E.g. PennCommunity Direct permissions
– Always available read-only web services
– Shibboleth entitlement group membership integration
– PennCommunity Direct getPerson WS secure attributes
– FAST permissions integration?

Page 5: Atlas - Penn’s Identity Management Strategy

(Diagram; only its labels survive in the transcript.) Labels: PennKey, PennCard, Ancillary Affiliates (Temp, VFAC, CHOP, etc.), PennNames, Penn Community, Penn Directory, UPHS, SRS, HR, PennGroups, 3rd Party Apps, In-House Apps; “AuthZ Decisions via LDAP or WS”; folder tree penn (Root) with Community, ISC, HR.

Page 6: Penn: example folder structure

(Screenshot; not captured in the transcript.)

Page 7: Getting started with PennGroups

When a School/Center is purchasing or developing a new system:
– LSP (local support provider) / application developer contacts Central IT
– LSP/developer and Central IT collaborate to:
  • Establish authorization use cases for the specific application
  • Determine access method (LDAP or Web Services)
  • Determine best approach for group creation and maintenance
– School/Center fills out access forms
– Central IT consults with LSP/developer on group hierarchy structure

Page 8: PennGroups use cases

– PTO (Paid Time Off): PennGroups provides the flexibility so that the user selects their approver for time off.
– Warehouse Apps: PennGroups provides a feed for org-based security based on active status.
– School of Engineering and Applied Science:
  – Affiliate-level groups: faculty members, staff members, students, undergrads, grads, PhD students
  – Class-level groups: everyone enrolled in every SEAS course, and several ad hoc groups
  – Ad hoc groups generated and maintained via specific applications and business rules

Page 9: PennGroups architecture

(Diagram; not captured in the transcript.)

Page 10: PennGroups UI

Grouper has a built-in user interface. Penn generally uses the default UI, though:
– We customized the authentication to use Penn’s single sign-on
– We added custom code to require users to be in a Grouper group to be able to log in (not everyone is allowed)

Penn did a facelift for the Grouper 1.3 release in Spring 2008, improving the usability and help documentation.

We have a separate app to run the Grouper loader in a webapp and to register Kerberos principals (add them to the subject database, and keep track of who owns each one).

Page 11: PennGroups ancillary UI

(Screenshot; not captured in the transcript.)

Page 12: PennGroups ancillary UI (continued)

(Screenshot; not captured in the transcript.)

Page 13: Penn’s experience with Grouper

– Live for 3+ years
– 77 thousand groups
– 2.7 million memberships
– 54 Kerberos service principals allowed to use LDAP/WS
  – Some apps share, some are orphans

Page 14: Components used at Penn

– UI
– Lite UI
– WS
– Client
– SQL interface
– We have our own secure LDAP feed
– External users
– GSH
– Notifications

Page 15: Components used at Penn (continued)

– Hooks (lightly)
– Rules (lightly)
– Permissions (lightly)
– Permissions UI
– Subject picker UI
– Kuali Rice – Grouper integration module
– Atlassian (Confluence / Jira) integration module
– Loader
– Encrypted passwords

Page 16: Penn’s Secure Space

– Penn launched Secure Space in Fall 2010
– Initially it was for PennKey holders only
– Last month we released a version which uses Grouper external users

Page 17: Penn’s Secure Space (continued)

– Secure Space is built on Grouper with three groups per space: admins, users, readonly
– When logging in, the Grouper client / WS is used to cache the list of groups for the user
– On create/delete of a space, the Grouper client / WS is used to create/delete its groups
– Group memberships are managed via the membership lite UI screen

Page 18: Penn’s Secure Space (continued)

– Penn’s Grouper has rules to only allow external users in certain Secure Space folders
– Penn’s Grouper external users must be invited to be able to register
– Secure Space uses InCommon; EPPN is required for external users
– External users self-register their name, email, institution

Page 19: Penn’s Secure Space (continued)

Penn installed the Shibboleth Discovery Service (DS/WAYF), customized to:
– Pennify it
– Add a support channel
– Make it easy for Penn users
– Recommend ProtectNetwork for users who don’t have an InCommon account which releases EPPN

Page 20: Penn’s Secure Space (continued)

Grouper shows external users with a different icon and a description of the form:

  [unverifiedInfo] First Last - institution [externalUserId] [email protected]

External users do not show in results for groups which do not allow external users.

Demo

Page 21: FAST PennGroups integration

– FAST can link a FAST group to a PennGroup in the fastConfig
– FAST_ADMIN asserts that users are in the ISC org to be an admin (can be overridden in fastConfig)
  – Contractors can be added in a group in PennGroups
– PennKey to PennId translation uses PennCommunity first, and on failure falls back to LDAP
– FAST PennGroups membership calls are also redundant

Page 22: Atlassian – Grouper connector

• Penn has been using it in production since Dec 2010; requires Grouper 1.6+
• Implements the OpenSymphony osuser interfaces:
  – Credentials provider (optional?)
  – Access provider
  – Profile provider (optional?)

Page 23: Atlassian – Grouper connector (continued)

– Map a root folder for Confluence or Jira; groups (unnamespaced) are in that folder
– Can create/delete groups from Atlassian, though sometimes there are issues… we just create/use from Grouper
– XMPP messaging from Grouper to Atlassian for real-time updates
– Fail-safe cache so if Grouper is down, Atlassian stays up
  – Note: the cache at Penn is configured to last 24 hours; the fail-safe cache lasts 48 hours
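The two-tier cache behaviour described above, as an added example (this is not the Atlassian–Grouper connector's code, only a model of the behaviour on the slide). The 24-hour and 48-hour windows are the values Penn configures; the group name, the member ids and the injected clock are constructed so the fresh, stale-but-covered and expired states can be walked through offline. `invalidate()` shows the per-group clearing that an XMPP change notification would ideally trigger, as opposed to clearing every group.

```python
import time

CACHE_TTL = 24 * 3600      # fresh window (Penn's configured cache lifetime)
FAILSAFE_TTL = 48 * 3600   # how long a stale entry may cover a Grouper outage


class GrouperUnavailable(Exception):
    """Raised when Grouper cannot be reached and no usable stale copy exists."""


class FailsafeGroupCache:
    def __init__(self, fetch_groups, clock=time.time):
        # fetch_groups(group_name) -> iterable of member ids; raises if Grouper is down
        self._fetch = fetch_groups
        self._clock = clock                 # injectable for offline testing
        self._entries = {}                  # group_name -> (fetched_at, members)

    def members(self, group_name):
        now = self._clock()
        entry = self._entries.get(group_name)
        if entry and now - entry[0] < CACHE_TTL:
            return entry[1]                 # fresh: no backend call at all
        try:
            members = set(self._fetch(group_name))
        except Exception as exc:
            # Backend down: a stale copy is served only inside the fail-safe window
            if entry and now - entry[0] < FAILSAFE_TTL:
                return entry[1]
            raise GrouperUnavailable(group_name) from exc
        self._entries[group_name] = (now, members)
        return members

    def invalidate(self, group_name):
        # Per-group clearing on a change notification; other groups stay cached
        self._entries.pop(group_name, None)


def demo():
    """Drive the cache through fresh, stale-but-covered and expired states."""
    clock = [0]
    backend_up = [True]
    calls = []

    def fetch(name):                        # constructed stand-in for Grouper WS
        calls.append(name)
        if not backend_up[0]:
            raise ConnectionError("grouper down")
        return {"babu", "babr"}

    cache = FailsafeGroupCache(fetch, clock=lambda: clock[0])
    first = cache.members("confluence-users")      # backend hit, entry stored
    clock[0] = 3600
    second = cache.members("confluence-users")     # within 24 h: served from cache
    backend_up[0] = False
    clock[0] = 30 * 3600                           # past 24 h, inside 48 h
    stale = cache.members("confluence-users")      # refresh fails, stale copy served
    clock[0] = 49 * 3600                           # past 48 h: outage is surfaced
    try:
        cache.members("confluence-users")
        expired = False
    except GrouperUnavailable:
        expired = True
    return {"calls": len(calls), "first": first, "second": second,
            "stale": stale, "expired": expired}
```

The point to keep in mind operationally: while the stale copy is being served, membership removals made in Grouper during the outage are not yet visible to Atlassian, so the fail-safe window is also the window in which a revoked user can still be authorized.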

Page 24: Atlassian – Grouper connector (continued)

– If you have LDAP groups with memberOf and member, you can use Atlassian LDAP groups
– If not, you can use this connector
– Two-way editing is nice (if it works)
– If there is no anonymous access, there is a REMOTE_USER authenticator too

Page 25: Atlassian – Grouper demo

– See the group in Atlassian
– See the group in Grouper (lite UI)
– Edit membership in Grouper
– See the group unchanged in Atlassian
– See logs; after 2 minutes a message will appear from Grouper XMPP notifications
– Group is now changed in Atlassian
– Change the group back, see the message and the change

Page 26: Atlassian – Grouper future

– Penn ISC is happy with it
– Could have better cache clearing
  – Currently it clears all groups, and with large deployments, lots of groups and lots of membership updates, it can be a performance issue
– Fix two-way membership changes
  – This used to work, then stopped working, and we just use Grouper (show demo)

Page 27: Atlassian – Grouper Penn config

Show Penn config for the Atlassian connector

Page 28: Penn eForms: Paper form screenshot

In 2009 Penn wanted to convert paper access management forms to eForms.

(Screenshot; not captured in the transcript.)

© 2009 Internet2

Page 29: Penn eForms: Paper form screenshot (continued)

(Screenshot; not captured in the transcript.)

Page 30: Penn eForms: How to connect Rice to Grouper?

– Add two jars to Rice (grouperRice.jar and grouperClient.jar)
– Add and configure grouper.client.properties
– Configure the Rice Spring override to the group and/or identity service
– Set up a Grouper folder for the “Rice root”

Page 31: Penn eForms: Kuali Rice overridable services

(Diagram; labels only.) Rice request → Rice server (grouperRice.jar, Kuali DB) → grouperClient.jar (grouper.client.properties) → Grouper WS server → Grouper Registry

Page 32: Penn eForms: Grouper client

(Diagram labels: grouperClient.jar, grouper.client.properties, REST, LDAP, Grouper WS server)

– One jar (no conflicts with existing libraries)
– Supports all of the Grouper WS API
– Command line example:

  java -jar grouperClient.jar --operation=hasMemberWs --groupName=aStem:aGroup --subjectIds=1234567

– Java library example:

  new GcHasMember().assignGroupName("aStem:aGroup").addSubjectId("1234567").execute();

Page 33: Penn eForms: workflow with Grouper

(Diagram; components: Grouper UI, Grouper WS, Grouper Registry, Kuali DB. Steps 1–5 are numbered on the slide; the labels that survive are:)
– Initiator fills out form
– Person / org pickers (Grouper UI)
– Get members to route to, and emails (Grouper WS)
– Routes to approver group … routes to approver group N; one in group approves
– On login to Rice, get subject details
– Final: add a member to a Grouper group/role and/or assign permissions; archive the document data and workflow history

Page 34: eForms demo workflow

(Flowchart; labels with the step numbers shown on the slide.)
1. Initiator fills out form. If on behalf of someone else, they need to approve it, unless it is a ‘remove access’ request
2. On behalf of
3. Remove? (No / Yes)
4. Supervisor (person picker). Note: supervisor cannot be the same as ‘On behalf of’
7. Data admin: assert that form is valid
8. Operations: grant access that isn’t automatically provisioned; change KEW initiator to ‘on behalf of’ user
9. Data admin: assert that privileges were granted correctly
10. Final: send email to ‘on behalf of’ user

Other labels: Grouper group selected from available schools; School admin; HR; Payroll; HR and payroll could approve in parallel in future.

Page 35: Grouper Rice demo

Demo movie. Note, there is a larger presentation about this too.

Page 36: PHP use case

Page 37: PHP simple use case

Clay suggested a simple PHP use case: a Penn department wants to protect parts of their site based on a group in PennGroups.
https://spaces.internet2.edu/display/Grouper/Use+case+of+Grouper+and+webpage+access
Note, you need to change settings to be specific for Penn; let me know if you need these settings.

Page 38: Some Grouper features

Page 39: Attribute framework

Grouper previously had group types and attributes. In 1.5, this feature was redone and improved.

Page 40: Can assign attributes to many object types

– Groups
– Folders
– Members
– Memberships (immediate or effective)
– Other attributes
– Attribute assignments (1 level deep)

Page 41: Attribute security

Similar privileges to group security:
– ATTR_READ (can see assignments)
– ATTR_UPDATE (can make assignments)
– ATTR_ADMIN (can edit attribute fields)
– ATTR_VIEW (can see that the attribute exists)
– ATTR_OPTIN (can assign to own member or membership)
– ATTR_OPTOUT

Page 42: Attribute security (continued)

– Anyone with CREATE in a folder can create attributes
– It takes more than attribute security to assign attributes; you need rights on the object as well
  – E.g. to assign a group attribute, you need ADMIN on the group and ATTR_UPDATE on the attribute
– One attribute definition can have multiple names (to reduce the security assignments)

Page 43: Attribute framework UI

– The attribute framework UI is an Ajax UI (similar to the lite membership screen)
– Creates, edits, assigns attributes
– For Grouper 2.0
– Currently in SVN; you can create attributes, names, hierarchies, privileges, roles, role hierarchies, actions, action hierarchies, etc.

Page 44: Attribute framework UI (continued)

– Attributes and actions
– Attribute privileges
– Attribute names (including hierarchy)
– Groups and roles (including hierarchy and privileges)
– Attribute assignments
– Permission assignments (including limits)

Page 45: Permission management

– In Grouper (in the API, GSH, WS, docs, etc.) a privilege refers to being able to do something in Grouper (e.g. READ a group or CREATE objects in a folder)
– So, since privilege = permission: in the new privilege management features, a non-Grouper privilege on a resource will be referred to as a “permission”
– There are permissions as RBAC (Role Based Access Control), and individual permissions

Page 46: Grouper permission management

– Roles: link up groups/subjects and permission resources
– Permission resources: a type of attribute (on a Role or effective Membership)
– Permission sets: can bunch up permission resources into one resource (e.g. for hierarchies)
– Role inheritance: can allow roles to inherit permissions from other roles (e.g. Senior loan administrator inherits from loan administrator)
– Action: qualifier of a permission assignment, e.g. read or write

Page 47: Grouper role or permission directed graphs

– Not a hierarchy (supports multiple parents)
– Supports circular references
– Image is a test case
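Added example (not Grouper's own code) of what the two slides above describe: resolving "may subject S perform action A on resource R" over a role graph that allows multiple parents and circular references, with permission sets that bundle resources and an action qualifier on each assignment. The role, resource and subject names are constructed; the loan-administrator roles echo the inheritance example on the previous slide, and the reviewer pair is there to show that a cycle in the role graph terminates.

```python
from collections import deque


def closure(start, edges):
    """All nodes reachable from start in a directed graph. The seen-set is what
    makes circular references safe: a node is expanded at most once."""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in edges.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


class PermissionGraph:
    def __init__(self):
        self.role_members = {}    # role -> subjects directly in the role
        self.role_inherits = {}   # role -> roles it inherits permissions from
        self.set_contains = {}    # permission set -> resources (or sets) in it
        self.assignments = set()  # (role, action, resource-or-set)

    def add_member(self, role, subject):
        self.role_members.setdefault(role, set()).add(subject)

    def inherit(self, child, parent):
        self.role_inherits.setdefault(child, set()).add(parent)

    def put_in_set(self, perm_set, resource):
        self.set_contains.setdefault(perm_set, set()).add(resource)

    def assign(self, role, action, resource):
        self.assignments.add((role, action, resource))

    def effective_roles(self, subject):
        roles = set()
        for role, members in self.role_members.items():
            if subject in members:
                roles |= closure(role, self.role_inherits)
        return roles

    def covering_sets(self, resource):
        # The resource itself plus every set that (transitively) contains it:
        # an assignment on a set grants everything inside it
        parents = {}
        for perm_set, children in self.set_contains.items():
            for child in children:
                parents.setdefault(child, set()).add(perm_set)
        return closure(resource, parents)

    def has_permission(self, subject, action, resource):
        roles = self.effective_roles(subject)
        targets = self.covering_sets(resource)
        return any((r, action, t) in self.assignments
                   for r in roles for t in targets)


def build_demo():
    g = PermissionGraph()
    g.put_in_set("loanDocs", "loanDocs:application")   # constructed resources
    g.put_in_set("loanDocs", "loanDocs:appraisal")
    g.inherit("seniorLoanAdmin", "loanAdmin")          # senior inherits from loan admin
    g.assign("loanAdmin", "read", "loanDocs")          # read on the whole set
    g.assign("seniorLoanAdmin", "write", "loanDocs:application")
    g.inherit("reviewerA", "reviewerB")                # circular reference
    g.inherit("reviewerB", "reviewerA")
    g.assign("reviewerB", "read", "loanDocs:appraisal")
    g.add_member("loanAdmin", "ann")
    g.add_member("seniorLoanAdmin", "sam")
    g.add_member("reviewerA", "pat")
    return g


def demo():
    g = build_demo()
    checks = [("ann", "read", "loanDocs:application"),
              ("ann", "write", "loanDocs:application"),
              ("sam", "read", "loanDocs:appraisal"),
              ("sam", "write", "loanDocs:application"),
              ("sam", "write", "loanDocs:appraisal"),
              ("pat", "read", "loanDocs:appraisal"),
              ("pat", "read", "loanDocs:application")]
    return {c: g.has_permission(*c) for c in checks}
```

Only ALLOW assignments are modelled here; the ALLOW/DENY semantics mentioned on the next slide as a 2.0 topic would need a precedence rule on top of this resolution and are left out rather than guessed.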

Page 48: Grouper permissions ALLOW/DENY

This is an up-and-coming topic (v2.0). The document explains permissions in Grouper, how you can set them up, and the issues involved.

Page 49: Demo server

– Internet2 has a Grouper demo server
– Address is: https://grouperdemo.internet2.edu/
– Hosts various versions of Grouper
– Shows features (e.g. permissions, external users, syncing between Groupers)
– Allows users or potential users to kick the tires (not for production, obviously)

Page 50: Penn’s test server

– Penn has a test environment for Grouper, which is the best place to test things out
– The production environment of Grouper has two top-level folders: /penn/ and /test/
– If you want to try simple things out in prod in the penn or test folder, go ahead
  – Note: if you are doing load testing or have a lot of sample data then do not use prod, due to audit and point-in-time
– Note: I’m not sure of the status of the test LDAP

Page 51: Demo server setup folders for users

– Already done for all users except one (so I can demo)
– Show setup for mvm:
  – Create folder: users/penn2/mvm
  – Create group: users/penn2/mvm/mvmAdmins
  – Invite external user, conscript the EPPN since it is known: [email protected]
  – Assign the CREATE GROUP and CREATE FOLDER privileges to mvmAdmins, and READ/UPDATE on mvmAdmins

Page 52: Demo server - register

– Google: grouper demo server external users
– Click on the register link
– Fill in name, institution, email, etc.
– After everyone is done, I will regenerate external subjects’ description via GSH, though I’m not sure it is necessary:

  gsh 1% GrouperSession.startRootSession()
  gsh 2% ExternalSubject.internal_daemonCalcFields();

Page 53: Group

– Group: a collection of subjects
– Create a group in your folder with the admin UI
  – Do not make it world readable
  – Add some subjects
– Do the same thing with the Lite UI

Page 54: Grouper group privileges

Privileges (or Grouper privileges) refer to control on Grouper objects. Permissions refer to central permissions management.

– Try to search for a group that your neighbor created
  – You shouldn’t be able to do it; you don’t have VIEW
– Grant VIEW to your neighbor’s EPPN, have them do it too (Admin UI)
  – Search for your neighbor’s group, try to view members; can’t without READ
– Grant READ with the Lite UI to your neighbor’s EPPN, try to view members
– Try to update members; grant UPDATE, try to update members
– Try to change the name of your neighbor’s group; can’t without ADMIN
– Grant ADMIN to your neighbor’s EPPN, change the name of the group

Page 55: Grouper folder privileges

– Create a folder in your folder
– Try to create a group in your neighbor’s new folder
  – Can’t without CREATE GROUP (or other objects)
– Grant this privilege, try now
– Try to create a subfolder in your neighbor’s folder
  – Can’t without CREATE FOLDER
– Grant this privilege, try now

Page 56: See groups of a subject

– Search for your EPPN from the menu on the left of the admin UI
– See which direct or indirect groups you are in
  – Note, this is a secure view. If there are groups that you cannot READ or ADMIN, then you won’t see them in the list

Page 57: Grouper loader

– Grouper can load a group based on a SQL query
  – Generally this is from the PennCommunity database or the warehouse
  – Schedule is cron-based
– Can also load a group of groups in one query
  – E.g. class lists
  – E.g. orgs
– Show examples
– ISC Data Administration can help write queries
– Email the PennGroups help email list for information

Page 58: Loader include/exclude example

– Create a group
– Read/update should not be granted to everyone
– Use the addIncludeExclude type
– Look in the folder; there will be 5 groups created with that type.
– Open the system of record, and let’s make that the loader group. The loader group is community:students
– Create this view in the DB (this is done):

  mysql> CREATE OR REPLACE VIEW loader_student AS \
         (SELECT subjectId AS subject_id FROM SUBJECT WHERE \
          subjectId LIKE 'fi%');

Page 59: Loader include/exclude example (continued)

– Add the students group to the system of record group
– Set the system of record group to be grouperLoader type
– Edit attributes on the group (already done, admin only):

  grouperLoaderDbName: grouper
      NOTE: configure other DB connections in grouper-loader.properties
  grouperLoaderQuartzCron: 0 * * * * ?
      NOTE: every minute, just for testing…
  grouperLoaderQuery: select subject_id subject_id from loader_student
  grouperLoaderScheduleType: CRON
  grouperLoaderType: SQL_SIMPLE

– Bounce the loader (CTRL-C, start again; don’t run two at the same time!):

  % ./gsh.sh -loader

Page 60: Loader include/exclude example (continued)

– Never edit the loader group, unless you expect it to get overwritten
– Add fico to the excludes group
– Add bapo to the includes group
– Look at the overall group
– Generally the privileges are:
  – Assign READ on all to admins
  – Assign UPDATE on include/exclude groups to admins
  – Assign READ to the service principal of the app for the overall group, or to other people who need to use the group

Page 61: RequireInGroups example

– Create a folder under root: apps
– Create a folder under that folder: pto
– Create a group in that stem: apps:pto:ptoAdmins
– Select the requireInGroups type for that group
– This created another system of record group, and an overall group
– In the overall group, edit the attribute: requireAlsoInGroups
– The value should be: community:students
– Now see that the overall group is an intersection composite
– Add baco and fipo to the system of record group
– Which is in the overall group? Why?
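The loader and composite exercises on pages 58 to 61 combine three pieces of set arithmetic, shown here as an added example (not Grouper's loader or composite code): a SQL_SIMPLE loader run makes the loader group equal the query result (so a hand-made edit is reverted on the next run, which is why the slide says never to edit it); the addIncludeExclude type yields overall = (systemOfRecord ∪ includes) − excludes; and requireInGroups yields overall = systemOfRecord ∩ each requireAlsoInGroups group. The subject table stands in for the SUBJECT table behind the loader_student view and is constructed; the ids fico, fipo, baco, bapo, babu and babr are the ones used in the exercises. The group-name suffixes (_systemOfRecord, _includes, _excludes, _systemOfRecordAndIncludes) are the ones I believe Grouper uses but are stated here as an assumption.

```python
def loader_sync(current_members, query_result):
    """One SQL_SIMPLE loader run: the group is made equal to the query result.
    Returns (added, removed, resulting membership)."""
    current, wanted = set(current_members), set(query_result)
    return wanted - current, current - wanted, wanted


def include_exclude_family(base, system_of_record, includes, excludes):
    """The five groups the addIncludeExclude type produces, keyed by name."""
    sor_and_includes = set(system_of_record) | set(includes)
    return {
        base + "_systemOfRecord": set(system_of_record),
        base + "_includes": set(includes),
        base + "_excludes": set(excludes),
        base + "_systemOfRecordAndIncludes": sor_and_includes,
        base: sor_and_includes - set(excludes),   # the overall group
    }


def require_in_groups(system_of_record, required_groups):
    """requireInGroups: overall is the intersection of the system of record
    with every group listed in requireAlsoInGroups."""
    overall = set(system_of_record)
    for members in required_groups:
        overall &= set(members)
    return overall


def exercise():
    # Constructed stand-in for the SUBJECT table; loader_student selects LIKE 'fi%'
    subject_table = {"babu", "babr", "fico", "fipo", "baco", "bapo"}
    query = {s for s in subject_table if s.startswith("fi")}

    # Someone hand-added bapo to community:students; the next run removes it again
    added, removed, students = loader_sync({"fico", "bapo"}, query)

    # Include/exclude group whose system of record holds community:students;
    # the base group name is constructed
    family = include_exclude_family("demo:students", students,
                                    includes={"bapo"}, excludes={"fico"})

    # apps:pto:ptoAdmins with requireAlsoInGroups = community:students
    pto_admins = require_in_groups({"baco", "fipo"}, [students])

    return {"loader_added": added, "loader_removed": removed,
            "students": students, "group_count": len(family),
            "overall": family["demo:students"], "ptoAdmins": pto_admins}
```

For the question on page 61 the last line is the one to look at: of baco and fipo, only the id that the loader_student view selects survives the intersection. The privilege recommendation on page 60 follows from the same structure: UPDATE is useful on the includes and excludes groups, where edits persist, and pointless on the loader group, where they do not.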

Page 62: Get the Grouper Client Binary

– http://www.internet2.edu/grouper/release/2.0.0/
– Edit the grouper.client.properties:

  grouperClient.webService.url = https://grouperdemo.internet2.edu/grouper-ws_v2_0_0/servicesRest
  grouperClient.webService.login = test1
  grouperClient.webService.password = **************

Page 63: Get the Grouper Client (continued)

Get usage:

  $ java -jar grouperClient.jar

Get the members of a group:

  $ java -jar grouperClient.jar --operation=getMembersWs --groupNames=users:penn:mchyzer:apps:pto:mchyzerPtoUsers

Customize the output (note, double quotes for Windows, single quotes for Unix):

  $ java -jar grouperClient.jar --operation=getMembersWs --groupNames=users:penn:mchyzer:apps:pto:mchyzerPtoUsers --outputTemplate='${wsSubject.id}$newline$'

Page 64: Grouper client uses XML POX

  $ java -jar grouperClient.jar --operation=getMembersWs \
      --groupNames=test:testGroup --debug=true

  ################ REQUEST START (indented) ###############
  POST /test1_grouperWs/servicesRest/v1_6_003/groups HTTP/1.1
  Content-Type: text/xml; charset=UTF-8

  <WsRestGetMembersRequest>
    <wsGroupLookups>
      <WsGroupLookup>
        <groupName>test:testGroup</groupName>
      </WsGroupLookup>
    </wsGroupLookups>
  </WsRestGetMembersRequest>
  ################ REQUEST END ###############

Page 65: Grouper client uses XML POX (continued)

  ################ RESPONSE START (indented) ###############
  HTTP/1.1 200 OK
  X-Grouper-resultCode: SUCCESS
  X-Grouper-success: T

  <WsGetMembersResults>
    <resultMetadata>
      <resultCode>SUCCESS</resultCode>
    </resultMetadata>
    <results>
      <WsGetMembersResult>
        <wsSubjects>
          <WsSubject>
            <resultCode>SUCCESS</resultCode>
            <success>T</success>
            <id>babu</id>
            <sourceId>jdbc</sourceId>
          </WsSubject>
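Because the client speaks plain XML over HTTP, the getMembers exchange on these two slides can be reproduced without the jar. The following is an added example in Python (not the Grouper client's own code): it builds the WsRestGetMembersRequest body, frames the HTTP request on the path shown on page 64, and parses a response of the shape shown on page 65. The element names and request path are copied from the slides; SAMPLE_RESPONSE is a constructed, well-formed completion of the truncated body on the slide (a second subject and one failed lookup are made up for the demonstration), and no network call is made.

```python
import xml.etree.ElementTree as ET

WS_PATH = "/test1_grouperWs/servicesRest/v1_6_003/groups"


def build_get_members_request(group_names):
    """Serialise a WsRestGetMembersRequest. Building it with ElementTree rather
    than string concatenation means a group name containing '<' or '&' is
    escaped and cannot break out of its element."""
    root = ET.Element("WsRestGetMembersRequest")
    lookups = ET.SubElement(root, "wsGroupLookups")
    for name in group_names:
        lookup = ET.SubElement(lookups, "WsGroupLookup")
        ET.SubElement(lookup, "groupName").text = name
    return ET.tostring(root, encoding="unicode")


def http_message(group_names):
    """The request as it would go on the wire (the slide shows the same framing)."""
    body = build_get_members_request(group_names)
    return ("POST %s HTTP/1.1\r\n" % WS_PATH
            + "Content-Type: text/xml; charset=UTF-8\r\n"
            + "Content-Length: %d\r\n\r\n" % len(body.encode("utf-8"))
            + body)


SAMPLE_HEADERS = {"X-Grouper-resultCode": "SUCCESS", "X-Grouper-success": "T"}
SAMPLE_RESPONSE = """<WsGetMembersResults>
  <resultMetadata><resultCode>SUCCESS</resultCode></resultMetadata>
  <results>
    <WsGetMembersResult>
      <wsSubjects>
        <WsSubject><resultCode>SUCCESS</resultCode><success>T</success>
          <id>babu</id><sourceId>jdbc</sourceId></WsSubject>
        <WsSubject><resultCode>SUCCESS</resultCode><success>T</success>
          <id>babr</id><sourceId>jdbc</sourceId></WsSubject>
        <WsSubject><resultCode>SUBJECT_NOT_FOUND</resultCode><success>F</success>
          <id>ghost</id><sourceId>jdbc</sourceId></WsSubject>
      </wsSubjects>
    </WsGetMembersResult>
  </results>
</WsGetMembersResults>"""   # constructed completion of the slide's truncated body


def parse_get_members_response(headers, body):
    """Return [(subject id, source id)] for subjects the server marked successful.
    Both the X-Grouper-success header and the body's resultCode are checked: a
    caller that only looked at HTTP 200 would treat a failed lookup as an empty
    group, which for an authorization check is the wrong default."""
    if headers.get("X-Grouper-success") != "T":
        raise RuntimeError("web service reported failure: %s"
                           % headers.get("X-Grouper-resultCode"))
    root = ET.fromstring(body)
    if root.findtext("resultMetadata/resultCode") != "SUCCESS":
        raise RuntimeError("resultCode was not SUCCESS")
    members = []
    for subject in root.iter("WsSubject"):
        if subject.findtext("success") == "T":   # skip per-subject failures
            members.append((subject.findtext("id"), subject.findtext("sourceId")))
    return members
```

When wiring this to a live server, the only additions are HTTP basic authentication with the grouperClient.webService.login credentials from page 62 and TLS certificate verification; the parsing above does not change.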

Page 66: Grouper client as library

  % cd ~/1.6.3/grouper.clientBinary-1.6.3
  % emacs GrouperClientExample.java

  import edu.internet2.middleware.grouperClient.api.GcGetMembers;
  import edu.internet2.middleware.grouperClient.util.GrouperClientUtils;
  import edu.internet2.middleware.grouperClient.ws.beans.*;

  public class GrouperClientExample {
    public static void main(String[] args) {
      // call the getMembers web service for one group
      WsGetMembersResults wsGetMembersResults = new GcGetMembers()
          .addGroupName("test:testGroup").execute();
      // one result per group looked up; only one group was requested
      WsGetMembersResult wsGetMembersResult = wsGetMembersResults.getResults()[0];
      // nonNull() guards against an empty group returning a null array
      for (WsSubject wsSubject : GrouperClientUtils.nonNull(
          wsGetMembersResult.getWsSubjects(), WsSubject.class)) {
        System.out.println(wsSubject.getId());
      }
    }
  }

Page 67: Grouper client as library (continued)

Note, colons for Unix, semicolons for Windows:

  % javac -cp .:grouperClient.jar -sourcepath . GrouperClientExample.java
  % java -cp .:grouperClient.jar GrouperClientExample
  babu
  babr
  Babl
  %

Page 68: Grouper WS documentation and samples

There are hundreds of samples of WS for each operation in:
– SOAP
– SOAP-lite
– POX
– POX-lite
– JSON
– XHTML

These are auto-generated for the release and stored in SVN.

Page 69: Grouper customized UIs

– Grouper UIs can have custom text or skins
  – E.g. membership lite UI
  – E.g. person picker
– Helps the Grouper screens integrate better with the application
– Show example

Page 70: Lite UI export/import

– Go to the lite UI of ptoAdmins_systemOfRecord
– Under advanced, export entity ids of the group
– Save as CSV, add elwi
– Import that, and see elwi added

Page 71: Admin UI audit log

– Go to the admin UI of ptoAdmins_systemOfRecord
– Click on Audit Log
– See all the actions taken on this group
– Why is the Create Group not there? Where is it?

Page 72: Survey

Please fill out this survey to help us improve our training: http://www.surveymonkey.com/s/LLWGLGD

Page 73: Questions?