Grouper Rules: Any Angler Can Use Them Now

Array

Estimated reading time: 6 minutes

By Chris Hyzer, University of Pennsylvania

If your financial planner or your lawyer talks to you about life cycle planning, it can be a weighty discussion. Luckily this blog is about something more fun, at least if you are an access management geek. A joke is told; you decide if it is funny. If so, you laugh. That is a rule. When something happens, check a condition; if true, then do an action. Another example: Grouper School is announced for August 19-22, you see if you are free, and you sign up for Grouper training (which includes covering the new rules features).

Graphic image of a man fishing while the sun is setting.

Now for an employee life cycle example from the access management world: When someone is no longer an employee and in a manual admin group for an application, then automatically the person is removed from the group. There are many life cycle patterns like this, and Grouper makes it easy to implement them in your system through a capability called Grouper rules. Another way to handle this use case is with something called a composite intersection, but using rules can improve deprovisioning in addition to blocking access.

Grouper Rules of the Road

Rules in Grouper usually have a concept of a daemon job. This makes sure that controls are consistent with existing data. For instance in the above example, if someone adds non-employees to the admin group, the daemon will remove them at night since they are not employees. Note you can add another rule to veto additions to the group.

Grouper has had rules for years, but they were a little difficult to manage because:

Grouper admins implemented them.
They were implemented via the attribute framework UI screens, a GSH script, or a GSH template.
There was a database view to see the rules in the registry.
If you deleted a group/folder that was a dependency in a rule, the rule would break without feedback to the user.
If you did a web search for “Grouper rules,” you would get fishing regulations (sorry!).

Graphic display of a sloth rock climbing.

Five Ways Grouper v5 Rules Are Easier to Manage

Grouper v5 rules addresses these shortcomings.

Any user with the appropriate privileges can implement a rule. A caveat is there is a list of patterns to choose from, which includes all the existing use cases on the Internet2 Grouper Rules wiki.
The UI has a “Rules” button for groups and folders, so you can easily implement a needed rule.
The UI also shows all the rules defined on that group/folder including rules that reference that group/folder.
If you delete a group/folder, the application will warn you that rules defined elsewhere will not be valid anymore.
Include “Internet2” as a search engine term.

Graphic display of a sloth riding a dirt bike.

Applying Grouper Rule Improvements: The Case of Membership Eligibility

To get a closer look at the improvements to Grouper rules, let’s examine the case of membership eligibility.

Graphic image displaying an eligibility form.

A delegated Grouper user can configure eligibility levels for groups, which essentially implements two rules at once (though it is not implemented with rules under the covers):

If someone is no longer in the eligibility group, then remove the person from the manual group.
If someone is added to the manual group who is not in the eligibility group, then veto it.
Daemon makes sure existing data is consistent (i.e., If the membership requirement is configured after the group has data, then make sure the existing members are eligible.).
Ignore groups as members. Groups are not employees, so if the rule is defined as non eligible subjects, then the group itself is not an employee and is not normally eligible.

On the Road to Managing the Full Life Cycle

Rules are nice for one-offs, and the eligibility requirements make it easy to implement multiple rules, but what if more sophistication is required to manage the full life cycle?

This is on our roadmap. A “membership eligibility” module in Grouper could provide an easy way to manage memberships automatically, improve attestation, provide notifications for events, which require human intervention, include grace periods, and have more granular controls for when someone should be removed from a group.

We are currently discussing the requirements and priorities with the community. Join our InCommon-Grouper Slack channel to participate. Thanks to our friends at Georgia Tech, who have been extremely helpful in moving this discussion forward.

Graphic image of a sloth floating in space.

Contributing to the Community

We appreciate all our community partners who have provided use cases and testing. Please check out the community contributions page here.
Please email Emily Eisbruch emily@internet2.edu if you’d be willing to share a new Grouper contribution.
Special thanks to all the Grouper community members working on a documentation improvement effort being coordinated by Nicolette Stout of Idaho State University. This work is being tracked on the Grouper documentation wiki page.

Get involved now and join us later! We are excited to meet with the Grouper community at 2024 Internet2 Technology Exchange in Boston (December.9-13).

Thanks!

Chris Hyzer, Grouper lead

About Grouper

Grouper is an enterprise group and access management system that simplifies access management by letting you use the same group or role in many places in your organization. Grouper is part of the InCommon Trusted Access Platform, an identity and access management suite of software designed to integrate with existing systems.Our roadmap is based on community input. Grouper, the access management component of the InCommon Trusted Access Platform, evolves to meet the community’s needs.