Implementing MACE Grouper at Brown University
James Cramton
October 9, 2007
Internet2 Fall Member Meeting 2007, San Diego, CA
Project Goals
• Centralize group definitions
• Make groups more accessible to apps
• Delegate group management
• Improve group management interface
• Adopt compatible standards
• Minimize service interruptions
• Phased rollout of supported apps
Solution Scope
• Identify measurable benefit to CIS
• Pilot Instructional Technology applications
  – WebCT course management software
  – Majordomo email list manager
  – Confluence wiki
  – iTunes U
• Limit initial user base to 6 users of the GUI
• Focus on the well known course group schema
• 1 year in planning
  – 1 PT developer
  – 1 PT sys admin
  – 3 PT managers
• 2 months in execution
  – 2 FT developers
  – 1 PT sys admin
  – 3 PT managers
Current Status
• Production launch at start of Fall semester 2007
• Limited to course groups
  – 2,500 ‘real’ courses; 4,500 with independent study
  – 14 groups per section → 60,000 course groups
• Nightly provisioning takes 5 – 8 hours
• LDAP provisioning takes 1.5 – 2 hours
  – Runs continuously after nightly provisioning
  – Replicates ad-hoc changes in near-time (2 – 4 hours)
  – Corrects minor discrepancies created under load
• Demographic groups using legacy Brown Grouper
System Diagram
[Figure: before/after system diagram. Components shown: Grouper Feed, Brown Grouper, MACE Grouper, LDAP, Majordomo courses, Confluence courses, iTunes, WebCT course memberships; roles shown: Admins, Instructor, TA, Student, Auditor.]
Provisioning Workflow
Person and Group Provisioning Interactions
• Nightly provisioning batch runs in 5 - 8 hours
• Each step executes via ssh immediately after its predecessors, from a shell script on one host
• Batched LDAP provisioning replicates ad-hoc Grouper changes every 1.5 - 2 hours
• Dependencies on nightly person provisioning can suspend execution
[Figure: provisioning timeline. Steps in the order shown: Feeds (BRU Feed, Grouper Feed, Course Feed) → Registry_user provisioning → Groupsync → Update groups → LDAPpc → WebCT provisioning. Time slots shown: 12:00 AM – 1:30 AM, 1:30 AM – 3:00 AM, 3:00 AM – 3:30 AM, 3:30 AM – 4:00 AM, 4:15 AM – 7:00 AM, 7:00 AM – 8:00 AM. Hosts shown: Kilo, Terra, Lyra, Bootes, Falcon, Whiskey, Edsel, Harvey, with QA instances of WebCT, Registry and MACE Grouper alongside production Brown Grouper, MACE Grouper, WebCT and LDAP Groups.]
Course Group Schema
• Course : [ Subject ] : [ Number ] : [ Term ] : [ Section ]
• All
  – Administrator
    · Instructor (Provisioned)
    · TeachingAssistant
    · Manager
  – Contributor
    · ContentDeveloper
    · Mentor
  – Learner
    · Student (Provisioned)
    · Auditor
    · Vagabond
[ brackets ] indicate dynamic data
Bold indicates eduCourse/IMS compatible role
• Schema is flattened to provision LDAP
• 12 groups per course provision hasMember attribute in Groups ou
• Person objects get isMemberOf pointers to groups
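The flattening described above, worked through as an added example (not Brown's or Grouper's code): it builds the stem name from the slide's naming pattern, expands the nested role tree into the 12 flat groups, and emits the hasMember and isMemberOf values. It assumes that a member of a child role is also a member of every ancestor role, and the DN layout under the Groups and People ous is a constructed placeholder.

```python
"""Flatten the slide's course group schema into LDAP hasMember / isMemberOf
values.  Added example, not Brown's or Grouper's code.  Assumptions: a member
of a child role is also a member of every ancestor role (that is how the
nested schema is "flattened"); the DN layout is a constructed placeholder."""

# Role tree from the Course Group Schema slide: role -> parent (None = top).
ROLE_PARENT = {
    "All": None,
    "Administrator": "All", "Instructor": "Administrator",
    "TeachingAssistant": "Administrator", "Manager": "Administrator",
    "Contributor": "All", "ContentDeveloper": "Contributor",
    "Mentor": "Contributor",
    "Learner": "All", "Student": "Learner", "Auditor": "Learner",
    "Vagabond": "Learner",
}
GROUPS_BASE = "ou=Groups,dc=example,dc=edu"   # constructed placeholder
PEOPLE_BASE = "ou=People,dc=example,dc=edu"   # constructed placeholder


def course_stem(subject, number, term, section):
    """Course : [Subject] : [Number] : [Term] : [Section], per the slide."""
    return ":".join(["Course", subject, number, term, section])


def ancestors(role):
    """Yield the role itself and each parent role up to the top."""
    while role is not None:
        yield role
        role = ROLE_PARENT[role]


def flatten(subject, number, term, section, direct):
    """direct: {role: [uid, ...]} as assigned by the feed.
    Returns (has_member, is_member_of): group DN -> sorted member DNs,
    and person DN -> sorted group DNs.  Every course yields 12 groups,
    even those with no members, matching the slide's count."""
    stem = course_stem(subject, number, term, section)
    group_dn = {r: f"cn={stem}:{r},{GROUPS_BASE}" for r in ROLE_PARENT}
    has_member = {dn: set() for dn in group_dn.values()}
    is_member_of = {}
    for role, uids in direct.items():
        if role not in ROLE_PARENT:
            raise ValueError(f"unknown role {role!r} in {stem}")
        for uid in uids:
            pdn = f"uid={uid},{PEOPLE_BASE}"
            for r in ancestors(role):          # nesting flattened here
                has_member[group_dn[r]].add(pdn)
                is_member_of.setdefault(pdn, set()).add(group_dn[r])
    return ({g: sorted(m) for g, m in has_member.items()},
            {p: sorted(g) for p, g in is_member_of.items()})
```

Feeding the two provisioned roles (Instructor and Student) for one section shows the instructor landing in Administrator and All, and each student in Learner and All, without any of the roles being assigned directly.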
Application Role Mapping
• Documented how Grouper groups map to application roles
• Application integration characteristics allow some flexibility
• Mapping highly dependent on user feedback
[Table: MACE Grouper Course Groups mapped to application roles. Columns: MACE Grouper Course Groups, iTunes, Majordomo, Confluence, WebCT. Grouper group rows: All, Administrator, Instructor, Managers, TAs, Contributor, Content Developers, Mentors, Learner, Student, Auditors, Vagabonds, and Other (outside MACE Grouper). Application roles appearing in the cells: iTunes – Instructors (provisioned), Students (provisioned, read only); Majordomo – Recipient list, Discussion Sender, Broadcast Sender; Confluence – Can Use, Space Admin; WebCT – Instructor, TA and Designer, Designer, Student, Auditor; Other (outside MACE Grouper) – Super Admin, Super Admin(s).]
Lessons Learned—Integration
• Write good documentation
  – 40 pages of concepts, role mapping, plus Grouper and application tasks
• Test with the most representative data possible
  – Mid-term data not always representative—too little change
  – Beginning of term data causes more change—and longer run time
• Be prepared for a lengthy support cycle after launch
• Application ‘support’ for external groups is variable
  – Some integrate directly with LDAP ~ natively (iTunes, Majordomo)
  – Some use separate provisioning scripts (WebCT)
  – Some suffer loss of usability with thousands of groups (Confluence)
  – None pay any attention to group ACLs—use single bind dn
• Application needs vary by course or group
  – Some need section-specific course groups
  – Some need multi-section course groups
• Few performance problems in the Grouper UI
• LDAPpc provisioning needs performance and feature improvements
  – Provisioning LDAP from group attribs would allow more flexibility
Lessons Learned—Group Management
• Limit initial release audience to manageable, trusted group
• Demographic groups are a big challenge
  – 10 years of legacy demographic group evolution is a mess
  – Legacy demographic groups have redundancy and transparency problems
  – Can’t clean up part of the legacy data without addressing all groups
  – Demographic group resolution gating factor in deploying apps
    · WebAuth
    · Wifi
    · Bulk Email
• Naming conventions take a long time to define
  – Accurately representing existing uses of groups
  – Maintaining standards compatibility (eduCourse/IMS)
  – Catch-all group important in course schema
• Widespread use will require exposure of implications of actions
  – Lay users will need a clear understanding of how changes impact apps
  – GUI troubleshooting tool awaits in Nirvana
Next Steps
• Software improvements needed in near term
  – Performance
    · LDAPpc batched performance around 2 hours is too long
    · Provision LDAP using attribs, not stems
      – Speed: Do not provision 2,000 independent study course groups
      – Flexibility: Add courses to provisioning process as needed
  – Logging and auditing capabilities need improvement
  – UI needs to be customized for Brown’s needs
    · Off-the-shelf UI is demonstration of all capabilities
    · Collaboration started with other campuses
• Identify priorities for fall development
  – Other CIS projects
  – Deploy more applications using course groups
  – Delve into demographic groups, AD, NDS migrations (complicated)
  – Support more detailed privilege management (Signet?)
  – Develop tool to expose implications of group and privilege changes
Long Term Vision
• Identify who manages groups
• Allow lay people to manage their groups & privileges
  – Must convey implications of group & privilege changes across apps
  – Pursuing idea of a ‘services portal’ to automatically activate selected services for specific groups
  – Both imply more granular control of privileges
• Message-based provisioning
  – Provide real-time change availability
    1. From Grouper to LDAP
    2. From HR or course management systems to Grouper
• Enforcement of group ACLs from within applications
  – Apps should not expose existence or membership of some groups
  – Have yet to see an application support this
  – Probably can be achieved by removing capabilities from apps
  – May require exposure of privilege management to community