Educause Security Discussion mailing list archives

Re: Process for handling web-based account management


From: Bill Thompson <thompsow () LAFAYETTE EDU>
Date: Thu, 6 Jul 2017 11:43:24 -0400

Yes, I think we’ll know Grouper/TIER provisioning has succeeded when the community is actively sharing/maintaining 
provisioning plug-ins based on a standard architecture. There has been quite a bit of work on the Grouper messaging 
front lately, which gives one hope that we are getting closer to a place when enough deployments have converged to make 
this possible.

Carl Waldbieser has been pushing Lafayette’s provisioning code and grouper tools to GitHub here:
https://github.com/cwaldbieser/grouper_tools
https://github.com/cwaldbieser/grouper_python_provisioner

So far we have provisioners for:
* O365 (via the graph api)
* BoardEffect
* Slack
* Zimbra distribution lists
* LDAP (supports a whole host of services via ldap and saml)
* remote shell provisioner (targets systems with ssh access for authorization management)

The system makes it easy to add any remote/rest/web api based target.

We are planning on sharing more details about the system at the Internet2 Tech Exchange in October:
https://meetings.internet2.edu/2017-technology-exchange/program-guide/tutorials/#Grouper

Best,
Bill
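The sync model described in this thread (cohorts and policy defined in Grouper, membership changes pushed over messaging, one plug-in per remote target), as an added example that is not the Lafayette provisioner code from the repositories above: a small Python provisioner plug-in that applies membership-change messages idempotently and runs a full reconcile against the authoritative membership. The JSON message shape, group name and subject names are constructed assumptions, not Grouper's actual change-log format.

```python
import json

class InMemoryProvisioner:
    """Constructed stand-in target so the example runs offline. A real plug-in
    (Slack, O365, Zimbra ...) implements the same three methods against the API."""
    def __init__(self, groups=None):
        self.groups = {g: set(m) for g, m in (groups or {}).items()}
    def current_members(self, group):
        return set(self.groups.get(group, set()))
    def add_member(self, group, subject):
        self.groups.setdefault(group, set()).add(subject)
    def remove_member(self, group, subject):
        self.groups.get(group, set()).discard(subject)

def apply_change(provisioner, message):
    """Apply one membership-change message idempotently, so a redelivered
    message is harmless. Returns 'added', 'removed' or 'noop'."""
    event = json.loads(message)
    group, subject, action = event["group"], event["subject"], event["action"]
    if action not in ("add", "delete"):
        raise ValueError(f"unknown action {action!r}")
    members = provisioner.current_members(group)
    if action == "add" and subject not in members:
        provisioner.add_member(group, subject)
        return "added"
    if action == "delete" and subject in members:
        provisioner.remove_member(group, subject)
        return "removed"
    return "noop"

def full_sync(provisioner, group, authoritative_members):
    """Reconcile the target to the authoritative Grouper membership, which also
    revokes access granted directly in the target. Returns (added, removed)."""
    current = provisioner.current_members(group)
    wanted = set(authoritative_members)
    added, removed = sorted(wanted - current), sorted(current - wanted)
    for subject in added:
        provisioner.add_member(group, subject)
    for subject in removed:
        provisioner.remove_member(group, subject)
    return added, removed

# Constructed sample messages in an assumed JSON shape (not Grouper's real change-log format).
SAMPLE_MESSAGES = [
    '{"group": "app:slack:users", "subject": "alice", "action": "add"}',
    '{"group": "app:slack:users", "subject": "alice", "action": "add"}',
    '{"group": "app:slack:users", "subject": "bob", "action": "delete"}',
]
```

The periodic full_sync is what catches drift such as an account added directly in the cloud console, which per-message provisioning alone never sees.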


On Jul 5, 2017, at 9:26 PM, Mark Poepping <poepping () CMU EDU> wrote:

 
Is anybody sharing the specific code for integrating with the various cloud-based APIs (and where)? Seems that 
could be relatively generic if we’re sharing the same data model (or most of it at least) via a set of common tech 
(aka Grouper).
Thanks.
Mark.
 
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bill 
Thompson
Sent: Wednesday, July 05, 2017 12:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Process for handling web-based account management
 
We’ve been having some success with using Grouper to control both remote account and authorization/group management. 
Institutional cohorts and account/authorization policy are defined and managed in Grouper. Remote (i.e., cloud) systems 
are kept in sync via a messaging system based on RabbitMQ. The overall strategy is described in more detail in the 
TIER Grouper Deployment Guide https://spaces.internet2.edu/display/TI/TI.25.1.
 
Best,
Bill Thompson
Director Digital Infrastructure
Lafayette College
 
 
On Jun 29, 2017, at 4:45 PM, Rob Milman <rob.milman () SAIT CA> wrote:
 
Hi everyone,
 
With the ever-increasing move of campus services to web-based applications (aka The Cloud), we are finding it harder 
and harder to maintain control over account management. Does anyone have a process that is working to manage these 
accounts for their institution and would be willing to share?
 
Thanks,
 
Rob
 
Rob Milman
Security & Compliance Analyst
Information Systems
 
Southern Alberta Institute of Technology
EH Crandell Building, GA 214
1301 – 16 Avenue NW, Calgary AB, T2M 0L4
 
(Office) 403.774.5401  (Cell) 403.606.3173
rob.milman () sait ca
