Internet2

close
Use Internet2 SiteID

Already have an Internet2 SiteID?
Sign in here.

Internet2 SiteID

Your organization not listed? Create a local account to use Internet2 services.

Create SiteID

Grouper

overview

NEWS: Grouper 2.2 Released featuring enhanced user interface.


Grouper is an enterprise access management system designed for the highly distributed management environment and heterogeneous information technology environment common to Universities. Operating a central access management system that supports both central and distributed IT reduces risk.

Why Use Grouper?

  • Coordinated Collaboration Grouper helps collaboration happen. You can set up groups, roles, and permissions for many purposes, such as populating and administering standing committees, ad hoc research teams, departments, or classes. Key collaborative applications -- mailing lists, wikis, calendars, etc. -- can use this group, role, and permission information to make authorization decisions.
  • Single Point of Control When using Grouper, once a person is added or removed from a group, the group-related privileges are automatically updated in all of your collaborative applications. Grouper allows efficient management of the membership roster at a single point.
  • Who Can Use Grouper? Anyone needing to manage group access to resources can use Grouper -- from accountants to zoologists. A researcher might create a group and enable members to participate on an email list or view a web site. Students might use Grouper to set up and manage groups for similar applications as they work together on shared projects and class work. Your IT staff can delegate group management and enable those leading collaborations to set up and manage their own groups.

Project Context

Partnering with the Internet2 Middleware Initiative since 1998, MACE consists of a group of U.S. and international higher-education IT architects. The group was formed to investigate the creation of a national interoperable identity and access management infrastructure for the U.S. research and education community that would fit into a global context. To do this, MACE developed an interoperable identity and access management architecture model and worked to provide functionality important to higher education but missing from the marketplace or open source offerings. Grouper was developed from this effort.

Acknowledgements

The Grouper Project has received funding and development resources from

  • Internet2
  • National Science Foundation (NSF) Grant No. OCI-0330626, OCI-0721896, and OCI-1032468
  • Joint Information Systems Committee (JISC) (UK)
  • University of Chicago, University of Pennsylvania, Duke University, University of Washington, University of Memphis, University of Bristol (UK)
features

Grouper Features


  • Lower cost & time to deliver new services
  • Simplify management by using the same group or role in many places and automating changes to access privileges as a person’s roles change
  • Empower the right people to manage access, taking central IT out of the loop
  • Increase transparency and auditability - see who can access what with a report rather than a fire drill
  • Grouper integrates with almost any existing access management infrastructure
  • Supportive community of Grouper users worldwide  See deployment stories and resources shared on the Grouper wiki.
  • Online Library of Grouper Training Videos available on the wiki.
  • New for Grouper 2.2: Much improved user interface!
fees

Grouper is open-source software licensed under the Apache 2.0 license. See http://www.apache.org/licenses/LICENSE-2.0.html for a copy of this license.

faq

Where can I find Grouper Training?

Grouper Online Training Videos are available here.

Why should I use groups in my IAM infrastructure?

Using groups in the identity and access management infrastructure adds important contextual information about an individual's formal and informal affiliations with the institution. For instance, separate applications may use groups to track each individual's role(s). If an individual is in a particular group, the person is authorized to access the resource.

What problems does Grouper solve?

Without a group management tool, implementation of groups is managed separately for each service. Keeping the membership roster consistent across multiple applications becomes very difficult and inconsistencies are the rule. If a member leaves a project, for example, the group's email list, wiki space, calendar, research database, and other shared resources need to be updated separately. Grouper solves this problem by centralizing group information in one place.

Who manages all of these groups?

With Grouper, individuals across campus manage the memberships of the groups they steward. Grouper keeps the group membership decisions in the hands of the business/group owners, access control in the hands of the application owners, and the technology management in the hands of the technologists. Schools, departments and even project leads and students can use an institutionally-tailored interface to manage their groups using plain language they understand.

Where can I see a diagram explaining Grouper?

A Grouper Architectural Diagram and a High Level Concepts diagram are available here.

Who are the Grouper developers?

Where can I find the answer to technical questions?

A good place to start is the Grouper wiki.

Where can I see Grouper case studies?

In the Internet2 Case Studies section of the website.

How do I get on the Grouper-Users email list?

Instructions are found here.

How does Grouper enhance collaboration?

In Grouper, a researcher might create a "my-research-project" group and enable the members to participate on an email list, calendar group, web site, and so on. Alternatively, students could use Grouper to set up and manage "my-business-course-cohorts" to enable similar collaborative applications. The software enables group management on an individual level and empowers people to use more secure, robust, and responsive methods to control access to their resources.

How does Grouper help the IT staff?

After integrating Grouper with your identity management system, you will have a way to manage the membership of roles and other functions that individuals have with the institution. Further, automatic change or revocation of service can be accomplished based on group membership changes. Removing IT from the middle of managing groups will help ease your helpdesk headaches, as well. As more and more systems use Grouper, the benefits accrue and become more valuable.

What do I need to have in place?

To implement Grouper, you need to have:

  • an institutional identity management system and a model for how privilege management fits in.
  • a good relationship with key stakeholders across campus to develop the policy and business rules associated with groups and related authority issues.
  • the resources to implement and support the model.

Where can I find more information about identity management?

To get started with identity management infrastructures, refer to Internet2's NSF-funded project, NMI-EDIT, which offers roadmaps, practice papers, articles, and other tools to get you going.
Downloads

To download Grouper, or to see the Grouper demo, visit the Grouper Download page on the Grouper wiki.