By Chris Hyzer, University of Pennsylvania and Grouper Lead at Internet2
In the identity management world, we get a thrill from new approaches that transform previously cumbersome processes. Before Attribute-Based Access Control (ABAC), Grouper would load groups with structured query language (SQL) queries and lightweight directory access protocol (LDAP) filters (also known as “loader jobs”). Over the years, many institutions have asked for dynamic groups “based on rows of data without negative performance implications” and “delegated management of loaders.” Grouper has had these features for more than a year, and your institution’s large lists of loader jobs can be upgraded to ABAC.
The benefits and efficiencies of using ABAC are numerous. “University of Michigan has created almost 100 ABAC groups that we had no way to make before,” according to Gail Lift, application developer lead at the university. “These groups are used, for example, in door access and Okta realms. ABAC manages large groups in near real-time.”
Read on to learn more about the benefits of making the transition from loaders to ABAC in Grouper.
Managing Loads of Loaders
Each Grouper loader job has a schedule, runs a query to get data from a data source, has potential real-time configuration, and is only manageable by Grouper admins. For loaders that handle multiple groups, a high percentage of those groups might be unused since they are generated “just-in-case.” If the user who requested the loader (for example, an administrator requesting a list of all law school alums) needs to troubleshoot the results, that requires a ticket to the Grouper operators. At Penn we add one or two loader jobs per month on average and currently have 467 loader jobs.

Understanding a Vision for the Future
We will always have loaders. As with Doc Brown’s quote “Where we’re going, we don’t need roads,” there are probably still some roads in the future. ABAC is not a complete replacement. Loaders are needed for “list of groups” or data which are not modeled in ABAC data fields.

Using AI to Help with the Transition
As often happens these days, it turns out that AI can help smooth the way. At Penn we have an ABAC data dictionary (ABAC documentation generated in the Grouper user interface), and dozens of ABAC script examples are included in the data configuration of a custom GPT. The query from the loader job can be translated to an ABAC script using AI.

The query might look familiar in that it resembles gibberish. AI is not perfect at translating queries, but using it does save some time by providing a good starting point from which to iterate.

Making Easy Replacements
An easy loader replacement to ABAC is one where the required information already exists in ABAC data fields (ABAC attributes are referred to as “data fields”). A good way to start is to look over existing loader jobs by clicking Miscellaneous -> Loader jobs and find a “simple” job. Ask AI to translate the query to an ABAC script. Ask AI which data fields are missing if they cannot be translated. If the membership counts match up (or if they do not and it is determined to be an improvement), then you have just converted a loader to an ABAC scripted group.
Modeling person data into ABAC starts with an “as needed” strategy. As loader jobs are converted to ABAC, more and more data is represented in ABAC. Initially there will be more work adding data fields and rows, but eventually it should be an uncommon occurrence.
Managing a List of Groups
Loaders can manage a list of groups in addition to one specific group. As of November 2025, ABAC is a script for one specific group. Currently, to replace a loader that manages a list of groups, the managed groups can be queried to determine which policies use them.
Once all those policies are converted to ABAC (pointing to data fields and rows and not basis/reference groups), then the list of groups loader job can be decommissioned. At Penn, we will focus first on converting “simple” loader jobs that manage a single group.
Adding Data Fields or Rows
An advantage of loaders over ABAC is that each loader job is independent from all other loader jobs. With ABAC, data flows into data fields and then populates groups. So as you adjust your data fields and rows for new requirements, you need to be very careful that you are not introducing a bug into an existing ABAC group.
Grouper is an authorization platform and can be used to quickly address this risk, since we must be as agile with ABAC as we were with loaders. There is a GSH template (a one-pager UI backed by a script) that validates that ABAC changes do not cause bugs for existing ABAC groups.
For the “law alum” loader migration to ABAC, the number of affiliation rows needs to increase since inactive student degree pursuals are needed. We see in the output of this GSH template (shown below) that the rows of the ABAC have increased, but the existing affiliation ABAC groups have not changed their counts.
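The regression risk described above can be modeled in a few lines. This is an added example, not Grouper's GSH template or ABAC script syntax: the rows, policy names and predicate form are constructed assumptions, and it goes beyond a count comparison by diffing the membership of each existing group before and after the row change.

```python
# Constructed model of an ABAC regression check; not Grouper's API or script syntax.
from collections import defaultdict, namedtuple

Row = namedtuple("Row", "subject school role active")

# Affiliation rows before the change (all values constructed).
ROWS_BEFORE = [
    Row("u1", "LAW", "student", True),
    Row("u2", "LAW", "staff", True),
    Row("u3", "MED", "student", True),
]
# New requirement: also load inactive student degree rows (needed for "law alum").
ROWS_AFTER = ROWS_BEFORE + [
    Row("u4", "LAW", "student", False),
    Row("u5", "MED", "student", False),
]

# Hypothetical existing policies: a subject is a member if any of their rows matches.
POLICIES = {
    "law_active_students": lambda r: r.school == "LAW" and r.role == "student" and r.active,
    # Written when only active rows existed, so it never filtered on `active`.
    "med_students": lambda r: r.school == "MED" and r.role == "student",
    "law_staff": lambda r: r.school == "LAW" and r.role == "staff" and r.active,
}

def evaluate(rows, policies):
    """Return {group: set(subjects)} for every policy over the given rows."""
    members = defaultdict(set)
    for row in rows:
        for group, matches in policies.items():
            if matches(row):
                members[group].add(row.subject)
    return {g: members[g] for g in policies}

def regression_report(before, after, policies):
    """Per existing group: (added, removed) subjects caused by the row change."""
    old, new = evaluate(before, policies), evaluate(after, policies)
    return {g: (new[g] - old[g], old[g] - new[g]) for g in policies}

def changed_groups(report):
    """Groups whose membership changed at all, even if the count did not."""
    return sorted(g for g, (added, removed) in report.items() if added or removed)

if __name__ == "__main__":
    report = regression_report(ROWS_BEFORE, ROWS_AFTER, POLICIES)
    for group, (added, removed) in report.items():
        print(group, "added:", sorted(added), "removed:", sorted(removed))
    print("review before deploying:", changed_groups(report))
```

In this constructed data the new inactive rows silently add a subject to `med_students`, which is the kind of unintended access grant the validation step is meant to catch before the data change goes live.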

After working through this example for this blog, Penn now has only 466 loader jobs (one fewer). Thanks to the Grouper community, as always, for encouraging the development team to provide more efficient access management approaches and for your testing and feedback. You are invited to review the Grouper roadmap here.
Accessing More Resources
To learn more about Grouper and ABAC, check out:
- Wiki documentation
- University of Michigan’s 2023 presentation on Grouper and ABAC
- ABAC Q&A blog (2022)
Grouper at TechEX 2025
The Grouper team is excited for TechEX25 in Denver, Colo., held Dec. 8-12. We hope to see many members of the Grouper community, including you! Registration for TechEX25 is open.
If you’re not able to join us in Denver, another great way to increase your Grouper knowledge is to take advantage of our expanded Grouper Training options.
There are many lessons to learn with the new training material. The community has given the team a lot of advice over the years about Grouper training, and we have done our best to implement most of the ideas.
Now, it is your turn to make sure your identity and access management (IAM) department is managing access as efficiently and accurately as possible. Get further details on Grouper Training.
For those of you who are planning to be at TechEX25 (or still thinking about it), let me assure you that the lineup of Grouper-specific sessions is stellar. Check out this blog on what your colleagues are going to share.
For full session descriptions, check out the TechEX25 program and filter by the Identity & Access Management track.
About Grouper
Grouper is an enterprise access management platform that simplifies authorization by automating and delegating administration of groups and roles in your organization. Grouper is part of the InCommon Trusted Access Platform, an IAM suite of software designed to integrate with existing systems. Our roadmap is based on community input. Grouper, the access management component of the InCommon Trusted Access Platform, evolves to meet the community’s needs.
