Grouper Deprovisioning, or Cleaning Out My Closet

Estimated reading time: 9 minutes

By Chris Hyzer, University of Pennsylvania

As a bit of a hoarder, I am not inclined to write this blog. But as someone who wants access to be correct, and who loves Eminem, I will do it anyway.

How does clutter that requires cleaning out your closet happen in the access management realm? When people need  access to protected resources to do their work, they open a ticket, and an administrator grants their request. When someone leaves, and there is no deprovisioning automation, sometimes those access assignments start filling up the closet. At my home institution, we have reviewed access of such systems, and sometimes 5% of the access is invalid due to job changes, and sometimes 20% of the access is invalid due to lost affiliations.

Note: There are some AI songs/videos to accompany this blog, one song for each paragraph. Song 1 – Intro (1:29)

Some systems have eligibility requirements to sign in. This blocks invalid access by people no longer at the institution but does not remove the underlying assignments. For example, if ex-employees with old access get hired at the institution again in a different position, they will wrongly regain their stale entitlements. What is really needed here is deprovisioning. Blocking invalid users is a useful tool, but it is not deprovisioning. Deprovisioning is removing role assignments and permissions in a service. Losing VPN access is not deprovision for an underlying system. While we are at it, composite group intersections and subtractions are not deprovisioning either.  Composites calculate memberships from groups to block access, but they do not remove invalid memberships from groups.

Song 2 – Blocking is not deprovisioning (1:40)

Grouper Deprovisioning Approaches

Luckily, Grouper, which is a component of InCommon’s Trusted Access Platform, offers several deprovisioning approaches designed to address the community’s needs. 

Attestation. A longstanding Grouper Deprovisioning feature is attestation. Attestation means managers of manual groups get a periodic email reminder to review the members of the groups. Attestation can apply to items other than manual groups (e.g. a report). It is well known that group managers frequently filter these emails to spam, ignore the emails, or click the “attested” button without reviewing the members. Some people might not collaborate with email anymore (slack me do not email me). There have been suggestions to improve this process, e.g. “attestation with teeth” where unattested groups are temporarily disabled.

Song 3 – Attestation (1:41)

USDU. Your subject source can help with deprovisioning if you only have active community members in the source. Grouper Universal Subject Daemon Utility (USDU)) will remove all memberships, privileges, and permissions for unresolvable subjects after a configured grace period. This is a very useful function, though there are thorns on that design: 

• How do you define who is eligible for access?  
• At what point do users become deprovisionable? 
• Do ex-employees collect vacation benefits? 
• Do retired employees or alums have access to anything? 
• Are systems allowed to have grace periods? 

Ouch, put your birding gloves on to go down that path (50% of institutions are on each side of that religious debate. Guess which side I am on?).

Song 4 – Subject source (1:28)

Grouper rules help with deprovisioning. You can perform actions on manual memberships when certain events happen: a user leaves the institution, switches departments, or has other lifecycle changes. The resulting action can be a membership removal, an end date applied to the membership (grace period), the group manager can get a notification to review the membership, or the user can get a notification. In the past there were some speed bumps with rules, which were assigned with raw attributes, and Grouper administrators had to set them up. They were not delegated to end users. In V5 there is a user interface with rule patterns and delegation to end users to mitigate those issues. (There is a rules blog which I’m sure you have already read.) Adding memberships with end dates or having end dates automatically added on certain groups helps with deprovisioning too.

Song 5 – Rules (1:12)

Membership eligibility requirements were the first pass at a future where Grouper rules (or similar higher level concepts) can be easily applied to groups, folders, and memberships. A coarse-grained requirement can veto invalid additions and automatically remove people who no longer satisfy the requirements. This wiki (and this one from Bert at Georgia Tech) shows some ideas for the future. Grouper is great at assigning new access; once we implement some of these ideas, it will take the closet cleaning to the next level. Configuring and capturing lifecycle events for Grouper users will help automate deprovisioning and enable access reports to highlight suspect access.

Song 6 – Eligibility (1:45)

Fewer Manual Assignments. Deprovisioning is improved when there are fewer manual assignments. Having a vast library of basis and reference groups (as defined in the Grouper Deployment Guide) makes it more likely that one of those groups can be used instead of or in addition to manual assignments. Generally Grouper administrators configure basis and reference groups based on new requirements. So pay attention to what applications need and be ready to add more community groups. If you are considering adding a new list of groups, and you think most of them will never be used, you can load a subset of the full list and easily add more later. Some examples of these groups are: users in payroll orgs, supervisory orgs, affiliations per org. This Grouper Shell {GSH) template will help identify which of these groups are potential candidates to replace some manual memberships.

Song 7 – Reference groups (1:35)

Deprovisioning is a different concept than provisioning, but having access automatically provisioned from Grouper will facilitate automatic deprovisioning. Provisioning automates the data flow. Deprovisioning makes sure unnecessary access is removed. As access management in institutions becomes more mature, deprovisioning will be more top of mind for application administrators. Services which are externally audited probably have the best deprovisioning practices. Grouper supports the functions that they expect. Internal audits of service access would help if your organization can stomach it. Audit attestation would be good too to make sure service admins are doing their chores!

Song 8 – Auditing (1:28)

Everything we have discussed assumes systems which need deprovisioning are integrated with Grouper somehow. If a system is not provisioned from Grouper, and that is not an option, then maybe there is an easy way to still leverage Grouper to help. If you can periodically export a user list manually and import into Grouper, you can get a report on the user list to see who should be considered for deprovisioning. Sometimes these systems have accounts based on email address, which makes matching identities more difficult. You might need to leverage GSH templates to do the logic of generating the report. There are examples on the wiki. Then you have a central repository of access even for disconnected systems. The service owner can still get notifications when their users leave the institution or switch jobs. Just because Grouper is not the system of record does not mean it cannot help you . A handy summary of Grouper deprovisioning is here. Good luck to all of us in keeping our closets free of clutter! 

Song 9 – Disconnected systems (2:01)

Grouper is an enterprise group and access management system that simplifies access management by letting you use the same group or role in many places in your organization. Grouper is part of the InCommon Trusted Access Platform, an identity and access management suite of software designed to integrate with existing systems. Our roadmap is based on community input. Grouper, the access management component of the InCommon Trusted Access Platform, evolves to meet the community’s needs.