By Chris Hyzer, University of Pennsylvania
Grouper, the access management component of the InCommon Trusted Access Platform, is continuing to evolve to meet the community’s needs. For many years, Grouper has been providing group and access management solutions for a broad and enthusiastic user community.
Recently the Grouper development team has enhanced Grouper with a variety of features that the community requested, including Grouper Visualization, electronic workflow forms, and now Grouper Reporting.
Grouper Reporting was designed to be highly flexible and meet a variety of use cases, including:
- See who has access across various groups or in an application folder
- Get reports in a spreadsheet so you can slice and dice
- See who in a service is a candidate for deprovisioning
- See who has not opted in to a service that you would like people to opt in to, e.g. a gradual multifactor authentication (MFA) rollout
- See who has access to a service to reduce licensing costs
Grouper can generate reports on a schedule, with users notified by email when a report is ready to view. A user just clicks a link in the email to securely download the report.
At the University of Pennsylvania, we have a team of 100 people working on a large project. We use Grouper to manage the application security and the collaboration tools access on the project. Usually this works well. One place it doesn’t is when a contractor’s affiliation term ends (though they are still working), and the Business Analyst (BA) does not extend their affiliation in time. They lose access to Box, Confluence, Jira, Project Management software, email list, VPN, and all the environments of the application. Oops.
Also if someone ignores emails from the Learning Management System and does not take the required yearly FERPA training, they also lose access. Also if they are not enrolled in MFA. When any of these happen, the project admin puts them in a “reprieve” group which automatically assigns a 1 week expiration of the reprieve. This gives them time to get their BA to fix their affiliation or take the required training or enroll in MFA. It would be nice if this situation did not arise.
Initially we created a Grouper Loader job to load people into a group whose affiliation will expire in the next month, or people whose training will expire in the next month, or who are not in MFA, and the project admin can check that and follow up. We configured weekly attestation reminders on that group so that the project admin would be reminded to check it. But it was not enough. Seeing a list of people who are about to have a problem was a process that could be improved.
Using the new Grouper Reporting capabilities, we have now created a Grouper report on the list of people about to have problems. This report has the person id, net ID, name, department, title, email address, phone number, primary affiliation, list of all affiliations, primary affiliation end date, if in MFA, if completed security training, if completed privacy training, if completed FERPA training, FERPA training expire date. In order to make this happen, all the data needs to be in one database (either in a shared database or after ETL), or needs database links to join to the data warehouse or another database. This report link is now emailed to the project admin weekly. Now it is known what problem will occur, and the admin can decide if it is expected.
Some other reports we are using at Penn include:
- Report to schools so they can see who is enrolled in MFA, if they use Duo push, etc. Another report for the MFA service owner about who is enrolled at Penn overall.
- Report to schools about who has a license for Office 365, and whose license is about to expire
- Report to the IT HR department about who does not have a job in the IT department but has memberships or privileges in the IT department Grouper folder
See the example here:
Report files can be stored on a shared file system or in AWS S3. For more information see the Grouper Reporting Documentation. In Grouper v2.5 we will allow reports to be stored in the database to make things easier.
We encourage you to try out the new Grouper Reporting features and provide feedback on the Grouper-users list. (To join that list, see instructions here.) Grouper Reporting is available in the latest Docker container download of Grouper.
Curious about the next items on the Grouper Roadmap? We are pleased to announce that in the coming months we will release Grouper v2.5.
Grouper is the open source enterprise access management system that’s part of the InCommon Trusted Access Platform. Over the past few years, the community has watched Grouper gain many new capabilities, including the advent of the containerized packaging using Docker. The number of institutions relying on Grouper has grown, as evident from the numerous campus case studies available on the community contributions page.