By Chris Hyzer, University of Pennsylvania, and Grouper Lead at Internet2
Estimated reading time: 8 minutes
As an “old school” recreational rapper, I enjoy using AI tools to quickly produce nerdy songs for presentations. I would not be able to orchestrate this music in a reasonable amount of time on my own, and AI would not be able to make Grouper specific songs “without me.” Together we are a force multiplier, which is an analogy for using AI in more useful Grouper areas. Before I saw (heard) AI make a decent song that didn’t exist before, I would not have believed it was possible. When thinking about what AI can do for Grouper, let’s be very open minded about the possibilities.
What should our attitude be about AI? We commonly hear, “Is that job going to be replaced by AI?” We should instead focus on, “Can that job use AI to become more productive?” Or, “Can AI help people solve issues ‘by themselves’ without needing a ticket or incommon-grouper Slack message?” Given the current industry momentum, the Grouper product could integrate with AI in many ways.
Developers, administrators, and users of Grouper will be better positioned if we can all embrace the direction and leverage the power. It will especially help people who can benefit from hints and do not want to do menial tasks. We need to be able to confidently review suggestions and identify hallucinations (misleading outputs). If there are best practices for “vibing” with Grouper/AI we need to centralize and share that knowledge. To that end, we recently started a brand new “incommon-grouper-ai” Slack channel. If you’re interested in joining the discussion, email help@incommon.org and ask to be added.
In the meantime, I’ve rewritten this blog a few times. It was too verbose, and now I’ve distilled it down to a couple of examples. (The other ideas are in the wiki.) I am sharing these two examples or opportunities to jumpstart our thinking about how Grouper and AI intersect.
Opportunity #1: Instructions for How to Do Something in an Institution’s Grouper
There are docs on how to do things in Grouper, and institutions have docs about how to do things in their environment. Sometimes end users have trouble distilling all of that information to figure out how to do a task.
Without AI, users would:
- Look at institution-specific docs (if they can find them).
- Read the docs and spend time understanding them.
- Google how to do things in Grouper.
- Maybe open a ticket when they get confused.
Here is a demo of an interaction from a power user using Grouper with AI. Full demo explanation here.
A trained AI tool, like an OpenAI GPT/assistant or a Copilot agent, can use a common/standard training file that can be crowd-sourced and provided by the Grouper project. This AI tool runs in the institution’s AI vendor. The institution adds its institution-specific training file that has information about how certain apps are structured in Grouper. When a user interacts with this tool, the training files give AI the knowledge it needs to help the user. This is a force multiplier since you can use a relatively minimal training file, and AI will connect the dots and be able to respond to natural language questions in impressive ways.
In this simple example, the Grouper training file outlines:
- How to add and remove a user from a group
- How to navigate to a group and folder at the institution
The institution training file outlines:
- The base URL for Grouper
- How delegated includes and excludes work for Mathematica
- The paths for application includes and excludes for each school in the university
This AI tool could run in the AI platform user interface (UI) or could be called from the Grouper UI via Grouper Web Services. How would Grouper support all the various AI platforms that institutions prefer? Grouper would be able to connect to some AI gateways that connect to all the various AI vendors. Grouper would also have a pluggable interface if institutions want a non-gateway option.
Opportunity #2: Integrators Wanting to Know How to Call Grouper Web Services for a Certain Need
You can think of Grouper Web Services as a Domain Specific Language (DSL) just like Grouper Shell (GSH) scripts, Attribute Based Access Control (ABAC) scripts, etc. If we programmatically create a training file from the existing Web Service examples and documentation, then AI will be able to help integrators call Grouper Web Services.
Without AI, users would:
- Look at Grouper Web Services documentation, including elements like timestamp format.
- Read the docs and spend time understanding them.
- Try certain things, sometimes unsuccessfully.
- Open a ticket with their institution.
- Experiment with calls (the Grouper admin).
- Post on the incommon-grouper Slack channel.
- Spend time experimenting (Grouper developers).
Here is a demo of an interaction with AI. Full demo explanation here.
It is offering a curl example, let’s try it:
When AI fails, it can be frustrating, but when it is correct, it is mind-blowing. I tried this output against our Grouper web service endpoint, and it is correct.
In this case the Grouper training file outlines:
- How to add a user to a group (does not include the end date)
- The Swagger Grouper Web Services definition
The institution training file outlines:
- The base URL for Grouper Web Services
- Instructions like when looking up people use the “pennperson” subject source
AI takes the input and produces the correct institution-specific result with no wading through docs, no tickets, and no bothering busy Grouper developers.
Why is this blog so long? Because as you start playing with AI, you think of many other things to do. What if we ask AI to fix a web services call? You can imagine a flag in a web services request to tell Grouper to give a suggestion to fix a call. Grouper sees an exception and sends the request to AI via web service asking for a fix. Grouper Web Services responds to the original client with an error and AI advice.
Next Steps
Join the discussion. Email help@incommon.org and ask to be added to the brand new “incommon-grouper-ai” Slack channel.
In this new Slack channel, let’s think about common challenges with Grouper and brainstorm how AI can help address them. We are in the early days of Grouper/AI and are open to all ideas. Let’s do our own experiments with GSH templates that use AI and share lessons learned. Help us prioritize what to focus on first.
Start preparing to integrate Grouper with AI at your institution. Discuss AI vendors and architectures in the incommon-grouper-ai Slack channel. Perhaps we will recommend a default free Large Language Model (LLM) container if an institution does not have or want to use a vendor which charges per token. Let’s discuss the architecture, have sensible defaults, and make AI optional but recommended.
As a product that is used by many institutions, this is a generic effort that cannot be tied into a specific AI vendor. In fact, the AI market share is not established yet, so being generic will help us adjust as things solidify. The early adopters will have a say in which vendors or Large Language Model proxies are supported.
Is AI ready for Grouper? If not, having the integrations and training files will position Grouper to be ready as AI rapidly improves.
Should we be scared or excited? Scared people will get left behind. Excited people will integrate their Grouper with more systems, reduce tickets, be more productive, and get kudos from pointy haired bosses, who like to hear “AI” in status reports. I’m excited.
Want more details on how this all works? Check out these additional resources:
- Presentation on ABAC including an AI example
- Demo of using AI to write a GSH script
- How to write GSH with AI (with examples)
What are other ways that we use AI along with Grouper to provide big benefits? We are only beginning to discover. Hopefully more ideas will be shared at Internet2 Technology Exchange in Denver, December 8-12, 2025. But by then, Grouper will already be AI enabled in several ways.
About Grouper
Grouper is an enterprise group and access management system that simplifies access management by letting you use the same group or role in many places in your organization. Grouper is part of the InCommon Trusted Access Platform, an identity and access management suite of software designed to integrate with existing systems. Our roadmap is based on community input. Grouper, the access management component of the InCommon Trusted Access Platform, evolves to meet the community’s needs.