Manually managed (ad-hoc) groups in Grouper can be configured to require periodic membership review. This process is called Attestation.
Resources
How-Tos
Grouper allows you to use two existing groups to define a third group. The two groups are referred to as the First Factor Group and the Second Factor Group.
A group is a collection of entities: either people or other groups.
There are two relationships within a group: Direct Member and Indirect Member.
Privileges can imply other privileges, meaning that some privileges are supersets of other privileges. As an example, If you have ADMIN privileges on a folder, you can CREATE objects in that folder.
You can add a group as a member of another group. When a group is added as member, the group is a direct member and the members of that group are indirect members.
Select My Groups in the Quick Links in the left navigation.
Select the group to add a member.
Select the +Add Members button in the top right.
Grouper privileges are assigned to subjects or entities and allow a subject to do something in Grouper. Subjects are people and entities can be people or groups.
If Attestation is configured for a group, and the number of days to recertify has passed, then all group admins and updaters will receive an email with a link to the group.
Before continuing to the attestation configuration step for your ad-hoc (manually managed) Grouper group you should first review the following guidelines for the frequency of which Attestation should occur.
Grouper allows you to leverage a centralized University of Minnesota access management strategy for institutional roles, access control lists for applications, email distribution lists, etc.
Gro
When copying a group, the copy group form will have the old Group Name and Group ID populated in the fields. These must be changed.
Create a Group
Select the More Actions button in the top right.
You can create subfolders in your managed folder to further organize your groups.
Groups organize membership. Group names should be descriptive and indicative of the group function, membership, and/or how it's being used within the application.
Attestation can be created for a group or folder. The steps are the same.
Folders can be deleted. When deleting, there is an option to:
Deleting a group is an action that cannot be undone. Verify that the group should be deleted before choosing the action
Select My Groups in the Quick Links in the left navigation.
Select the group from the table.
For large groups, use the filter at the top to easily find members.
For assistance with Grouper, please contact Technology Help. They will open a ticket with Identity Access Management.
The Admin privilege gives the ability to create groups, attributes, and subfolders in this folder, delete this folder, or assign any privilege to any entity.
The Admin privilege gives the ability to modify the membership of this group, delete the group or assign privileges for the group. The admin does not need to be a member of the group.
Grouper works by connecting the data derived from the system of record into groups. These groups are then applied as policy groups that are consumed by the application.
There are two methods to import a list of members into a group
The attestation will notify admins when the recertify time has expired. See the article Create or Edit an Attestation.
Navigate to the group or folder that you want to work with.
Select the Privileges tab.
Identify the entity (subject or group) that you want to work with, and then do one of the followi
You can move folders in your managed folder to any other folder that you have access to. Moving a folder will not affect any sub-folders: they will remain sub-folders.
Groups can be moved to any folder that you have access to.
There are several ways to navigate to a folder.
To request a new application be added to Grouper, or to change the maintenance of an applications access to Grouper, use the TDX form: http://z.umn.edu/grouper
A group admin might want to delegate the management of membership to another person. A Group Memberships Manager allows for a person to see the members of a group and add or remove any members.
Groups are made up of entities. An entity is either a person, or another group. Adding an entity to a group will make the entity a member.
The visualization tool in Grouper can help you make sense of how a composite group works and how the users are being funneled to the access policy group.
There are several ways to navigate to a group page.
All attestation actions are logged in the Audit Log. The Attestation Audit Log can be accessed from the Group's Attestation page.
Grouper is an open-source delegated group management tool from the Internet2 Consortium that is used for Access Management and Governance in institutions of higher education.
Self-Help Guides
Grouper provides the University of Minnesota departments an easy way to centrally manage access to different data and applications.