Group Management at Brown James Cramton Brown University April 24, 2007


Group Management at Brown

James Cramton, Brown University

April 24, 2007


Starting Point: Brown Grouper

• 1990s: Brown Grouper developed to manage groups
• Base groups provisioned nightly from SIS & HR systems
• Administrator includes or excludes members
• Dated web interface is difficult to search and understand
• Slimmed down web interface used by instructors to manage course groups

• 11,700 groups in Brown Grouper
• 18,000 users in SunOne LDAP registry
• No groups in SunOne registry—yet
• 1,000 AD & Novell groups manually provisioned
• Managed by very few IT personnel who know the data

Background


Current uses of groups at Brown

• Web authorization
• Licensed software access
• .htaccess file ACLs on various websites

• Bulk Email
• Morning Mail daily email distribution
• Course email lists

• Application Provisioning
• WebCT

Group Usage


Anticipated uses of groups at Brown

• Current uses, plus…
• Network Access Control Lists
• Wiki groups (Confluence)
• Improved iTunes U provisioning
• Centralized management of Exchange/AD groups
• Novell eDirectory groups (file/print services)
• Guest, alum IDs and ACLs
• Shibboleth
• Video on demand
• Campus calendars
• Personal groups

Group Usage


Brown’s group schema

• 11,700 groups
• 10,400 are course groups for 2,600 courses
• 1,300 are demographic groups
• Schema is 4 levels deep

• Half the course groups are 2 levels deep
• The rest are 3 levels deep
• Half the demographic groups are 3 levels deep
• The rest are 4 levels deep

• Number and complexity of groups expected to increase as capabilities and utilization grow

Group Types


Top level group schema at Brown

• SIS (5,200 base groups)
• Admin & membership groups for each of 2,600 courses

• Courses (5,200 effective groups)
• Admin & membership groups for each of 2,600 courses

• Electronic Address Book (750 base groups)
• Provisioned demographic groups

• Community (502 effective groups)
• Modifiable effective groups for demographic groups
• Most of administrative overhead is here

• Service (10 administrative groups)
• Admin users for Bulk Mail, WebAuth, Grouper, etc.

Group Types


Course groups at Brown

• 2 base groups provisioned per course
• SIS.XY123S01
• SIS.Admin.XY123S01

• 2 effective groups maintained per course
• Course.XY123S01
• Course.Admin.XY123S01

• Expect to add subject and course number to schema
• Multiple groups per course

• Registrar’s official students, auditors, instructors
• Effective course list includes ‘vagabonds’ for email, courseware
• Currently maintained in local applications, not registry—for now

• Longer retention will increase number of groups
• Current practice retains only current term
• Expect to retain course groups in future for ongoing access

Group Types


Community group stems at Brown

• Employee (270 groups)
  • Payroll department
  • Social department
  • On campus or off campus
  • Full time or part time
  • Union or non-union

• Applicants (221 groups)
  • Degree
  • Major

• Students (84 groups)
  • Undergraduate department
  • UG Social year
  • Graduate department
  • Athletic teams

• Dorm (74 groups)
  • Facility designation
  • Social designations

• Affiliates (25 groups)
  • Visiting
  • Retired
  • Guest

• Registrar (8 groups)
  • Graduate
  • Medical
  • Undergraduate
  • Official graduating year
  • Gender

• 600 stems with fewer groups

Group Types


MACE Grouper migration

• Brown is evaluating MACE Grouper
• Currently loading 11,700 groups for performance testing

• 1st rev on dev server ran out of memory after 11 hours/2,000 groups
• Primary problem: adding groups to stem with many groups (courses)
• Adding subject & number containers to schema, deploying to QA box
• Will publish final metrics to [email protected]

• Major tasks include
• Provisioning changes to populate MACE Grouper from feeds
• Re-integration of 1,000 manually provisioned AD groups
• Provision groups into SunOne, AD, and Novell directories
• Provision groups into some applications
• MACE Grouper interface changes to suit Brown’s needs
• Disable application functionality that allows users to browse groups

MACE Grouper


Nested vs. flat group schema

• Delegation of management needs nested groups
• Applications generally don’t support nested LDAP groups, although some try in different ways
• Lowest common denominator is flat LDAP schema
• Use MACE Grouper’s LDAP connector to map nested MG group schema to a flat LDAP schema
• Use MG display name for LDAP group names

• Community Groups : Staff : Full Time Staff

• Significant limitation in schema browsing in apps
• How to browse 12,000 groups?
• Don’t want users to browse anyway; need to disable in apps

Schema Design
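
An added example, not from the original slides and not Brown's or MACE Grouper's code: one way to expand nested groups into the flat member lists a flat LDAP schema requires, applying administrator excludes after nesting is expanded and rejecting membership cycles. The group names follow the slides' course naming pattern; the members, the nesting between groups, and the `flatten` and `to_flat_entries` helpers are assumptions.

```python
# Added example: expand nested groups into flat member lists.
# Group names follow the slides' course naming pattern; the members, the
# nesting between groups and the include/exclude sets are constructed.
GROUPS = {
    # Base groups, as if provisioned nightly from the SIS feed.
    "SIS.XY123S01": {"members": {"stu1", "stu2", "stu3"}},
    "SIS.Admin.XY123S01": {"members": {"prof1"}},
    # Effective groups: nested groups plus administrator adjustments.
    "Course.Admin.XY123S01": {
        "subgroups": ["SIS.Admin.XY123S01"],
        "include": {"ta1"},
    },
    "Course.XY123S01": {
        "subgroups": ["SIS.XY123S01", "Course.Admin.XY123S01"],
        "include": {"vagabond1"},
        "exclude": {"stu3"},
    },
}


def flatten(name, groups, _path=()):
    """Return the effective member set of `name` with all nesting expanded."""
    if name in _path:
        raise ValueError("group cycle: " + " -> ".join(_path + (name,)))
    if name not in groups:
        raise KeyError(name)
    group = groups[name]
    members = set(group.get("members", ()))
    for sub in group.get("subgroups", ()):
        members |= flatten(sub, groups, _path + (name,))
    members |= group.get("include", set())
    # Excludes are applied last, so a nested group cannot re-add a member
    # the administrator removed from this group.
    return members - group.get("exclude", set())


def to_flat_entries(groups):
    """Map each group name to a sorted member list with no group-valued members."""
    return {name: sorted(flatten(name, groups)) for name in groups}


if __name__ == "__main__":
    for name, members in to_flat_entries(GROUPS).items():
        print(name, members)
```

Running the expansion before provisioning also surfaces cycles and dangling group references, which a flat directory cannot represent.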


Policy should lead practice

• Need to delegate management to data owners
• Delegation requires clear policy
• The need for policy easily recognized, but the challenge is finding an owner
• Analyst or director often defines de facto policy
• ‘Policies from practice’ are often sound, but poorly communicated across organization
• Adherence to informal policies is unlikely

Policy Issues


Concerns moving forward

• Functional differences between Brown Grouper & MACE Grouper
• Adjusting expectations
• Extending MACE Grouper

• Performance of MACE Grouper
• Deeply nested stem structure not previously tested
• Administration usage patterns unknown

• Merging manually provisioned AD groups into global groups
• Establishing and enforcing policy

• Naming conventions, stem structure
• Who has authority to request changes for whom

• Transition of ownership from IT staff to Helpdesk
• Learning new system
• Different administrator skill sets
• Loss of continuity

Moving Forward
