Grouper: Managing Groups With Grouper

This article covers how to create groups in Grouper and add/remove members to these groups. Grouper is a web-based tool for managing role-based access control policies. Instead of adding individual users to a large number of access groups, they can be assigned to a smaller number of representative role-based groups. These role groups can then be added to any number of policy groups, and the individual users will be populated via inheritance.


Access Grouper Web Interface

Log on to the Grouper main page. Access to the application will require 2 Factor Authentication.

Navigating folders and groups

There are a number of ways to navigate to folders and groups.

If you are unsure of the group or folder name, you can browse folders using the “Browse folders” widget on the left side. You will be able to see all folders on the system, but you won’t see any groups within the folders unless you have access to them. Once you have found the group or folder you are looking for, you can click its icon in the directory browser to open it.

If you know all or part of the name of the group, you can enter it in the Search field in the upper right corner. The search results will include users, folders, and groups in the same list. If needed, you can narrow the results to just groups or folders via the available “Filter for” drop down list.

The “My groups” link on the Quick Links on the left lists all the groups you can manage (the Groups I Manage tab) and the groups you are a member of (the My Memberships tab). The groups you can manage and your memberships are also available as widgets in the main area of the home page. The “My folders” link on the left lists all the folders you can manage (the Folders I Manage tab), and folders containing groups that you manage (the Folders with Groups I Manage tab).

When you are in the entry for a folder or group, there is an option in the More Actions menu on the right, Add to My Favorites. This will add the item to the list of bookmarked items in the My Favorites menu item in the Quick Links on the left side. To remove a favorite, go into the item and choose More Actions -> Remove from My Favorites.

Managing Memberships

Adding and removing members both take place from the main group page, although the actions are in different parts of the page. There is also a feature to import multiple members at once, and to export members to an Excel file.

Adding users

Records to add will always come from the UNC LDAP database. To add members one at a time, use the orange Add Members button in the upper right. In the form that appears, enter the user’s pid, onyen, or full name. While typing, a drop down list of potential matches may appear. If the target person is in this list, click on the option, or navigate to it using the cursor keys and then press tab to select it. If the entity was found, the field will convert to their full name. If no entity matches the search value, the field will show “the value entered is not valid”. Note that when searching by name, starting with the last name, adding a comma (“,”), then the first name will give results more quickly than starting with the first name.

If there is a problem finding the user this way, click the “search for an entity” link below the field. This search form allows broader search capability. The default search will be a full text search in LDAP where the search term matches pid, onyen, last name, or full name (as a single string). To search in a special “Last name, First name” format, enter the last name, a comma, then the first name. This is faster than a general search, and will also include results matching nicknames and alternate last names stored in LDAP. This search method is invoked whenever there is a comma in the search request. The wildcard character * can be used to search for partial names, and can be put anywhere within the search string. When combined with the “Last name, First name” syntax, it can search cases where the last name or first name isn’t exactly known. The wildcard can be used for generic full name search as well, but the search will be slower and will possibly time out. The search is not case-sensitive.

Search examples

Doe, John : search where last name (LDAP surname or uncPreferredSurname) is Doe, and the first name (LDAP givenName or eduPersonNickname) is John

  • Doe, John* : search where the last name is Doe, and the first name starts with “John”. This is sometimes needed when it’s unknown if the person’s LDAP entry includes multiple first names
  • Doe, J* : search where the last name is Doe, and the first initial is J
  • Doe, * : search where the last name is Doe
  • *, John : search where the first name is John
  • Thomas*Jones, David : search where the last name is “Thomas Jones” but possibly hyphenated
  • Smith, Kath*r*n* : search multiple spellings of Katherine, Kathryn, etc. Will also return results with Kate or Katie if that is their nickname in LDAP
  • doe : search where the onyen is doe, the last name is Doe, or the full name is Doe
  • John * Doe : search the full display name where John Doe may have a middle name included in the LDAP entry. Note that this will be much slower than a search for “Doe, John*” (and possibly time out), while usually returning the same results
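The search syntax in the examples above, modelled as an LDAP filter builder. This is an added illustration, not Grouper’s or UNC’s own code: the page names the surname, uncPreferredSurname, givenName and eduPersonNickname attributes, but not the pid, onyen and full-name attributes, so uncPID, uid and cn are assumed placeholders here. Filter metacharacters other than the page’s * wildcard are escaped so a search term cannot alter the filter’s structure.

```python
# Attributes named on the page for the "Last, First" form.
LAST_ATTRS = ("sn", "uncPreferredSurname")
FIRST_ATTRS = ("givenName", "eduPersonNickname")
# Generic form matches pid, onyen, last name or full name; the pid/onyen/full
# name attribute names are assumptions (the page does not state them).
GENERIC_ATTRS = ("uncPID", "uid", "sn", "cn")


def escape_value(value: str) -> str:
    """Escape LDAP filter metacharacters (RFC 4515) but keep '*' as the wildcard."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "()\\\x00" else ch
        for ch in value
    )


def any_of(attrs, value: str) -> str:
    """OR the same (already escaped) value across several attributes."""
    v = escape_value(value)
    return "(|" + "".join(f"({a}={v})" for a in attrs) + ")"


def build_filter(term: str) -> str:
    """Turn a search string into an LDAP filter following the page's rules.

    A comma selects the "Last name, First name" form; a part that is only
    wildcards (e.g. "Doe, *" or "*, John") imposes no constraint on that side.
    Matching is case-insensitive because these attributes use caseIgnore rules.
    """
    term = term.strip()
    if "," in term:
        last, first = (p.strip() for p in term.split(",", 1))
        clauses = []
        if last.strip("*"):
            clauses.append(any_of(LAST_ATTRS, last))
        if first.strip("*"):
            clauses.append(any_of(FIRST_ATTRS, first))
        if not clauses:
            raise ValueError("at least one of last/first name must not be a bare wildcard")
        return clauses[0] if len(clauses) == 1 else "(&" + "".join(clauses) + ")"
    if not term.strip("*"):
        raise ValueError("a bare wildcard would match the whole directory")
    # Generic full-text form: slower with wildcards, as the page warns.
    return any_of(GENERIC_ATTRS, term)


if __name__ == "__main__":
    for example in ("Doe, John*", "Doe, *", "*, John", "Smith, Kath*r*n*", "doe"):
        print(f"{example!r:22} -> {build_filter(example)}")
```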

Normal users will have a person icon next to their name in the results. If “(onyen)” does not appear after the name, the onyen is missing from their LDAP entry, likely because it is an old record. Users with a red X through their icon are marked inactive in LDAP, meaning that they don’t have a current affiliation with UNC. Other, non-person, entries may sometimes appear in the results, but these are usually not the kind of record you want to add.

Adding multiple users in a batch

If you need to add more than a few users to a group, a faster method may be to batch add them. Instead of the orange Add Members button, open the More Actions menu just below it. Then select the Import Members option. Under “How to add members”, you can select either to copy/paste a list of member IDs, or to import a file. Copying and pasting a list is adequate in most cases. Choose the Copy/paste radio button, then paste pids and/or onyens in the text area below it, one per line. To ensure that non-system entities are found, choose the data source “Person source (person)” from the drop down list. When you click on Validate Entities, the list will be matched to LDAP records and then displayed with their user icons. Any invalid values will be listed in a red area at the top of the page, reading “Error: entity ids or identifiers not found: …” If the result looks ok, click the orange Add Members button at the bottom. If not, re-select the “Copy/paste a list of member IDs” option, and the list will revert back to your original text.

Adding groups as members

The procedure for adding a group as a member of another group is the same as for adding a single member. First, click on the orange Add Members button. The search bar appears, but will only accept the full path name for the group. If it’s not fully known, you can click on the “search for an entity” link to do a general search. Choose data source “Grouper: Grouper Source Adapter”, then enter at least two letters of the name. If the name is found, click on it to populate the original search field. Then click the orange Add button to add the group.

After adding the group, note that the membership list below will now include the added group, and will also list members of that group with membership type “Indirect”. To filter out these indirect members, change the filter from “all members” to “has direct membership” and click Apply Filter.

Removing users

The member list is in the lower half of the group window, and by default combines both direct assignments and indirect membership inherited via a subgroup. Only direct members can be readily removed from a group; to remove indirect members you will need to have the membership in the subgroup changed. To remove one or more direct members, check the checkbox by their name(s), then click Remove Selected Members above the list. To check all direct member checkboxes at once, check the box next to the Entity Name heading at the top. To narrow down the list, you can filter for “Has direct membership”, or you can enter the pid, onyen, or partial name to shorten the list to matching members.

“Group math” and attested groups

“Group math” groups are a way to structure groups so that users are quickly removed once they leave the department. An original list of users is not used directly in an access policy; rather, it is used as a source list that gets filtered against specific departments. Users in the source group but not in the department group will be filtered out. Since the department groups are updated every 2 hours, users who leave their position will be removed from the policy group in a timely manner. Administrators should also keep the source list current and accurate, but this provides an additional mechanism.

After merging the sources with the filter groups, an additional step will remove any users in a list from the Security Office. This is a small list generally used for emergency mitigation. The result of all these steps will be in the Authorized group. This final list of users will be published to LDAP or AD, depending on the application’s needs.
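The group math described in the two paragraphs above, worked through as an added example (not Grouper’s code or any real UNC groups): a source group that includes a nested role group is intersected with a department filter group, then the Security Office list is subtracted to give the Authorized membership. The group names and people below are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Group:
    """A group whose direct members are person ids or the names of other groups."""
    name: str
    direct: Set[str] = field(default_factory=set)


def flatten(groups: Dict[str, Group], name: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Effective person membership: direct members plus those inherited through
    nested groups (what the UI labels 'Indirect'). 'seen' guards against cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    people: Set[str] = set()
    for member in groups[name].direct:
        if member in groups:
            people |= flatten(groups, member, seen)
        else:
            people.add(member)
    return people


def membership_type(groups: Dict[str, Group], name: str, person: str) -> Optional[str]:
    """'Direct', 'Indirect' or None, mirroring the membership filter on the group page."""
    if person in groups[name].direct:
        return "Direct"
    return "Indirect" if person in flatten(groups, name) else None


def authorized(groups: Dict[str, Group], source: str, department: str, deny: str) -> Set[str]:
    """Group math: keep source members still present in the department filter
    group (refreshed every 2 hours), then remove anyone on the Security Office list."""
    return (flatten(groups, source) & flatten(groups, department)) - flatten(groups, deny)


# Constructed sample data: bob has left the department, erin was never in it,
# carol is on the Security Office list, dave is a member only via a role group.
GROUPS = {
    "app:allow-sources": Group("app:allow-sources", {"alice", "bob", "carol", "role:analysts"}),
    "role:analysts": Group("role:analysts", {"dave", "erin"}),
    "dept:it": Group("dept:it", {"alice", "carol", "dave", "frank"}),
    "iso:deny": Group("iso:deny", {"carol"}),
}

if __name__ == "__main__":
    print(sorted(authorized(GROUPS, "app:allow-sources", "dept:it", "iso:deny")))
```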

Most of these configurations will be set up as “attested” groups. This means that the administrators of certain groups — the Allow Sources and the Admin group itself — will receive an email every 6 months, reminding them to check the membership of groups they can edit. If the membership looks ok (before or after editing), there will be a button on the page, which will log the date the membership was confirmed.

Adding privileges

If you have administrative access to a group, you can assign various privileges to other users or groups for the current group. If you see a Privileges tab next to the Members tab, then you have this option. Adding privileges to a group will indirectly give the same privilege to all members of the group.

Adding privileges is similar to adding a single user. First, select the Privileges tab instead of the Members tab. Then, click the orange Add Members button. In the search field, you can enter a pid, onyen, or full path to a group. If you don’t know the exact ID, click “search for an entity” for a full search. Choose as the data source either “person source (person)” or “Grouper: Group Source Adapter” to narrow down the search results. If the correct result is listed, click on it to enter it in the previous page. Then, choose the appropriate privilege type from the available checkboxes. If the checkboxes don’t appear (e.g., you were on the Members tab instead of Privileges), you can show them by selecting the Custom Privileges radio button instead of Default privileges.

  • member: add as a group member
  • admin: make an administrator of the group; includes all the other privileges except Member
  • update: can modify membership of the group; includes the view privilege
  • read: can see the membership of the group
  • view: can see that the group exists but can’t see members
  • other privileges: not in use

Filtering for only direct members is slightly different than on the Members tab. To see only direct privileges, click the filter “Advanced” button, then change the option from “all entities” to “Has direct assignments”.

There are a few ways to remove privileges. The first is to simply uncheck all the checkboxes for the row. After removing the last privilege, the row will disappear from the list. To remove privileges from multiple entities, select their checkboxes and then choose the appropriate Assign or Revoke privilege from the drop down list.

Creating new groups or folders

If you have administrative access to a folder, you can create new groups or folders under it. First navigate to the folder that will contain the target folder/group. Then, click the blue “Create new group” button (or pull down its menu to select “Create new folder”). Alternatively, open More Actions in the right menu and select “Create new folder” or “Create new group”.

The folder or group will have a short ID string uniquely identifying it, and a longer free-form name. By default, the ID and name are assumed to be the same, but we generally set them to be different. So, check the “Edit the ID” checkbox to allow the ID to be independently set. The ID field becomes part of the name that appears in LDAP. Thus, it should be a shortened name or abbreviation with no whitespace. The Name field should be an accurate title for the group/folder, so that it can be easily found in searches. The description field is optional, but may help other administrators to understand the nature of the group/folder. After filling in, click the orange Save button.

By default, the creator of a folder or group is the only one with administrative privileges to it. After creating the folder/group, it is important to add administrative access to it, so that others can maintain it. See above for adding privileges to a group.

Publishing a group to LDAP and/or AD

The Identity Management team has the ability to set export flags on a group, which will update the group’s flattened membership to LDAP and/or to AD distribution or security groups. Once flagged, the membership will resync to the external source within 30 seconds whenever it is changed in Grouper.

To prepare the request, obtain the group’s full ID path from Grouper. On the group page, expand the “More” item, and copy the contents of the “ID path:” field from the expanded list.

To submit a request to Identity Management, submit a support ticket:

  • For the “How can we help?” question, enter:
    • Route this to: ISO-Identity-Access-Management
    • Specify whether this should be published as a group in LDAP, an AD distribution group, and/or an AD security group.

The Identity Management team will respond to the request when the group is published, or will follow up with any preliminary questions.