Group Management at Brown
James Cramton
Brown University
April 24, 2007
Starting Point: Brown Grouper
• 1990s: Brown Grouper developed to manage groups
• Base groups provisioned nightly from SIS & HR systems
• Administrator includes or excludes members
• Dated web interface is difficult to search and understand
• Slimmed down web interface used by instructors to manage course groups
• 11,700 groups in Brown Grouper
• 18,000 users in SunOne LDAP registry
• No groups in SunOne registry—yet
• 1,000 AD & Novell groups manually provisioned
• Managed by very few IT personnel who know the data
Background
Current uses of groups at Brown
• Web authorization
  • Licensed software access
  • .htaccess file ACLs on various websites
• Bulk Email
  • Morning Mail daily email distribution
  • Course email lists
• Application Provisioning
  • WebCT
Group Usage
Anticipated uses of groups at Brown
• Current uses, plus…
• Network Access Control Lists
• Wiki groups (Confluence)
• Improved iTunes U provisioning
• Centralized management of Exchange/AD groups
• Novell eDirectory groups (file/print services)
• Guest, alum IDs and ACLs
• Shibboleth
• Video on demand
• Campus calendars
• Personal groups
Brown’s group schema
• 11,700 groups
  • 10,400 are course groups for 2,600 courses
  • 1,300 are demographic groups
  • Schema is 4 levels deep
    • Half the course groups are 2 levels deep
    • The rest are 3 levels deep
    • Half the demographic groups are 3 levels deep
    • The rest are 4 levels deep
• Number and complexity of groups expected to increase as capabilities and utilization grow
Group Types
Top level group schema at Brown
• SIS (5,200 base groups)
  • Admin & membership groups for each of 2,600 courses
• Courses (5,200 effective groups)
  • Admin & membership groups for each of 2,600 courses
• Electronic Address Book (750 base groups)
  • Provisioned demographic groups
• Community (502 effective groups)
  • Modifiable effective groups for demographic groups
  • Most of administrative overhead is here
• Service (10 administrative groups)
  • Admin users for Bulk Mail, WebAuth, Grouper, etc.
Course groups at Brown
• 2 base groups provisioned per course
  • SIS.XY123S01
  • SIS.Admin.XY123S01
• 2 effective groups maintained per course
  • Course.XY123S01
  • Course.Admin.XY123S01
• Expect to add subject and course number to schema
  • Multiple groups per course
    • Registrar’s official students, auditors, instructors
    • Effective course list includes ‘vagabonds’ for email, courseware
    • Currently maintained in local applications, not registry—for now
• Longer retention will increase number of groups
  • Current practice retains only current term
  • Expect to retain course groups in future for ongoing access
Community group stems at Brown
• Employee (270 groups)
  • Payroll department
  • Social department
  • On campus or off campus
  • Full time or part time
  • Union or non-union
• Applicants (221 groups)
  • Degree
  • Major
• Students (84 groups)
  • Undergraduate department
  • UG Social year
  • Graduate department
  • Athletic teams
• Dorm (74 groups)
  • Facility designation
  • Social designations
• Affiliates (25 groups)
  • Visiting
  • Retired
  • Guest
• Registrar (8 groups)
  • Graduate
  • Medical
  • Undergraduate
  • Official graduating year
  • Gender
• 600 stems with fewer groups
MACE Grouper migration
• Brown is evaluating MACE Grouper
  • Currently loading 11,700 groups for performance testing
    • 1st rev on dev server ran out of memory after 11 hours/2,000 groups
    • Primary problem: adding groups to stem with many groups (courses)
    • Adding subject & number containers to schema, deploying to QA box
    • Will publish final metrics to [email protected]
• Major tasks include
  • Provisioning changes to populate MACE Grouper from feeds
  • Re-integration of 1,000 manually provisioned AD groups
  • Provision groups into SunOne, AD, and Novell directories
  • Provision groups into some applications
  • MACE Grouper interface changes to suit Brown’s needs
  • Disable application functionality that allows users to browse groups
MACE Grouper
Nested vs. flat group schema
• Delegation of management needs nested groups
• Applications generally don’t support nested LDAP groups, although some try in different ways
• Lowest common denominator is flat LDAP schema
• Use MACE Grouper’s LDAP connector to map nested MG group schema to a flat LDAP schema
• Use MG display name for LDAP group names
  • Community Groups : Staff : Full Time Staff
• Significant limitation in schema browsing in apps
  • How to browse 12,000 groups?
  • Don’t want users to browse anyway; need to disable in apps
Schema Design
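Added example (not part of the original slides, and not MACE Grouper's code or API): a sketch of the nested-to-flat mapping above, combined with the base/include/exclude model from the earlier slides. The Group class, the function names, the user ids and the rule that a group's excludes take precedence over every other membership source are assumptions made for illustration.

```python
# Added example with constructed data; not Brown's registry or MACE Grouper's API.
from dataclasses import dataclass, field

@dataclass
class Group:
    display_path: tuple                              # stem path plus group display name
    base: set = field(default_factory=set)           # provisioned from a feed (SIS/HR)
    includes: set = field(default_factory=set)       # added by an administrator
    excludes: set = field(default_factory=set)       # removed by an administrator
    subgroups: list = field(default_factory=list)    # ids of nested member groups

def effective_members(gid, groups, _stack=()):
    """Expand nested groups; assumption: a group's excludes win over all its sources."""
    if gid in _stack:
        raise ValueError("group cycle: " + " -> ".join(_stack + (gid,)))
    g = groups[gid]
    members = g.base | g.includes
    for sub in g.subgroups:
        members |= effective_members(sub, groups, _stack + (gid,))
    return members - g.excludes

def flatten_for_ldap(groups):
    """Map each nested group to one flat entry: display-name cn -> sorted member uids."""
    flat = {}
    for gid, g in groups.items():
        cn = " : ".join(g.display_path)
        if cn in flat:  # two groups sharing a flat name would silently merge ACLs
            raise ValueError(f"duplicate flat group name: {cn}")
        flat[cn] = sorted(effective_members(gid, groups))
    return flat

# Constructed sample hierarchy (user ids are made up).
GROUPS = {
    "staff": Group(("Community Groups", "Staff"),
                   subgroups=["staff:ft", "staff:pt"], excludes={"dlee"}),
    "staff:ft": Group(("Community Groups", "Staff", "Full Time Staff"),
                      base={"asmith", "dlee"}, includes={"kpatel"}),
    "staff:pt": Group(("Community Groups", "Staff", "Part Time Staff"),
                      base={"bjones"}, includes={"cwu"}, excludes={"bjones"}),
}

if __name__ == "__main__":
    for cn, members in flatten_for_ldap(GROUPS).items():
        print(f"{cn}: {', '.join(members)}")
```

Because applications only see the flat entries, an exclude set on a parent group has to be applied during expansion; here "dlee" stays in the Full Time Staff entry but is absent from the flattened Staff entry.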
Policy should lead practice
• Need to delegate management to data owners
• Delegation requires clear policy
• The need for policy easily recognized, but the challenge is finding an owner
• Analyst or director often defines de facto policy
• ‘Policies from practice’ are often sound, but poorly communicated across organization
• Adherence to informal policies is unlikely
Policy Issues
Concerns moving forward
• Functional differences between Brown Grouper & MACE Grouper
  • Adjusting expectations
  • Extending MACE Grouper
• Performance of MACE Grouper
  • Deeply nested stem structure not previously tested
  • Administration usage patterns unknown
• Merging manually provisioned AD groups into global groups
  • Establishing and enforcing policy
    • Naming conventions, stem structure
    • Who has authority to request changes for whom
• Transition of ownership from IT staff to Helpdesk
  • Learning new system
  • Different administrator skill sets
  • Loss of continuity
Moving Forward