Information Technology
A Division of Information Services

Identity Management Services

Grouper Entitlement Management
Entitlements are represented to the world by the eduPersonEntitlement attribute in our LDAP directory. These values are provisioned from Grouper groups. A single group provisions a single entitlement.

Applications then use entitlements to control access to resources. For example, if a user possesses the eduPersonEntitlement value urn:mace:ku.edu:entitlement:grouper:user, then that user is allowed to access the Grouper web page. (Of course, Grouper will only accept that attribute from trusted sources.)

Setting up an entitlement

To set up an entitlement, contact Identity Management Services and discuss the name you would like to use for the entitlement. If you are providing services local to the KU Lawrence campus, the entitlement is likely to be in one of the following forms:

  • urn:mace:ku.edu:entitlement:groupName:serviceName:other...
    If you need fine-grained access control, or if you are not controlling access to a web resource, you may want to use the URN form, which allows a hierarchy of entitlements that distinguishes, say, read access from read/write access.
  • https://your-web-site
    If you only need to allow or deny access to a web page, then the URL form may be the simplest to use.

Once the name of the entitlement is agreed upon, discuss the name of your Grouper group with Identity Management. You may already have a group you would like to use. If not, Identity Management will suggest some group names.

Once you have your group set up, Identity Management will set up a group which will provision the entitlement using the membership in your group.

As you add and remove members from your group, the entitlements will automatically be provisioned and deprovisioned.
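
An application-side check of the eduPersonEntitlement values described above, as an added example that is not KU's or Grouper's own code. The group, service, read and readwrite names are constructed placeholders, and the example assumes the attribute reaches the application as one ';'-separated string set by the trusted web server layer.

```python
import re

# Constructed entitlement names in the page's URN form; the group, service and
# access-level segments are placeholders, not real KU entitlements.
BASE = "urn:mace:ku.edu:entitlement:exampleGroup:exampleService"

# Each action lists the complete entitlement values that grant it.
REQUIRED = {
    "view": {BASE + ":read", BASE + ":readwrite"},
    "edit": {BASE + ":readwrite"},
}


def parse_entitlements(raw):
    """Split a multi-valued attribute delivered as one ';'-separated string.

    Assumption: the server module joins values with ';' and escapes a literal
    semicolon inside a value as a backslash followed by ';'.
    """
    if not raw:
        return set()
    parts = re.split(r"(?<!\\);", raw)  # split only on unescaped ';'
    return {p.replace("\\;", ";").strip() for p in parts if p.strip()}


def is_authorized(raw, action):
    """Return True only if the user holds a whole value required for action.

    Values are compared exactly and case-sensitively as complete strings, so
    a value that merely starts with or contains a required entitlement never
    matches. A missing attribute or an unknown action is denied.
    """
    held = parse_entitlements(raw)
    return bool(held & REQUIRED.get(action, set()))


if __name__ == "__main__":
    # Constructed sample: a URL-form entitlement plus a read-only URN.
    sample = "https://your-web-site;" + BASE + ":read"
    for action in ("view", "edit"):
        print(action, is_authorized(sample, action))
```

Read the attribute only from the place your trusted web server module sets it, never from a request header or parameter the client can supply.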