Commit
Merge branch 'main' of github.internet2.edu:internet2/iam-knowledge-bits
Showing 10 changed files with 114 additions and 4 deletions.
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
|
|
||
| ==== Grouper Data Integration with PeopleSoft @ UNC Chapel Hill | ||
| Ethan Kromhout, 2 Nov 2022 | ||
|
|
||
| I wanted to talk about how our data currently gets from Peoplesoft to Grouper. | ||
| There's maybe a story that I didn't include about how grouper data gets indirectly to peoplesoft. But maybe I can comment about that at the end. | ||
|
|
||
| We've got three main paths the data goes through to get from from Peoplesoft to to Grouper. | ||
|
|
||
| The first path, the the largest and most complex, is our our homegrown Java app. We call it directory manager, but it's basically been | ||
| the place where the business logic happens for deciding people's, affiliation states and things like that, and getting those things published out to, particularly, the Open LDAP Directory, but also Active Directory. | ||
|
|
||
| image::images/unc3flows.jpg[Directory Manager] | ||
|
|
||
| So that path through Directory Manager includes our oldest integration, which is with Campus Solutions. We brought up campus solutions in 2009 well ahead of bringing up the HR And finance modules. The integrations are messaging and the reason for those two different transports are that the original campus solutions integration was all messaging. | ||
|
|
||
| The original campus solutions integration was all messaging based, and then we just found that later a polling strategy was perhaps at least as effective as the messaging we were doing. | ||
| So when we did the integrations with HR And Finance, those were done as as SOAP transport integrations and either way it's It's pretty close to real time. So the the information that's pushed by messaging. And unless there is a ton of changes that back things the updates are near real-time. | ||
|
|
||
| Those that are polling or polling every five minutes are an acceptable form of data integration. But a second path that we use is Informatica, an ETL tool. So the main thing that's used for is for developers in the group that runs people soft to write queries, | ||
| and then either push those out the different locations, or create apis in informatica for people to retrieve data without having direct database access. | ||
| So the developers in relation to group or do a fair amount of querying of things in those databases, and then pushing information into Grouper for a couple of use cases i'll talk a little bit more about. | ||
|
|
||
| Is it near real time for those other integrations? In the case of the Informatica ETLs, it's really up to the developer. Most of those are things that run on kind of a daily cycle. But,,, the developer in informatica has the capability to schedule things as often as they want them to run. It really is up to them. | ||
|
|
||
| The business logic to publish those into reasonable affiliations happens inside Directory Manager. The Directory manager also does those SOAP queries that I mentioned. So that's the direction we decided to go with for | ||
| HR and finance. | ||
|
|
||
| It connects to HCM and queries for jobs and associations with the construct that we described here. For the | ||
| poorly worded affiliate status which is basically your sponsored researchers | ||
| contractors anybody who you can't really say is an employee of the university, but still has quite a formal relationship with the University goes through what we call our affiliate process. That creates those associations. | ||
|
|
||
| The Directory manager is is what they call every five minutes or so | ||
| for any new jobs and associations that are available. And then also, once a week, has so pinpoint that a call and say, Okay, cycle through and give me everybody so that it can do a full synchronization. | ||
| And then there's just a very simple query over to Peoplesoft finance, really. Only thing that I am cares about from | ||
| our finance installation is what are the department names? So it gets nbers department nbers that are associated with jobs or associations or student status. But it it's nice to have a friendly name to associate with those department nbers, and so it retrieves those friendly names from our our finance install. | ||
|
|
||
| And then Directory manager is responsible for essentially has its own open ldap instance running kind of locally to that application, and then we use the built-in open all that sync where to? To? To to that out to our our large open | ||
| installation, and then finally, That's where Grouper can run. It's loader jobs and retrieve things from Ldap. So just like we run loader jobs for databases. We've got these that run directly against our open laptop installation, and that gives group or, | ||
| first of all, it's subject source, | ||
| but also affiliations with student type and departments all come through wearing that open all that instance. So this. These are fairly indirect, as obviously. But as I mentioned, they perform well that this works. It's just kind of | ||
| old and very C specific. | ||
|
|
||
| The second flow that we have I mentioned informatica, | ||
| and it's doing sql queries into any of the big towers along with some other data sources. Honestly, it's just here we're We're concerned about Peoplesoft | ||
| and then informatica has the capability to | ||
| push those in the group or via the group or web services. So a lot of the roles that are people solve security folks create are useful in other applications besides just inside people's, so they they function. As for | ||
| proxies to other data that people might have access to because of the roles that they have. And and one of the Peoplesoft powers. So, for example, they can go to a data warehouse. | ||
|
|
||
| image::images/uncInfMat.jpg[Informatica path] | ||
|
|
||
| Instead of having a separate role structure for the data warehouse the people self-security folks would rather just replicate those roles that they have, and people solve the Grouper, and then ! It can be queried, or L. That can be queried | ||
| to retrieve that information about those roles. We also do use this for some special group that our Hcm. People need to keep track of, anyway. So an example that I off the top of my head is who's in a hipaa-related department? So are you in a hip a covered entity? | ||
| ! Because there's a nber of of things that want to know that, for example, our our zoom installation needs to know if you're if or not, because it turns on and off. You know, certain capabilities inside of zoom | ||
| and . So | ||
| all of those are published. A group or many of them are then published to that to be consed. But this gives group or some knowledge about internal people, self-security information as well as those kind of edge case groups that we haven't come across a friendly, her way to to get replicated out for consption to be a group, | ||
|
|
||
| and I should have said this before. But but Please interrupt with questions as we go along, because I know these paths are are fairly divergent. | ||
|
|
||
| So it's a really, really quick one about the diagram that you're showing that Are the arrows correct? Are you taking data from and from Fromatica and sending it to people talk? Or is it the other way? | ||
| I I I usually debated which way to point these arrows, but this is our sql query, so informatic that is, reaching out to the Peoplesoft hours, The Nsql query and pulling data back. I see. | ||
|
|
||
| The third flow is just direct loader jobs that people saw from that group or a queries people. Probably the courses and course roles are the main use of these queries | ||
|
|
||
| image::/images/uncLoader.jpg[Loader Jobs] | ||
|
|
||
| We we do publish all of our courses out to Grouper each semester, and then break out | ||
| the different roles inside the courses. So, student, faculty, primary | ||
| teaching assistant, all of those kinds of roles. | ||
|
|
||
| Currently, the majority of our courses are in sakai but we are trying to migrate to canvas. So we have something a little bit larger than pilot groups on campus at this point. | ||
|
|
||
| - - - |
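Review bot: the third image macro, `image::/images/uncLoader.jpg[Loader Jobs]`, uses an absolute path while the first two use the relative form `image::images/unc3flows.jpg[...]` and `image::images/uncInfMat.jpg[...]`; the leading slash will resolve outside the document directory in most AsciiDoc renderers, so drop it for consistency. The body reads as a raw speech-to-text transcript, and several product names came through wrong ('people solve' and 'people saw' for PeopleSoft, 'group or' for Grouper, 'open all that' and 'open laptop' for OpenLDAP, 'hip a' for HIPAA, 'nbers' for numbers, 'C specific' presumably for UNC-specific); correcting these before merge would make the page findable by the products it is actually about. The question-and-answer exchange about the arrow direction has no speaker labels, so it reads as the presenter asking himself; marking the audience question would help. Finally, the file opens with a `====` level-3 heading and has no document title above it, so the title and the "Ethan Kromhout, 2 Nov 2022" line will not render as document metadata.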
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| === SIWG-2022.adoc | ||
| - - - | ||
| _2023-01-08 20:44:32 submit list of work items and accomplishments_ | ||
|
|
||
| https://spaces.at.internet2.edu/display/ISI/Service+Management+PoR-2022 | ||
|
|
||
| planing and launch of midPoint User Group and Peoplesoft integration Wg | ||
|
|
||
| *-Jan 2022, p. 221-* + | ||
| ID Match API complete implementwtions of the API in COmanage and independently in midPoint + | ||
| Recorded discussion of the possible uses of Grouper loader jobs w BillT and CarlW + | ||
|
|
||
| *-Feb 2022, pp. 112-113-* + | ||
| Recorded discussion of Grouper templating, provisioning and proposed entity data system capabilities with Chris Hyzer + | ||
| Recorded discussion of COmanage and midPoint user invitation, self-registration, and onboarding and mP SSH connector | ||
|
|
||
| *-Apr 2022, pp. 76-78-* + | ||
| Arch and design for using COmanage as Identity Registry integrated with midPoint for provisioning | ||
|
|
||
| *-May 2022. p. 71-* + | ||
| Volunteers take on drafting a list of connector how-tos + | ||
| Help organizing a panel on campus midPoint deployments for Tech Ex + | ||
|
|
||
| *-June, July 2022, pp. 51-2-* + | ||
| Interview James Babb to obtain better understanding of the growing adoption of Azure AD for a growing set of IAM tasks + | ||
| Organizing project for next iteration of Grouper/midPoint integration + | ||
| Procesa map illustrating the path from raw SoR data to access policy and enforcement + | ||
| Reviewing state of development of ProvisioningIAM's open source Base Connector Utility for creating ConnID connectors + | ||
|
|
||
| *-September, 2022-* p.24 + | ||
| end-to-end demo of the auto-documentation feature of midPoint, ultimately this functionality was incorporated into the TAP Workbench used by participants in the Collaboration Success Program. p. 24 + | ||
|
|
||
| *-October-December 2022, pp. 1-19-* + | ||
| Conducted review of the draft BTAA Provisioning Cookbook + | ||
| Recorded presentation on the WebAuthN passwordless login service at Duke U. + | ||
| Exploring tools and methods for performance analysis on interacting TAP components + | ||
|
|
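Review bot: the month headings are formatted three different ways, which will make this list hard to maintain as it grows: `*-Apr 2022, pp. 76-78-* +` puts the page range inside the bold markers, `*-May 2022. p. 71-* +` uses a period after the year, and `*-September, 2022-* p.24 +` puts the page number outside the bold and then repeats `p. 24` at the end of the item beneath it. Suggest one form, e.g. `*-September 2022, p. 24-* +`, and dropping the duplicated `p. 24`; `pp. 51-2` should also be written out to match `pp. 112-113`. Typos to fix in the same pass: `planing`, `implementwtions`, `Procesa`, `Wg` for WG, and `w BillT` for 'with'. The `=== SIWG-2022.adoc` heading uses the file name as the section title; a descriptive title (the link on the line below already points at the Service Management PoR-2022 page) would read better in the rendered site.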