Intro

Group Manager is a Duke-developed front end to Duke's enterprise group management tool, Grouper.  Grouper tracks over a million groups at Duke, which manage membership for everything from DukeCard access plans to email distribution lists.

Getting Started

If you are new to working with groups at Duke, we encourage you to start by creating an "ad hoc" group in Group Manager.  An ad hoc group requires only a name and a description:

[Image: Ad Hoc Group Screenshot]

Ad hoc groups allow you to access some basic features, such as:

  • Adding and removing Duke users individually, by group, or in batch.
  • Adding and removing co-owners for the group.
  • Syncing your group members to an email list or other IT infrastructure.
  • Accessing basic audit history about changes to group members.

Curated Groups

Ad hoc groups are useful for learning, but they aren't the best option for official Duke use.  For supporting departments or services, you will want to work with curated groups.  These include:

  • Support groups - registering a Support Group will qualify your team for access to more features of Group Manager.
     
  • Reference groups - these are general purpose groups managed by Duke's data authorities to ensure consistent definition of key populations. 
     
  • Policy groups - these are service or departmental groups used for access or reporting.  They may refer to one or more reference groups for definition.
     
  • Community groups - these are opt-in/opt-out groups used for developing communities within Duke and tying membership of those communities to relevant entitlements (such as being on an email list or getting access to a system relevant to that community).
     
  • Sponsorship groups - these are registered groups which allow users to submit and manage guest sponsorships (affiliates) as a collective group instead of as an individual user.
     
[Image: Screenshot of a reference group in Group Manager]

Group Automation

One of the most powerful features of Grouper is the ability to partially or fully automate group membership.  Examples of this include:

  • Automating group membership based on users' relationships to Duke.  For example, ensuring all students are automatically in a group, and automatically removed after graduation.
     
  • Deriving group membership based on comparing other groups.  For example, Group C may be derived by subtracting Group B from Group A, or identifying the overlap between Group A and Group B, or selecting users who are in Group A, but not Group B.
     
  • Loading a group's members based on the results of a database query.
     
  • Automating group cleanup for a manually-managed group via a deprovisioning policy.

An important feature of most curated groups is that they follow an "includes-excludes" structure.  This means that group automation can be combined with manual inclusions or exclusions.  A common pattern is to have an access policy defined automatically by a reference group (e.g., active students) with a manual inclusion of a test or administrative account.  Manual inclusions will persist, while the reference group(s) will keep automated memberships up to date.
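The includes-excludes structure described above, as an added Python example (not Duke's or Grouper's own code) that computes effective membership and sorts manual entries into categories an owner can audit. It assumes an exclusion overrides both automated and manually included membership; the function names and NetIDs are constructed for illustration.

```python
# Added illustration; not Duke's or Grouper's code. NetIDs are constructed.

def effective_members(automated, includes, excludes):
    """Assumed precedence: an exclusion overrides automation and inclusion."""
    return (set(automated) | set(includes)) - set(excludes)


def review_manual_entries(automated, includes, excludes):
    """Classify manual entries so a group owner can audit the exceptions."""
    automated, includes, excludes = set(automated), set(includes), set(excludes)
    return {
        # Membership that exists only through a manual inclusion; it persists
        # after the person drops out of the reference group.
        "include_only": sorted(includes - automated - excludes),
        # Inclusions that currently change nothing (automation already covers them).
        "redundant_include": sorted((includes & automated) - excludes),
        # Listed in both manual lists; the exclusion wins under the assumption.
        "conflict": sorted(includes & excludes),
        # Exclusions that currently remove nobody.
        "inactive_exclude": sorted(excludes - automated - includes),
    }


def simulate_graduation():
    """Show a manual inclusion outliving the automated membership."""
    active_students = {"abc12", "def34", "ghi56"}  # reference group (constructed)
    includes = {"svc-test1", "def34"}              # manual inclusions
    excludes = {"ghi56"}                           # manual exclusions

    before = effective_members(active_students, includes, excludes)
    review_before = review_manual_entries(active_students, includes, excludes)

    # Automation removes def34 from the reference group after graduation.
    active_students.discard("def34")
    after = effective_members(active_students, includes, excludes)
    review_after = review_manual_entries(active_students, includes, excludes)
    return before, review_before, after, review_after


if __name__ == "__main__":
    before, review_before, after, review_after = simulate_graduation()
    print("before:", sorted(before), review_before)
    print("after: ", sorted(after), review_after)
```

In the simulated run the effective membership is unchanged after graduation, because the manual inclusion of def34 moves from "redundant_include" to "include_only"; entries in that category are the ones worth reviewing periodically.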

Accessing Membership Data

Group Manager and Grouper will show you groups you own or have been authorized to see.  Identity Management offers consultations with departments looking to leverage a definition that may not be published for discovery.  If desired groups are identified in the consultation, Identity Management will contact the group owner(s) to arrange permission for the requesting department.

There are many ways to access group membership information, including:

  • Over the web:  Both Grouper and Group Manager offer web-based interfaces for viewing, searching, and exporting group memberships.  Group owners may delegate viewing rights to collaborators in Group Manager.
     
  • Through SSO: Duke services that accept NetID authentication can access group memberships to support access decisions.  This can be requested when a site is registered with Authentication Manager.
     
  • Via API: Group Manager and Grouper API access is available to service accounts. Your service account can be used to retrieve group membership for any group it has access to. A quick start guide for Grouper Web Service is available in the Duke Knowledgebase.