PennGroups, an offering of ISC's Identity Management Services, is a centralized middleware system allowing distributed management of permissions and groups of people/entities for authorization or other reasons (e.g. email lists). It is built on top of Internet2's Grouper product. Submit your support request through Penn’s Support Center: https://supportcenter.upenn.edu. Select the PennGroups Request tile.
Using the online tool PennGroups, you can electronically manage access to Penn resources, from web applications to physical resources (such as printers), and more.
- Groups can be quickly created and automatically maintained based on affiliations or other centrally managed data
- Group membership can be automatically updated based on external triggers and events (e.g., when a person leaves Penn or changes roles within Penn)
- Easy creation and maintenance of custom, ad-hoc lists of group members
- Multiple services can share the same lists of provisioned group members
- Centralized deprovisioning: closing an individual’s access to multiple resources in a single location
Eligible population
As of July 2023, an identity is eligible to be a member of a group or hold a privilege in PennGroups if it meets any of the following:
- It has a persistent affiliation (active or inactive) other than ALUM, APPL, or GAPL
- -or- It has an ALUM affiliation and also has a PennKey
- -or- It has an active non-persistent affiliation
Note: if you are an ex-employee, you will still be in PennGroups.
Glossary
- Entity: (aka subject, aka identity): generally this is a person at Penn whom you can add to a group or assign a privilege to. Note: a group is also an entity, since it can be added to another group
- Group: collection of entities
- Folder: (aka stem): namespace to organize a collection of groups or folders (similar to file system)
- Privilege: the ability to perform some action on a group or folder. e.g. VIEW that a group exists, CREATE objects in a folder
- Membership type:
  - Direct: the entity is assigned membership in the group and can be directly unassigned
  - Indirect: (aka effective): the entity is a member of the owner group because of a direct membership in another group that is related to the owner group by membership or composite
  - Composite: (aka JEXL scripted): two or more factor groups are combined (using group math, for example) to populate the membership of an overall group (e.g. wikiUsers is the wiki manual group, intersected with employee, minus the locked-out users)
    - Union: (aka "OR") this does not really exist as a composite; if you want a union, add the factor groups as members of the overall group
    - Intersection: (aka "AND") if an entity is in all factor groups, it will be in the overall group
    - Minus: (aka complement, "NOT") if an entity is in the first factor but not in the second factor, it will be in the overall group
- Manual group: (aka ad hoc): some person is managing the membership of a group by hand
- Loaded group: the group is populated via SQL or LDAP query
- Basis group: the group is populated via loader from arcane codes from a source system (e.g. affiliations)
- Reference group: the group represents an institutionally meaningful population, e.g. student or employee. These can be constructed from basis groups or other means.
- Policy group: the group is used in an application or service to authorize a right to perform an action (e.g. log in, view reports, be an admin). These can be constructed from basis, reference, loaded, manual, composite, etc. Note: reference groups should not be used for policies, and the same policy group should not be used in multiple applications/services
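To make the membership types and composite group math above concrete, here is an added toy model (written for this page, not Grouper's own code) that resolves effective membership through nested groups and through intersection/minus composites, using the glossary's wikiUsers example; all group names and entity ids in it are constructed.

```python
from dataclasses import dataclass, field

# Toy model of PennGroups/Grouper membership resolution, written for this
# example (not Grouper code). A group holds direct members (entity ids or
# other group names) or is instead a composite of two factor groups.

@dataclass
class Group:
    name: str
    direct: set = field(default_factory=set)   # entity ids and/or group names
    composite: tuple = ()                      # ("intersection" | "minus", left, right)

REGISTRY: dict = {}

def define(name, direct=(), composite=()):
    REGISTRY[name] = Group(name, set(direct), composite)

def members(name, seen=frozenset()):
    """Effective membership: direct entities, members of nested groups
    (indirect), or the result of composite group math."""
    if name in seen:                           # guard against membership cycles
        return set()
    g = REGISTRY[name]
    seen = seen | {name}
    if g.composite:
        op, left, right = g.composite
        left_m, right_m = members(left, seen), members(right, seen)
        return left_m & right_m if op == "intersection" else left_m - right_m
    result = set()
    for m in g.direct:
        if m in REGISTRY:                      # nested group -> indirect memberships
            result |= members(m, seen)
        else:
            result.add(m)
    return result

def membership_type(entity, name):
    """'direct', 'indirect' or None, matching the glossary's membership types."""
    if entity in REGISTRY[name].direct and entity not in REGISTRY:
        return "direct"
    return "indirect" if entity in members(name) else None

# Constructed sample data: hypothetical group names and entity ids.
define("staffBasis", {"alice", "bob", "carol"})         # basis group (loaded)
define("contractorBasis", {"dave"})
define("employee", {"staffBasis", "contractorBasis"})    # "union": factor groups as members
define("wikiManual", {"alice", "bob", "eve"})            # ad-hoc manual group
define("lockedOut", {"bob"})
define("wikiActive", composite=("intersection", "wikiManual", "employee"))
define("wikiUsers", composite=("minus", "wikiActive", "lockedOut"))
```

With this data, `members("wikiUsers")` resolves to `{"alice"}`: eve is not an employee, and bob is locked out, so only alice survives both factors.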