Carnegie Mellon University

Group Management FAQ

This FAQ will address your questions about using Group Management services.

What is Group Management?

Group management is the process of granting authorized groups the right to use a service, while preventing access to non-authorized groups. Group management can also be referred to as rights management or access management. Groups can be used for several purposes across multiple applications, for example, to determine access to specific services, to establish permissions to shared resources, or to determine members for distribution lists.

Carnegie Mellon uses Grouper technology to support its Group Management service. Grouper:

  • allows applications to use CMU’s information about how individuals interact with the university (as a student, employee, etc.) to manage group permissions
  • allows groups to be created once, and then used as often as necessary, to streamline processes
  • ensures that groups remain up to date when individuals change roles or organizations within the university

Who can use Group Management?

Group Management is available to faculty and staff acting as Group Managers and IT Administrators for university services, applications, website, resources and distribution lists. University student organizations may request group management for approved projects.

How does Group Management work?

Group Management uses Grouper technology to create and manage group and role-based permissions in a centralized repository, allowing for streamlined processes.

How do I request Group Management?

University IT Administrators (with collaboration from Group Managers) can request Group Management Integration to manage access to their application(s) or IT resource(s). The request form is sent to Identity Services.

What happens after I submit a request?

Based on the information in the Group Management Integration request form, Identity Services will provision a managed folder with administrative privileges based on your integration needs.  You will receive an email when your Grouper integration is complete and your folder is ready. Visit How to Use Grouper to manage subfolders, groups, member and privileges. 

What integration options are available?

Grouper can be integrated with the following:

  • Web Login - You can protect your service or application with Web Login and have group information authenticated through our single sign-on service (SSO). Visit Install & Configure SSO with Web Login for detailed instructions.
  • LDAP - You can use LDAP to query group information stored in our Directory Services. Visit Integrate with LDAP for detailed instructions. 
  • API - You can obtain read/write group membership using the Grouper Web API. Contact Identity Services for assistance.

Can I link to the Andrew Active Directory?

Yes. You can designate what groups you want to sync to Andrew Active Directory on the request form. Visit Integrate with LDAP for detailed instructions. 

Can my groups access Community Populations?

Yes. There are several Community Populations that your groups can access upon request. You can also request community access to specialized groups based on department or other attributes. Visit Integrate with Grouper for more information.