There are some changes in the way you will manage who has access to your service now that you’re moving to Okta. The main difference is that, in addition to how you normally manage access in your application, you will also manage the access to your service using Grouper.

Thinking Through the Process

If you have not been using Grouper to manage access to your service, Identity & Access Management (IAM) can help you get your Grouper group established. There are some important things to consider as you begin to use Okta with Grouper.

1. Who should have access?
   It is extremely important that access to your services be limited to the people who really need access rather than to anyone who might want at some point to have access. You are always able to manage exceptions using your Grouper group. The default should be to limit access. 
2. How do you provide access now?
   Does your service serve a specific department? Do select groups from across the University require access? There are a lot of defined groups in Grouper. IAM can help to assemble those groups into your Grouper group.
3. If your service provides access mostly ad hoc or your service model calls for lots of exceptions, you should become familiar with the Grouper Group Administration website (grouper.uchicago.edu) so that you can add and remove individuals from your group as appropriate. 
4. How do you currently remove access to your service?
   If your users should have access until they are no longer active members of the University community, IAM can help set up your access so that Grouper automatically removes them from your group when they are no longer actively affiliated. Otherwise, you will need to consider how you will manage account removal when users should no longer have access.

Making the Move

Once you have considered how your service is currently managed, complete the Okta Application Integration Support Request to convert. Your vendor may assist you with the technical details. 

The Identity & Access Management team will get in touch with you to help plan your conversion based on the information that you provide. We can help seed your Grouper group. It may be that your service is provided to a user community that can be managed entirely by existing Grouper groups (e.g., your service is designed for the faculty, students, and staff of the College). More likely, you will have a user community that is mostly straightforward groups, but with some exceptions (your service is designed for the faculty, students, and staff of the College… but you also provide access to certain Lab School students and a few graduate students in Humanities and the Biological Sciences Division). IAM can help to seed your Grouper group, but you should become familiar enough with Grouper to be able to manage your one-off exceptions manually.

Information about Grouper is available in the IT Services Knowledge Base, but the Grouper Group Administration website has additional knowledge articles that you can reference. Just select the Documentation link on the left side of the screen. That will pull up a list of Grouper documents, including a Grouper User Guide and instructions on how to add and edit entries in your Grouper group. 

IAM can also help to set up the automatic removal of members of your Grouper group when they lose their active status in University systems. If you are adding ad hoc members or your service does not follow regular University account closure processes for eligibility, you’ll need to think through how to remove your members when they no longer need access. Offboarding members is as important as onboarding members and is something you should consider carefully—especially if you provide your service to members whose accounts may remain active after they are no longer eligible for access to your service.