Groups Management

The Division of IT offers the ability to create and manage security groups. A security group lets permissions be assigned to a group of individuals, granting them access to files, workstations or other resources.

At GW, we use automated groups and delegated groups for role-based access control (RBAC). RBAC is a method of regulating access to GW resources based on your role (staff, faculty, student, department, team).

Automated Groups
Automated groups are built based on your role at the university. Depending on your role, you will have access to different applications and services. Automated groups will grant or deny you access to these applications. 

Delegated Groups
Delegated groups are created upon request. Each group is assigned a specific set of privileges that matches its requested use. These groups also have an automated function: if a member becomes inactive, the membership is automatically removed without intervention by the delegate.

Authentication

When you log on to an application or service with your GW NetID and password, you are authenticating.

Through role-based access control (RBAC), access to an application can be limited to members of predefined groups.

Example

Faculty and staff access to GW Google Mail

  • Currently only users with the RBAC role(s) of staff, faculty, wage, or affiliate can use Google Apps in the Faculty/Staff domain.
  • When a GW faculty or staff member logs in to GW Google Mail with their GW NetID and password, their credentials are validated, they are confirmed as a member of the faculty/staff group, and they can access the application.

Authorization

Authorization is the process of verifying that you have permission to access something. Gaining access to a resource (e.g., a directory on a hard disk) because the permissions configured on it allow you access is authorization.

Authorization is the verification that the connection attempt is allowed. Authorization occurs after successful authentication.

Authorization through Security Groups

Security groups (automated and delegated groups) help delegate access to application features based on role membership. 

Examples

  • GWorld can allow access to certain physical locations based on your membership within certain security groups. Law students will have automatic access to Law School complex building doors. 
  • SharePoint will grant access to specific TeamSites depending on your role.
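
The sequence described above (authenticate first, then authorize against automated and delegated group membership) can be sketched in a few lines. This is an added illustration, not GW's implementation: the accounts, the group names `facstaff-google-apps` and `lab-share`, and every function name are hypothetical, and the sample directory is constructed.

```python
# Added illustration; every account, group and function name here is hypothetical.
import hashlib
import hmac
from dataclasses import dataclass

FACSTAFF_ROLES = {"staff", "faculty", "wage", "affiliate"}  # roles listed on this page

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    netid: str
    salt: bytes
    pw_hash: bytes
    roles: set
    active: bool = True

def make_account(netid, password, roles, active=True):
    salt = netid.encode().ljust(16, b"\0")  # constructed sample salt; random in practice
    return Account(netid, salt, _hash(password, salt), set(roles), active)

def automated_groups(acct):
    """Automated groups are recomputed from current roles, never hand-assigned."""
    if not acct.active:
        return set()
    groups = {f"role-{r}" for r in acct.roles}
    if acct.roles & FACSTAFF_ROLES:
        groups.add("facstaff-google-apps")
    return groups

def prune_delegated(members, directory):
    """Delegated groups drop inactive members without action by the delegate."""
    return {m for m in members if m in directory and directory[m].active}

def authenticate(directory, netid, password):
    acct = directory.get(netid)
    if acct is None or not acct.active:
        return None
    ok = hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt))
    return acct if ok else None

def authorize(acct, group, delegated):
    """Authorization runs only after successful authentication (acct is not None)."""
    if acct is None:
        return False
    return group in automated_groups(acct) or acct.netid in delegated.get(group, ())

# Constructed sample data: (netid, roles, active)
SAMPLE = [("prof1", {"faculty"}, True), ("stud1", {"student"}, True), ("gone1", {"staff"}, False)]
DIRECTORY = {n: make_account(n, "pw-" + n, r, a) for n, r, a in SAMPLE}
DELEGATED = {"lab-share": prune_delegated({"stud1", "gone1"}, DIRECTORY)}
```

Because automated membership is derived at decision time, changing or removing a role takes effect on the next authorization check rather than waiting for a manual removal.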

Benefits

Increase Security Efficiency

  • Do more with less (multiple applications authorize against a set of groups based on job functions)
  • Make fewer mistakes (authorization is provided based on pre-defined rules and not based on request)
  • Access is granted quickly (automated vs. manual processing)
  • Simplify user experience (reduce number of forms/approvals)

Increase Security Effectiveness

  • Better controls (de-provision immediately upon termination of a role)
  • Fewer mistakes (prevent retention of access to a resource if unnecessary)
  • Better auditing

Business Agility and Productivity

  • Let business focus on goals (reduce time and steps required to provision users to resources)
  • Let applications focus on business function and service delivery
  • Allow applications to be integrated into a federated lifecycle system with minimal development and turnaround time to delivery