
Grouper Access Management

Access to Vault is managed by each CESI unit's Vault Grouper updaters once the unit has been onboarded to Vault. When a unit's namespace was originally requested, a list of group updaters was required as part of that process. Anyone on that list has access to Grouper to manage members, but not to Vault itself.

Namespace Request Group Updaters

Within Grouper, follow these instructions to add or remove users who need access to Vault. Follow these instructions to change who is a member of the Vault Grouper updaters group.

Info

Access to Vault via Grouper group membership is intended for individual, named access. Functional or departmental accounts added to the namespace's adhoc group will not be able to log in to Vault. For application or machine access to Vault, one of Vault's built-in authentication methods should be used (examples).

Process to Add/Remove Vault Users

Note

The following processes are exactly the same for sub-namespaces; however, the Grouper groups will also contain the subteam name

(e.g. adhoc_[unit]_[subteam]_admins or adhoc_[unit]_[subteam]_users).

  1. Log in to Grouper.

  2. Navigate to Root>app>HCP Vaults>ref>[unit]. If you are managing a subteam, the path will be Root>app>HCP Vaults>ref>[unit]_[subteam].

    Grouper Ref

  3. Open either the adhoc_[unit]_admins or adhoc_[unit]_users group. It is up to each team to determine who will be admins versus users for their team. For a comparison of the permissions, see this article.

    Warning

    Do not place an individual in both the admins and users groups for a namespace, as this will result in conflicting Vault permissions.

  4. To add a member, click the orange +Add Members button in the upper right corner, enter their username and click the orange Add button. No start or end date is required unless your team requires it. Attestation of group members will be required every 180 days.

  5. To remove a member, check the checkbox next to the member's name and click Remove selected members.

Process to Add/Remove Grouper Updaters

  1. Log in to Grouper.

  2. Navigate to Root>app>HCP Vaults>security>[unit]. If you are managing a subteam, the path will be Root>app>HCP Vaults>security>[unit]_[subteam].

    Grouper Ref

  3. Open the [unit]_updaters group.

  4. To add a member, click the orange +Add Members button in the upper right corner, enter their username and click the orange Add button. No start or end date is required unless your team requires it. Attestation of group members will be required every 180 days.

  5. To remove a member, check the checkbox next to the member's name and click Remove selected members.

Namespace Structure

This structure represents the groups associated with a standard CESI unit. The structure is the same for subteams that have requested sub-namespaces.

app
└── HCP Vaults
    ├── ref
    │   └── [Unit Short ID]
    │       ├── adhoc_[unit]_admins
    │       └── adhoc_[unit]_users
    └── security
        └── [Unit Short ID]
            ├── [unit]_deny
            └── [unit]_updaters

  • Managers/Updaters ([unit]_updaters, [unit]_[subteam]_updaters) - These individuals have access to manage the CESI unit in Grouper, without any direct Vault access. They are responsible for bi-annual attestation within Grouper and for removing team members who should no longer have access.
  • Admin Users (adhoc_[unit]_admins, adhoc_[unit]_[subteam]_admins) - These individuals have admin-level access to the namespace in Vault.
  • General Users (adhoc_[unit]_users, adhoc_[unit]_[subteam]_users) - These individuals have general-level access to the namespace in Vault.
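
The warning above about placing one person in both the admins and users groups can be checked during attestation with a short script. This is an added example, not part of the original documentation or of Grouper: the "group,username" CSV layout, the sample rows, case-insensitive usernames, and treating each sub-namespace as its own namespace are all assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Naming convention from this page: adhoc_[unit]_admins / adhoc_[unit]_users,
# or adhoc_[unit]_[subteam]_... for a sub-namespace.
GROUP_RE = re.compile(r"^adhoc_(?P<namespace>.+)_(?P<role>admins|users)$")

# Constructed sample: a hypothetical membership export, one row per member.
SAMPLE_EXPORT = """\
group,username
adhoc_net_admins,asmith
adhoc_net_users,bjones
adhoc_net_users,ASmith
adhoc_net_dns_admins,bjones
adhoc_net_dns_users,cdoe
net_updaters,asmith
"""


def find_conflicts(export_text):
    """Return {namespace: [usernames in both its admins and users groups]}."""
    members = defaultdict(lambda: {"admins": set(), "users": set()})
    for row in csv.DictReader(io.StringIO(export_text)):
        match = GROUP_RE.match(row["group"].strip())
        if match is None:
            continue  # not an adhoc access group (e.g. [unit]_updaters)
        # Assumption: usernames compare case-insensitively.
        user = row["username"].strip().lower()
        members[match["namespace"]][match["role"]].add(user)

    conflicts = {}
    for namespace, roles in members.items():
        overlap = roles["admins"] & roles["users"]
        if overlap:
            conflicts[namespace] = sorted(overlap)
    return conflicts


if __name__ == "__main__":
    for namespace, users in find_conflicts(SAMPLE_EXPORT).items():
        print(f"{namespace}: in both admins and users: {', '.join(users)}")
```

In the sample, asmith is flagged for the net namespace, while bjones is not flagged because the two memberships belong to different namespaces (net and net_dns).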