Group Management Service
The Group Management Service (GMS) is an access management platform supporting distributed and automated access controls for university applications.
Core capabilities include:
- Define and apply access control policies to applications (use group math operations and nesting of groups and the ability to deligate membership management to others)
- Integrate with nearly any application
- Audit and point in time knowledge
- Consistent expression for access controls across application boundaries
- Ability to link and reuse access controls across application boundaries
- Application owners can extend, redefine and reuse access controls as often as they choose too.
- Application owners can choose to delegate partial or full control over individual GMS groups to other OSU access managers.
GMS Interface Descriptions
WebSSO (AKA: "Shibboleth") Authentication
If you are already using WebSSO for your application and the application can use “User Attributes” from the SAML process, then this is likely your best/easiest choice.
This is “real time” read from GMS (via WebSSO integration) and has a local “fall back cache” (refreshed frequently) in WebSSO to ensure data is available as long as WebSSO is up.
GMS Web Services Rest/SOAP
GMS can expose data via REST/SOAP API models. If your application can be modified to integrate with a REST API and would prefer to directly interact with GMS then this is likely your best choice.
AD Domain Groups (BCD is currently available)
If your application(s) only integrate with AD/AD groups, then this is likely the easiest choice.
Note this approach exposes your group membership to the AD domain and requires some “sync processing” to occur to keep things updated.
This can be extended to support other AD's as well.
Custom/Direct
If you are willing to implement (AKA: “write code”) a “connector” then this method can get updates directly to your application in an event-based model just after the changes happen in GMS. This is likely the more difficult to implement of the choices, but it can also provide you with much more flexibility and leverage GMS in a more complicated way as well.
AWS SQS Queue (other message queue systems are also possible)
If your application/infrastructure uses a Message/Service Bus design, then this may be an easier alternative to the Custom/Direct integration model.
Access the Service
If you already have access to the GMS service, you may log in at go.osu.edu/gms.
Request the Service
To explore or request using GMS, complete the intake form on ServiceNow to start the process. You must log in to view the form.
Support
For public documentation, visit the Group Management Service GMS User Documentation.
You can also join the GMS Microsoft Team to interact with the GMS service team and other GMS users.
Contact
Email: gms-admin@lists.osu.edu