Managing User Access with Grouper

Group Layout

Access to AWS LCA1 is driven by CU’s Grouper Tool. Each account and role combination is allocated its own Grouper group, and members of that group are allowed to log into AWS as that role.

Group names use the <AWS account alias>-<Role> format. For example, the group awsucob0myaccount-MyRole would allow members of that group to log into the awsucob0myaccount AWS account as the MyRole role.

The necessary groups will be created for you as part of your AWS onboarding, and you will be given the ability to add and remove users in your account. It is your ongoing responsibility to ensure membership in this group accurately reflects the people who should have access to your AWS account.

All access groups live in Root -> Services -> Cloud Broker -> AWSLZA -> customer-access-groups.
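Because membership in these groups is the only thing granting AWS access, it is worth auditing it periodically rather than only at onboarding. The following added example (not part of CU's tooling) parses the `<AWS account alias>-<Role>` group names and reconciles each group's actual membership against the roster of people who should hold that role. It assumes the role is the part after the last hyphen; all group and user data below are constructed.

```python
"""Reconcile AWS access-group membership in Grouper against an expected roster.
Added example, not CU's own tooling; all group names and user IDs are constructed."""
from dataclasses import dataclass


def parse_group_name(name: str) -> tuple[str, str]:
    """Split '<AWS account alias>-<Role>' into (alias, role).

    Assumption: the role is everything after the LAST hyphen, so an account
    alias may contain hyphens but a role name may not."""
    alias, sep, role = name.rpartition("-")
    if not sep or not alias or not role:
        raise ValueError(f"not an <alias>-<Role> group name: {name!r}")
    return alias, role


@dataclass(frozen=True)
class Drift:
    group: str
    unexpected: frozenset[str]  # in the Grouper group but not on the roster
    missing: frozenset[str]     # on the roster but not in the Grouper group


def reconcile(grouper: dict[str, set[str]], roster: dict[str, set[str]]) -> list[Drift]:
    """Return one Drift per group whose actual membership differs from the roster.

    Groups present on only one side are still compared (against an empty set),
    so a group nobody expected, or a roster entry with no group, is reported."""
    drifts = []
    for group in sorted(set(grouper) | set(roster)):
        parse_group_name(group)  # reject malformed names before trusting them
        actual = grouper.get(group, set())
        expected = roster.get(group, set())
        if actual != expected:
            drifts.append(Drift(group, frozenset(actual - expected), frozenset(expected - actual)))
    return drifts


# Constructed sample data: what Grouper currently holds vs. who should be there.
GROUPER = {
    "awsucob0myaccount-MyRole": {"user01", "user02", "user99"},
    "awsucob0myaccount-ReadOnly": {"user01"},
}
ROSTER = {
    "awsucob0myaccount-MyRole": {"user01", "user02"},
    "awsucob0myaccount-ReadOnly": {"user01", "user03"},
}

if __name__ == "__main__":
    for d in reconcile(GROUPER, ROSTER):
        alias, role = parse_group_name(d.group)
        print(f"{alias} / {role}: remove {sorted(d.unexpected)}, add {sorted(d.missing)}")
```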

User Types

Every person at CU has an Identikey user that is used for daily work, like checking email and logging into campus portals. When a person has duties that require increased privileges, they are usually provisioned with a “super user” (SU) account that is separate from their Identikey. This supports the security best practice of separating privileged administrative activities from unprivileged work. SU accounts are preferred for all AWS cloud administration.

Important

We recommend all AWS cloud administration be done using SU accounts. When adding users to AWS access groups in Grouper, choose the SU accounts of your team members instead of their regular Identikeys. If any team members need a new SU account, they may request one here.

Adding Users

AWS customers can add team members as Administrators to their AWS account. This is done using CU’s Grouper Tool. Note that changes can take up to 15 minutes to take effect.

  1. Navigate to the Grouper Group for your AWS Account using one of the following methods:

    Method 1: Use the direct link that was sent to you in your welcome email to go directly to the group you wish to administer, and log in using your CU IdentiKey.

    Method 2: Go to the My Grouper Groups view in Grouper. Log in using your CU IdentiKey. Filter for AWS (if you can’t find your group easily). You will see a list of groups that you can administer. Select the Group for your AWS Account.

    (Screenshot: the Grouper "My groups" page with the AWS filter applied)

  2. In the “Members” tab view, click the “Add members” button.

    (Screenshot: the Grouper "Add members" button)

  3. In the “Member name or ID” field, enter the user’s CU IdentiKey and select the matching entry.

    (Screenshot: the Grouper dropdown box for selecting members to add to a group)

  4. Click the “Add” button.

    (Screenshot: the Grouper "Add" button for adding the selected member to a group)

  5. Verify that the new user shows up in the table.

    (Screenshot: the Grouper group membership page with a sample user circled in red)

Removing Users

A user’s access to the AWS account is revoked by removing them from the Grouper Group.

  1. Log in to the Grouper Group, as described above, using your CU IdentiKey.

  2. In the “Members” tab view, place a check next to the user(s), and click the “Remove selected members” button.

    (Screenshot: the Grouper group membership page with a sample user checked for removal)

  3. Verify that the user(s) no longer appear in the table.