GridGrouper is a group/virtual organization management solution for the Grid, providing a group based authorization solution for the Grid, where grid services and applications enforce authorization policy based on membership to groups defined and managed at the Grid level. Grid Grouper is built on top of Grouper an internet2 initiative focused on providing tools for group management. Grouper is a java object model which currently supports: basic group management by distributed authorities; subgroups; composite groups (whose membership is determined by the union, intersection, or relative complement of two other groups); custom group types and custom attributes; trace back of indirect membership; delegation. Applications interact with Grouper by embedding the Grouper's java object model within applications. Grouper does not provide a service interface for accessing groups. Grid Grouper is a grid enabled version of Grouper, providing a web service interface to the Grouper object model. Grid Grouper makes groups managed by Grouper available and manageable to applications and other services in the grid. Grid Grouper provides an almost identical object model to the Grouper object model on the grid client side. Applications and services can use the Grid Grouper object model much like they would use the Grouper object model to access and manage groups as well as enforce authorization policy based on membership to groups.
In Grouper/Grid Grouper groups are organized into namespaces called stems. Each stem can have a set of child stems and set of child groups with exception to the root stem which cannot have any child groups. For example let's take a university which is compromised of many departments each of which has Faculty, Staff, and Students. In terms of organizing the university in Grid Grouper, a stem could be created for each department, each department stem would contain three groups one for each Faculty, Staff, and Students.