Grouper Call of April 10, 2024

Attending 

• Chris Hyzer, Penn, Chair
• Vivek Sachdiva, independent
• Shilen Patel, Duke
• Carey Black, Purdue
• Gail Lift, University of Michigan

• Chris Hubing, Internet2

Administrivia

• Internet2 Intellectual Property Policy
• Review AIs  Grouper Project Action Items (Google Doc)
  
  

InCommon Basecamp is June 3-7, 2024 (online only)

• https://incommon.org/academy/camp-meetings/basecamp/

DISCUSSION

Administrivia

• Internet2 Intellectual Property Policy
• Review AIs  Grouper Project Action Items (Google Doc)

InCommon Basecamp is June 3-7, 2024 (online only)

Current Work

Vivek

• There are many dependencies that should be considered when deleting
• Worked on deleting a folder or a group and what rules are associated.
• Shows rules outside of the hierarchy
• Question: Can I jump to a rule to modify it? Might want to tweak the rule
• Answer : makes sense to add an assignment column
• AI  Vivek will add assignment column to his work on deleting folder or group
  
  
• Vivek worked on these Jiras:
  
  
• GRP-5303  underlying database connection issues are masked in logs in certain circumstances
• GRP-5304  do not flush ehcache controller when clearing caches if it is not alive

• Next tasks: go over rules, test privileges
  
  

ABAC work upcoming potentially

• U Michigan is working on ABAC and may have some requests around the expressions, 
• 80 job codes, need a good way of easily saying anything in this list counts.  
• Suggestion to re-use a set of values across policies? 
• Basis attribute values, make into something more institutionally recognized.  
• But job codes may be very specific per department
• Have a list for “my workspace” ? 
• Use intermediate groups?  
• Some things are extractable and some are not
• Gail will work through the use cases
• Chris: we hope to eliminate need for so many “ORs” , use wildcards perhaps
• Use dynamic attributes potentially 
• Hope to get real time attribute changes to propagate to policies.

Shilen

• Visualization work  
  • GRP-5401   Visualization with member criteria
  • When visualizing a group or folder, want a way to include a user, a member yo uare searching for,
  • if user is in a group, then group is green, otherwise it’s red
  • Colors were already used for other purposes 
  • Some colors changed to borders
  • Legend is used to explain
  • Question on ADA compliance
  • Shilen will add an alternate form of indicating 
  • Suggestion to add a marker on the box, that says “is present”
  • Suggestion to change the way color and hue and shading are used
  • Text at bottom should have all the info
  • Shilen will remove the use of red, implement pink 
    
  • Add “entity in group” text
    
    
•  Performance testing  
  • Shilen got test instance set up
  • Both postgress and openLDAP are crashing
  • Spends a lot of time on one section of provisioner
  • Need different VMs? (currently using one VM for Daemons, postgress and open LDAP)
  • Shilen will do more work on this
    
    

Apache Directory Studio security

• Chris Hyzer has question on Apache Directory Studio security and restrictions looking at attributes
• Chris Hubing may have some insight to this, using LDIFs
• Not allowed to walk structure, must do a blind search
• AI Chris Hubing will consult with Paul Caskey on Apache Directory Studio attributes security issu and let Chris Hyzer know. 

Chris

• Need to go to Tomcat 9. Push that out to v4 and v5
• Has anyone installed Selenium in Rocky? 
• AI Chris Hubing will look into whether anyone has experience with Selenium in Rocky
• WebISOGET is a simplified approach 
• Chris Hubing suggests: Come up with list of test cases
• U Michigan has used Selenium for testing
• Discussion of Duo, Kubernetes
  
  
• Chris fixed Attestation Group Save issue
  • GRP-5396
    AttestationGroupSave.assignMarkAsAttested() does not work

Issue Roundup

JIRAs

• GRP-5401
  Visualization with member criteria
  
  
• GRP-5400
  Template V2 tests fail: "gshTemplateOwnerType is a required field"
  
  
• 
  GRP-5399
  SCIM attributes for ServiceNow
  
  
• 
  GRP-5398
  mysql and oracle have grouper_sql_cache_group disable_on column as non null, should be nullable
  
  
• 
  GRP-5397
  Veto invalid permission assignments based on attribute name
  
  
• 
  GRP-5396
  AttestationGroupSave.assignMarkAsAttested() does not work
  
  
• 
  GRP-5395
  upgrade tomcat to 9.0.87 since 8.5 is EOL
  
  
• 
  GRP-5394
  error deleting, adding data field
  
  
• 
  GRP-5393
  when abac data fields / rows / providers are edited in the UI, need to update the database aliases
  
  
• 
  GRP-5392
  remove uesrSearchFilter from ldap provisioner config
  
  
• 
  GRP-5391
  Foreign key constraint missing from Oracle upgrade DD 0
  
  

Wiki updates in past 2 weeks

• Grouper Deployment Guide

• Deploying Grouper

• Community Contributions

• Navigation

• Grouper TIER Packaging

• Grouper Wiki Home

• Grouper - Loader LDAP

• Grouper Demo

• Grouper Administration Guides

• Grouper membership eligibility requirements

• Creating a policy group (run template)

• Operational Considerations

• Grouper UI - attribute name editor

• Grouper UI - Types on objects

• Create a new folder

• Grouper UI - Folder attribute view and edit

• Move a group in Grouper UI

• Grouper book - Installation of core components

• Grouper attribute framework

• Grouper data cleanup

• Grouper Maintenance

• Grouper Monitoring

• Grouper Auditing

• Grouper health check endpoint (healthcheck, stav5 Release Notes

• Grouper custom template via GSH user membership history

• Grouper health check endpoint (healthcheck, status, diagnostics)

• Grouper Product Roadmap

• Versioning & Support Policy

• Tools & Topics for Ongoing Administration

• Grouper UI - attribute action editor

• LDAP Subject API example

• Grouper rules

• GrouperBook

• Grouper ABAC membership cache tables

• Grouper deprovisioning settings on objects

• Advanced Access Management Techniques

• Grouper UI - Templates

• Grouper UI - Template wizard - Policy group

• Access Management

• Getting Ready for Production with Grouper

• Access Management Features Overview

• JEXL script tester

• Grouper UI - Assign/view permissions

• Contact Information

• Grouper UI - Delete Folder

• Grouper UI - Auditing

• Grouper UI - Membership View Advanced Options

• Grouper UI - Composites

• Grouper UI - subject API diagnostics

• Grouper UI - Check version

• • Grouper UI - Assign/view permissions

• • Grouper UI - attribute action editor

• • Grouper UI - Folder attribute view and edit

  • Grouper Community

  • Grouper - How to guides

  • Getting Started with Grouper

Next Grouper Call: Wed. 24, 2024