Minutes: Grouper call of Wed. Dec 4, 2013


Chris Hyzer, U. Penn (stand-in chair)
Jim Fox, U. Washington
Bill Thompson, Unicon
Dave Langenberg, U. Chicago
Shilen Patel, Duke
Emily Eisbruch, Internet2, scribe

New Action items

[AI] (All) Read Chris's email of Nov. 21, 2013 re penetration test results

[AI] (Shilen) email the Grouper users list about import and export approaches

Carry Over Action items

[AI] (Shilen) email Jim and Chris about what calls are needed for CIFER API for Duke's project

[AI] (DaveL) work on the PSP aspect of GRP 914.

[AI] (Andrew) let us know what emerges from the Apereo security notification process work.


Grouper Security

The Grouper team is asked to look at the Chris Hyzer email of Nov. 21 on penetration testing and the web inspect report.
We need to determine if there are items to add to JIRA related to these results.

[AI] (All) Read Chris's email of Nov. 21, 2013 re penetration test results

Data Guard

Chris is working on a project to have a third Grouper database at Penn, to be housed off site. This will address an issue with the current data guard being subject to outage in the case of a fail over, where there is a need to turn it off and then back on. With a third database, housed offsite, one of the three databases will always be available. The plan also involves running Grouper on an offsite app server.

Bad Membership Finder utility: GRP-945

Shilen reported that JIRA 945 is taken care of.

Deleting a group now removes a bad membership. Also the Bad Membership Utility will address the issue.

Grouper message-based provisioning

Are there design ideas we should consider adding to PSP or to a new changelog consumer for LDAP/AD/SCIM provisioning?
Some sites may be putting change log information onto the message queue, though this is not recommended.
A possible approach would be to convert change log messages to JSON and then send them.
As part of CIFER, it would be helpful to look at how to generate messages like the representations from web services (resource representations).

Grouper v 2.2

Grouper UI (Chris)

Chris has finished developing the screen for add/remove folders/groups to favorites.
He is also making good progress on the folder move/copy screen.
Chris will soon get Shilen's changes and update the database and demo server.

SCIM - no progress to report at this time.

Legacy attribute migration

On a previous call, it was decided that in Grouper 2.2, if new group types are created and privileges are not explicitly added, then any new privileges, such as the privilege to view the group type, should be in effect. Shilen has completed that work.

Does it make sense to add security to the group type finder methods?
Decision was not to do that for now.

Shilen's next task is to look at the XML import and export.
Shilen asked: should it be allowed to import the old format into the new database (export 2.1 and import into 2.2)? Or should it be required that sites follow the migration instructions? It was agreed that some sites will want to do an export and import. However, one problem is that export and import does not handle every column of every table. Dave will suggest to the people managing Grouper at U. Chicago not to do the export import.

[AI] (Shilen) email the Grouper users list about import and export approaches.

Grouper Roadmap

The group reviewed the roadmap. Did not find any substantive changes to make.
Bill added a link to the CAS / Shiro / Grouper proof of concept work:

Discussion included these thoughts:

Kuali KIM / Grouper integration:
- There is a Grouper / KIM integration that works for a KIM version being used at Penn
- If KIM will be used in CIFER, then more work may be needed

Grouper / uPortal integration
- Bill: There is some thought that with the new Grouper UI, uPortal might rely on Grouper as the default for group management and pare down the native Group Management in uPortal

Provisioning Connectors

- At Identity Week and elsewhere there was discussion of account provisioning
- There is interest in using Grouper to set up a Google account or an AD account etc.
- What about some kind of extended UI in Grouper that would allow an admin to configure a group to be provisioned?
- To trigger provisioning to a downstream system such as AD or LDAP?
- This question partly came out of discussions with a college running the old Sun IDM.
    - The college has a feed from their systems of record and creates groups from the data in that feed.
    - Based on those groups, it provisions accounts to Google and AD.
    - The college is thinking about a replacement for that Sun IDM.

- U. Washington does something similar
- A group can get checked to be exported to a Google Group
- U. Washington has a tab on the user interface that allows one to check "I want this group to go to Google"
- Then it allows you to specify which of the 4 levels of access you want for the group in Google.
- The UI puts that as an attribute on the group.
- The message on the message bus includes that info on how to provision to the Google Group
- The UI must support such settings for every target system
- UW also exports to Microsoft Exchange, so the UI has settings for Google and Exchange coded in

- The actual provisioning is a task of the downstream system receiving Grouper messages. The account provisioning is not a Grouper function
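As an added illustration of the two ideas above (converting change log entries to JSON messages, and letting a marker attribute on the group carry the target and access level the downstream provisioner needs), this sketch is not Grouper's own code; the attribute names, the change-log record shape and the constructed sample groups are assumed for the example.

```python
"""Change-log consumer sketch: turn Grouper membership changes into one JSON
message per provisioning target, driven by marker attributes on the group.
Added illustration, not Grouper's code; attribute names and record shape are assumed."""
import json

# The 4 Google Group access levels the UI might offer (names are assumed).
GOOGLE_ACCESS_LEVELS = ("owner", "manager", "member", "public")

# Constructed sample of group attributes as a UI might store them (assumed names).
GROUP_ATTRIBUTES = {
    "example:staff:helpdesk": {"provision:google": "member", "provision:exchange": "true"},
    "example:staff:private": {},  # no marker attribute: nothing goes downstream
}


def targets_for_group(group_name, attributes=GROUP_ATTRIBUTES):
    """Return the targets (with their options) that a group is marked for."""
    attrs = attributes.get(group_name, {})
    targets = []
    level = attrs.get("provision:google")
    if level is not None:
        if level not in GOOGLE_ACCESS_LEVELS:  # reject a bad UI value rather than pass it on
            raise ValueError(f"unknown Google access level {level!r} on {group_name}")
        targets.append({"target": "google", "access": level})
    if attrs.get("provision:exchange") == "true":
        targets.append({"target": "exchange"})
    return targets


def change_to_messages(change, attributes=GROUP_ATTRIBUTES):
    """Convert one change-log entry (dict with type, group, subject_id, sequence)
    into a list of JSON strings, one per marked target; unmarked groups yield []."""
    if change["type"] not in ("add_member", "delete_member"):
        return []  # other change-log types are not provisioning events here
    messages = []
    for target in targets_for_group(change["group"], attributes):
        body = {
            "action": change["type"],
            "group": change["group"],
            "subjectId": change["subject_id"],
            "sequence": change["sequence"],  # lets the receiver spot gaps and replays
        }
        body.update(target)
        messages.append(json.dumps(body, sort_keys=True))
    return messages


if __name__ == "__main__":
    sample = {"type": "add_member", "group": "example:staff:helpdesk",
              "subject_id": "jdoe", "sequence": 1001}
    for m in change_to_messages(sample):
        print(m)
```

The account creation itself stays with the system that receives these messages, as the notes say; the consumer only decides whether and what to send.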

Dave: At U Chicago we have looked at taking Subject API info and sending it to a system and saying "create this account"
Need to have subject configuration, so the right info is available to the API

Chris: This involves the new UI and how marker attributes are put on groups.
If we develop a good UI for attributes and attributes on attributes, it might be possible.

Scaling REST Web Services and DNS Load Balancing

Concerning scaling REST Web services (an unassigned item on the roadmap), Chris asked if DNS load balancing could be helpful.

Next Grouper Call: Wed. Dec. 18 at noon ET
