Grouper Working Group Face-to-Face Session
Internet2 Fall Member Meeting in Atlanta
November 1, 2010
Tom Barton, working group chair, welcomed the attendees.
- Internet2 Intellectual Property Rights
- Agenda bash, topics of interest
- Documentation Update
- What's new in Grouper 2.0
  - Point in time audit (Shilen Patel)
  - Ldappc-ng integration with changelog and attribute framework (Tom Zeller)
  - Rules (Chris Hyzer)
  - Federated users (Chris)
  - Grouper roadmap (TomB)
- Discussion Topics
  - Reflecting Subjects into Grouper
  - Provisioning Groups beyond LDAP, beyond Campus
  - Topics suggested by attendees:
    - Grouper Project Governance
    - What is not in scope? Is it supposed to become an entire IdMS?
Grouper Documentation Update
Tom Barton expressed appreciation to Ann Kitalong-Will and others for their work in reorganizing the Grouper wiki. The reorganization makes it easier to find things. The new Grouper wiki structure has been partly modeled after the Shibboleth wiki.
Thanks to Grouper contributor Rob Hebron from Cardiff University for taking on the project of writing an ebook on Grouper, called "Getting Started with Grouper." Comments on Rob's work to date are welcomed.
New in Grouper 2.0
The current release of Grouper is Grouper 1.6.
The next major release of Grouper will be Grouper 2.0.
Shilen described two of the new features coming in Grouper 2.0: point in time audit and flattened notifications.
Point in Time Audit
- Point in time audit allows one to query the state of memberships and permissions in Grouper at a specific time.
- Point in time audit is different from user audit, which highlights high-level actions.
- It's possible to use GSH or Java API to do point in time audit. Capability to use web services and UI for point in time audit may be added.
- Point in time records are populated by the change log daemon.
- Flattened notifications for memberships were part of Grouper 1.6.
- Due to performance concerns, the way flattened notifications are handled will change for Grouper 2.0.
- In Grouper 2.0, flattened notifications will be based on point in time records, originating from the change log.
Ldappc-ng Integration with Change Log and Attribute Framework
- Ldappc-NG integration involves interfacing with the Grouper change log for the purpose of provisioning data.
- The Grouper attribute framework extends Grouper to support information beyond just groups, such as permissions.
- Oracle supports SPML.
- SPML is not used widely in higher ed; Higher ed uses SAML more widely
- It makes sense to leverage SAML as well as SPML
- First step is to express the Grouper change log as SPML
- TomZ became dissatisfied with the Java library. He is getting help from Chad, learning how things were done with OpenSAML.
- UNC-Chapel Hill has provided another SPML library
- The next step will be to write changes and roles to Shibboleth (via Java, web services or SPML) for provisioning.
- Using SAML "change notify" could become another possible avenue.
- TomZ has developed a method of provisioning via the Shibboleth Attribute Resolver
- U. Washington is using a service bus to provision data. There is a need for queuing. SPML or SAML could be used.
- RL Bob noted that provisioning to the cloud is a key area for a lot of campuses.
Provisioning Use Cases Needed
- SPML standards body is looking for examples/use cases from people who have experience with SPML version 2. There don't seem to be complaints, however there is a lack of adoption.
- There is a need for provisioning use cases in general.
- U. Wisconsin uses Oracle identity management, which leverages SPML
Chris Hyzer's Report
Chris has been working on the Rules Engine, Federated Users, the Penn Grouper workflow, uPortal integration, and the CMU Permissions MACE-paccman use case.
- Rules in Grouper are attributes on objects to fire at certain times (e.g. when a membership is removed from a group)
- A rule that fires can optionally check to see IF other things are true.
- If so, it fires the "THEN" part of the rule.
- "ACT AS" part of the rule can be used to enforce security.
- There is a daemon component to run periodically, to ensure that rules have been enforced throughout the database, not just when the trigger event (e.g. a membership removal) happens.
- This daemon can clean up the things that already existed before the rule was added.
- Rules are in some ways like hooks, but hooks are Java plug-ins.
- Rules don't require Java, they can be written in expression language, and rules can be configured by end users.
- Chris's slides show a set of use cases that can be solved by initial implementation of rules (disabled date activation, etc.)
Jim Fox suggested that a test mode should be added for rules. This could be added to the roadmap.
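As an added illustration of the check / IF / THEN / ACT AS structure described above (this is not from Chris's slides or the meeting; the group names, the subject id and the rule-attribute helper names used here are my assumptions based on the Grouper rules API as I recall it from the 2.0 line), a GSH script that attaches a rule to a group:

```java
// Added example, not part of the meeting notes. Assumed group names: "apps:payroll:all"
// (the owner group the rule is attached to) and "apps:payroll:staff" (the group being watched).
// Helper names on RuleUtils / RuleCheckType / RuleIfConditionEnum / RuleThenEnum are
// assumed to match Grouper 2.0; verify against your Grouper version.
import edu.internet2.middleware.grouper.*;
import edu.internet2.middleware.grouper.rules.*;

grouperSession = GrouperSession.startRootSession();

// Owner group: the rule lives here as an attribute assignment (rules are attributes on objects).
ownerGroup = new GroupSave(grouperSession)
    .assignName("apps:payroll:all")
    .assignCreateParentStemsIfNotExist(true)
    .save();

// Attach the rule attribute to the owner group.
attributeAssign = ownerGroup.getAttributeDelegate()
    .addAttribute(RuleUtils.ruleAttributeDefName())
    .getAttributeAssign();
values = attributeAssign.getAttributeValueDelegate();

// ACT AS: the rule runs with this subject's privileges, so it can do no more than
// that subject could do by hand. Using a narrower subject than GrouperSystem is the
// least-privilege option where a dedicated service subject exists.
values.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
values.assignValue(RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

// CHECK: trigger when a membership is removed from the watched group.
values.assignValue(RuleUtils.ruleCheckOwnerNameName(), "apps:payroll:staff");
values.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipRemove.name());

// IF: only fire when the subject still holds a direct, enabled membership in the owner group
// (there is nothing to remove otherwise).
values.assignValue(RuleUtils.ruleIfConditionEnumName(),
    RuleIfConditionEnum.thisGroupHasImmediateEnabledMembership.name());

// THEN: remove the subject from the owner group as well.
values.assignValue(RuleUtils.ruleThenEnumName(),
    RuleThenEnum.removeMemberFromOwnerGroup.name());

// Grouper validates the rule on assignment; a value other than "T" describes what is wrong.
System.out.println("rule valid: " + values.retrieveValueString(RuleUtils.ruleValidName()));
```

Because the rule is an attribute assignment rather than compiled Java, an administrator can add it without a deployment, and the periodic rules daemon mentioned above will also apply it to memberships that predate the rule; checking the `ruleValid` value after assignment is the quick way to catch a mistyped enum or group name before the trigger ever fires.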
Grouper Federated Users
- For sites where the IdM system does not already support federated users, the plan is to store some identity info for federated users in the Grouper DB.
- This may be modeled to some extent on how COmanage handles federated users
- An external subject table and an external subject attribute table will be used.
- There will be a self-service registration option and an invitation option, or an admin can input an external user if the EPPN is known.
- Some external users may need to go to ProtectNet if they don't have a sign on from their institution
- RL Bob asked about the use case where an admin wants to add people and wants to let them get their federated ID later.
- Chad suggested making the identifier field quite large. 40 characters is not enough.
Grouper and Kuali Rice Integration
- Grouper Kuali Rice integration facilitates use of Kuali workflow
- U. Penn has been using this integration to pilot eforms, and the simple workflow needed for approval
- The plan at U. Penn is for eforms to replace paper forms using Grouper and Rice eDoc Lite.
- For further details, see Chris Hyzer's 9-Nov-2010 Kuali Days presentation: "Kuali eDoclite and Grouper for access forms workflow at Penn"
Grouper uPortal integration
- Grouper uPortal integration will be similar to the Grouper Kuali integration
- Secure portlets to Grouper groups will be used
- U. Chicago has developed a connector. The Grouper team and Unicon are extending it.
Permissions Use Case for CMU
- Chris developed a detailed response to a CMU billing permissions use case.
- The case involved four ways to view someone's bill, including delegation
- Details are at:
- The data for this use case can be seen on the Grouper demo server.
- A possible gap involves hosting the decision logic at a central point. To address this gap, there is discussion of having a generic pluggable web service call.
Q: What is out of scope for Grouper? Can Grouper be used as a full IdMS?
TomB said the intention is to focus Grouper towards a narrower mission having to do with access management.
LIGO may be interested in using Grouper - together with LDAP and LDAPPC - as an IdMS.
A difference between the LIGO Virtual Organization and most campuses is that campuses have two independent business systems.
RL Bob stated that a lot of systems have stood in for IdM systems, including LMS systems such as Blackboard.
U-W had performance problems with external subjects and reflected them into Grouper and that worked fine. Should this be a standard option in the system? What about maintaining the freshness of the replicated data?
Links to Grouper-Related Track Sessions at FMM
Using Grouper: Campus Case Studies
Delegated Access Control in AD Using Grouper