Notes from Grouper Working Group at 2011 Fall Member Meeting in Raleigh
Tom Barton, University of Chicago, welcomed the group and provided an overview:
- Grouper is an open source, community-driven project of the Internet2 Middleware Initiative
- Originally focused on robust management of groups
- Grouper v2.0 provides a broader set of access management capabilities, including roles and permissions.
New and Improved in Grouper 2.0
• Attribute and Permission UIs
• Permission Disallow
• Permission Limits
• Point in Time Audit
• External Subjects
• Syncing Groupers
• Member Search and Sort
• Ldappc-NG enhancement
Roadmap for Grouper v2.1
• Real-time incremental LDAPPC-NG
• LDAP Grouper Loader
• Grouper entities in namespace
• Hibernate upgrade
• Grouper WS/client group/stem finder sorting / paging
- Under discussion:
• Subject attribute WS security
• Always available read-only client
• Grouper WG attribute/permissions expansion
• uPortal integration update
• UNIX GID management
Roadmap for Grouper v2.2
• New UI
• Collecting objects in Grouper into a "service"
• Other stuff not done from Grouper 2.1 Roadmap
• Externalizing Shib release policy into Grouper
• FIFER Service
• Your item here
Suggestions/Comments from the Group
- Leif Johansson, NORDUNET, suggested that Grouper provision groups like OAuth does.
A reference is the VOOT protocol, a subset of the OpenSocial protocol: https://github.com/andreassolberg/voot/wiki/Protocol
- University of California System is interested in workflow tools to get data into groups. The workflow tools don't have to be part of Grouper, but integrated with it.
- University of California System is also trying to bring information about permissions at UC schools together into one place and provision groups into the central system. UC could sync across Grouper instances.
- Grouper may have enough connecting bits that custom code would not be needed to get permissions populated, but it would be good if a campus could try this out.
- It would be great to have a catalog of services/applications that people could review and request access to. This may be naive, but could have merit. There's now a Grouper request process that campuses can use to fulfill requests.
Q: Can the UI work be moved up in the schedule?
A: Yes. Currently, the Grouper development team is working on the process for how to determine requirements for the UI. If you're interested in this, please join the upcoming Grouper-Dev calls.
Q: Can an external subject assign groups and members etc.?
Q: What is being done on outreach to scientific projects that tend to reinvent the wheel?
A: The Grouper Project Team understands the additional need for more outreach and training and is working on plans.
- Grouper needs better packaging and an easier install. The developers understand this and may move the Grouper Loader into the web services. LDAPPC-NG has potential for more generic business system integration, so it may still be kept separate.
- Grouper would benefit from a third-party support organization. Campuses need third-party support to build the case for management. Unicon is talking internally about Grouper support, but is not sure about the demand and would be interested in more information about this.
Q: Can organizations engage Unicon directly without a formal support program?
A: Unicon would support Grouper if someone requested it.
Q: Group naming is the biggest issue with deployment. Can group naming be changed later?
A: Yes, it's possible.
Grouper website: http://www.internet2.edu/grouper/
Grouper wiki: https://spaces.internet2.edu/display/Grouper/Grouper+Wiki+Home
Grouper 2.0: http://www.internet2.edu/grouper/software.html
Please share your Grouper story and documents on the Grouper Community Contributions page at: https://spaces.internet2.edu/display/Grouper/Community+Contributions