
Grouper Product Roadmap

This roadmap sketches substantial and significant functional enhancements to Grouper and aligns at least some of them with future releases. It is (always!) a work in progress, subject to the considerations and requirements of participants in the Grouper Working Group. It is also a proposition: it represents the default plan that the Grouper core developers will attempt to implement.
Items that have fallen off the roadmap appear further below with some explanation as to why.

Release

Tentative date or time frame

1.6

Released June 2010

2.0

Released September 2011

2.1

Released March 2012

2.2

Released July 2014

2.3

Released April 2016

2.4

Scheduled for Jan 2018

Release

Item

Description

2.4 (done)

Add new messaging strategies

Add new messaging strategies in the Grouper Messaging system for ActiveMQ, AMQP (e.g. RabbitMQ), AWS

2.4 (done)

Attestation

Groups and folders can be marked to require periodic membership review. Reminders will be emailed to group owners

2.4 (done)

TIER API in installer

The TIER API TomEE service is installed with the Grouper installer

2.4 (done)

Grouper loader in UI

User interface to show loader configuration, diagnostics, logs, wizard editor

2.4 (done)

Subject source diagnostics in UI

User interface to analyze, diagnose, and recommend improvements for subject source configuration

2.4 (done)

Harmonize configuration

Convert sources.xml and ehcache.xml to be cascaded properties files

2.4 (done)

Grouper loader real time updates

Allow a change log table (SQL triggers) or messages to trigger loader updates for a partial population or a single user

2.4 (done)

Grouper instrumentation

Improve and standardize Grouper logging to provide centralized metrics at an institution and the ability to upload stats to a central Internet2 server

  • Around Dec 2016, make the patch default to on
  • Add features: number of loader jobs, hourly stats of number of users (UI/WS) [rate information, not just count], collect configuration (non-sensitive), performance (e.g. thread count of loader jobs, heap size), operations per time period for PSPNG / LDAP server, how many messages, subject source type
  • UI so administrators can see local stats
2.4 (done)

TIER packaging for 2.4

In the TIER packaging for Grouper, create a Grouper Docker container, integrate Grouper with Shibboleth, configure PSPNG, configure user registration with COmanage

2.4 (done)

UI accessibility

Incorporate recommendations from the Colorado UI accessibility review

2.4 (done)

Improve GSH

Improve GSH by adding readline-like capabilities (line editing, tab completion, history, etc.). Explore incorporating JLine2 into the current BeanShell approach or possibly adopting groovysh as the base. Nailgun is an option too

2.4 (done)

Inbound messages

Allow Grouper to read a message queue and act on messages (e.g. membership changes etc)

2.4 (in progress)

Deprovisioning

User interface to manage deprovisioning of subjects

2.4 (in progress)

Update third party dependencies

Update third party dependencies and have a strategy to easily do this on each release. Document which libraries are used and their licenses.

2.4 (in progress)

Upgrade vt-ldap to ldaptive

PSPNG to use ldaptive. Use an adaptor

2.4 (in progress)

Finish the new UI, replace admin and lite UI

Add features into the new Grouper 2.2 UI so that everything from the admin UI and the lite UI can be performed in the new UI. Remove the admin and lite UIs (redirect outdated links). Add user-based auditing and overall auditing. Add new features like the ability to easily configure "rules" in the UI

2.4

Provisioning in UI

Manage and view provisioning information in the UI

2.4

Add database columns

Add database columns for group expiry (membership expiry already exists) and membership notes (maybe an attribute instead). Anything else for point-in-time? "visible" flag for UI for groups

2.4

Allow configuration to be stored in database

Allow configuration to be stored in the database so common configuration is shared among all JVMs. Of course some configuration wouldn't be eligible for this (e.g. database connection information, passwords, etc.)

2.4

Require Java 8, Tomcat 8

Standardize on and require Java 8 and Tomcat 8

2.4

Improve pagination in WS

Return the total count. At least change the WS schema for 2.4

2.5

Membership reports

See which users in a group or a folder of groups are not active. Add other attributes. Download reports. Schedule reports.

2.5 (started)

Revise build environment and dependency retrieval

Revise the code environment to get rid of bundled dependencies (retrieve them instead) and of the hybrid builds (Maven and Ant builds, which are hard to keep in sync)

Possible options:

  1. Ivy: keep existing ant scripts and use Ivy for dependency retrieval
  2. Maven: Remove ant build script and let maven drive both the build and dependency retrieval. (create various profiles for each env)
  3. Gradle: Remove ant/maven build scripts. Use groovy scripts to retrieve dependencies and drive the build

Need to figure out versions for each dependency.

2.5

Real time message based loading LDAP by person

Allow messaging to take events to update a user in loader jobs (LDAP)

2.5

Real time message based provisioning

Allow messaging to take events to provision new NetIDs (PSPNG)

2.5

Expire dates

Add expire dates to groups (other objects? attribute definitions? attribute names?) and expose privilege expire dates to WS/UI

GRP-849: add enable/disable dates on groups like memberships and permissions

2.5

Add remaining attribute/permission operations to WS

Add permission hierarchy services for roles, actions. Limits? Any other attribute permission services?

2.5

Provisioning by message

Use a message bus to notify interested parties, including traditional provisioning agents, of group changes. TBD: supported message transports, format of messages, content of messages.  Possible transports include AWS, Azure, ActiveMQ. 

2.5

Membership approvals

Add simple workflow (approval) for an OPTIN or UPDATE operation on a group

2.5

Add dropbox endpoint to PSPNG

2.5?

Add Unicon Azure integration to Grouper

Add the Unicon Azure integration to Grouper.

https://github.com/Unicon/office365-and-azure-ad-grouper-provisioner

2.5?

Add O365 to PSPNG

Need technical requirements first; leverage the existing Unicon work

Not yet assigned

UI warn, restrict, or schedule large operations

If adding a group to another group, maybe warn, restrict, or notify the user that the operation will take a while to provision. Or schedule this for later?

Not yet assigned

Update training videos

Go through training videos and either keep, re-record, annotate, or delete. Identify new training videos to make

On-going

Refine next generation provisioning

Take PSPNG and feedback from the field and add more features, refine it, improve it, etc.

On-going

Grouper Core enhancement

Continue adding capabilities to meet requirements from the field.

On-going

Community contributions

Solicit and publicize community contributions of extensions and complements to Grouper.

Not yet assigned

Register for notifications

Add ability for users to register to be notified of changes to specified objects. Note, there are rules to email users about changes to memberships

Not yet assigned

More provisioning connectors

Add further connectors to reflect specified group, membership, role, and permission information into external systems and services. Include Google provisioning (from the Unicon contribution to the PSPNG)

Not yet assigned

Scaling REST webservice

A page in the Administration guide, Grouper always available web services and client, demonstrates one way to provide always available services using a specialized client.  The CIFER REST web service will need the server-side capability to provide that always-available functionality.  In addition the REST API should be able to access multiple, read-only caches so it can efficiently handle any increase in query requests, most of which will not need to directly access the primary database. PSPNG should be able to provision to a database table, and WS should be able to read from that table (or tables) for simple operations.

Not yet assigned

Improve Grouper startup time

Grouper takes a while to start up in the webapp or the GSH command line. Some ideas were Nailgun for GSH, Javassist byte code enhancement with Gradle, profiling, and making sure Grouper starts in the webapp before the first request.

Not yet assigned

Rules on individual membership

An individual membership could have a rule that it is dependent on memberships in another group, for example

Whatever happened to ... ?

A brief explanation of why some things seem to have disappeared from earlier versions of this roadmap.

What Happened?

Item

Description

Completed in 2.3

Successor to the PSP first pass. Include AD and LDAP connectors

Replacement of the PSP for LDAP/AD

2.3's PSP will deliver provisioning of three different flavors of LDAP targets:

1) Group memberships reflected in LDAP attributes (e.g. an entitlement attribute on the person entry)

2) Group memberships reflected in LDAP groups (groupOfUniqueNames or Active Directory groups): the group contains an attribute (e.g. uniqueMember or member) with the DNs of the LDAP objects corresponding to member Subjects

3) Group memberships reflected in another group schema (e.g. posixGroup): the group contains an attribute (e.g. memberUid) whose values come directly from Subjects, or from an attribute of an LDAP object that is found by searching with Subject attributes

2.3's PSP will deliver much higher provisioning performance.
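As an added illustration of the three flavors (this is not Grouper or PSPNG code), the following Python renders one constructed registry snapshot into each target shape. The subject data, group names, base DNs, gidNumber values and the urn:mace entitlement prefix are all constructed for the example. The practical point it makes: the DN-based flavors (1 and 2) can only provision Subjects that resolve to an LDAP entry, so an unresolvable Subject has to be reported rather than silently dropped, while flavor 3 takes its values straight from the Subject and can include that same Subject.

```python
"""Render group memberships into the three LDAP target flavors described above.

Added example, not Grouper/PSPNG code. All subjects, groups, DNs, the
entitlement URN prefix and the gidNumber values are constructed for the demo.
"""
from typing import Dict, List, Optional, Tuple

PEOPLE_BASE = "ou=people,dc=example,dc=edu"          # constructed
GROUP_BASE = "ou=groups,dc=example,dc=edu"           # constructed
ENTITLEMENT_PREFIX = "urn:mace:example.edu:group:"   # constructed

# Constructed subject source: subject id -> (uid, DN or None when the subject
# has no LDAP entry, i.e. it is unresolvable for DN-based provisioning).
SUBJECTS: Dict[str, Tuple[str, Optional[str]]] = {
    "10001": ("alice", f"uid=alice,{PEOPLE_BASE}"),
    "10002": ("bob", f"uid=bob,{PEOPLE_BASE}"),
    "10003": ("carol", None),
}

# Constructed registry snapshot: group name -> member subject ids, plus a
# constructed GID per group (posixGroup requires gidNumber).
GROUPS: Dict[str, List[str]] = {
    "app:wiki:editors": ["10001", "10002", "10003"],
    "app:vpn:users": ["10002"],
}
GIDS: Dict[str, int] = {"app:wiki:editors": 20001, "app:vpn:users": 20002}


def group_dn(group_name: str) -> str:
    """Simplified naming: the Grouper path becomes the CN (real deployments map this)."""
    return f"cn={group_name},{GROUP_BASE}"


def flavor1_entitlements(groups, subjects):
    """Flavor 1: memberships become values of a multi-valued attribute on the person entry.
    Returns (person DN -> sorted entitlement values, unresolvable (group, subject id) pairs)."""
    per_person: Dict[str, List[str]] = {}
    unresolvable: List[Tuple[str, str]] = []
    for gname, members in groups.items():
        for sid in members:
            _, dn = subjects[sid]
            if dn is None:          # no person entry to write to: report it, never drop silently
                unresolvable.append((gname, sid))
                continue
            per_person.setdefault(dn, []).append(ENTITLEMENT_PREFIX + gname)
    return {dn: sorted(v) for dn, v in per_person.items()}, unresolvable


def flavor2_group_of_unique_names(groups, subjects):
    """Flavor 2: one groupOfUniqueNames entry per group; uniqueMember holds member DNs."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    unresolvable: List[Tuple[str, str]] = []
    for gname, members in groups.items():
        dns: List[str] = []
        for sid in members:
            _, dn = subjects[sid]
            if dn is None:
                unresolvable.append((gname, sid))
                continue
            dns.append(dn)
        entries[group_dn(gname)] = {
            "objectClass": ["top", "groupOfUniqueNames"],
            "cn": [gname],
            "uniqueMember": sorted(dns),
        }
    return entries, unresolvable


def flavor3_posix_group(groups, subjects, gids):
    """Flavor 3: one posixGroup entry per group; memberUid takes the Subject's uid directly,
    so a Subject without an LDAP entry can still be provisioned."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    for gname, members in groups.items():
        entries[group_dn(gname)] = {
            "objectClass": ["top", "posixGroup"],
            "cn": [gname],
            "gidNumber": [str(gids[gname])],
            "memberUid": sorted(subjects[sid][0] for sid in members),
        }
    return entries


def to_ldif(dn: str, attrs: Dict[str, List[str]]) -> str:
    """Serialize one entry as LDIF (add form), for eyeballing or feeding to ldapadd."""
    lines = [f"dn: {dn}"]
    for attr, values in attrs.items():
        lines.extend(f"{attr}: {v}" for v in values)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ent, missing1 = flavor1_entitlements(GROUPS, SUBJECTS)
    for dn, values in ent.items():
        print(to_ldif(dn, {"eduPersonEntitlement": values}))
    groups2, missing2 = flavor2_group_of_unique_names(GROUPS, SUBJECTS)
    for dn, attrs in groups2.items():
        print(to_ldif(dn, attrs))
    for dn, attrs in flavor3_posix_group(GROUPS, SUBJECTS, GIDS).items():
        print(to_ldif(dn, attrs))
    print("unresolvable for DN-based flavors:", sorted(set(missing1 + missing2)))
```

Running it shows carol in the posixGroup memberUid list but absent from both the entitlement and uniqueMember output, with the (group, subject) pair reported instead; a provisioner that only logged "SUCCESS" here would leave the target quietly out of step with the registry.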

Completed in 2.3

Standard authorization TIER API

Define and implement a standard WS API.  This is a CIFER/TIER effort and might be based on SCIM or OAuth2 and might be readonly for 2.3.  This would be a web service and might also include messaging.

Completed in 2.3

Add operations to WS

Add ability to manage attribute definitions, actions, and messaging through web service

Completed in 2.3

Add more features to new UI

Add attribute definitions and folder inheritance to the Grouper UI

Completed in 2.3

Improve Grouper Loader

  • Unresolvables
    • The grouperLoaderLdapErrorUnresolvable option doesn't seem to have any effect. Remove it.
    • Add an option in the loader properties (i.e. globally for all loader jobs) to specify how to deal with unresolvable subjects. If, for a given loader job, there are more than a specified number of unresolvable subjects, the result should be SUBJECT_PROBLEMS; if fewer, SUCCESS.
    • If running the loader via GSH, print out the unresolvable subjects. Make sure they are also being logged to the file.
  • Add the ability for the Grouper Loader to run on multiple nodes so it has better availability, by adding tables for Quartz
  • Look at loader.thread.pool.size: is it used? Can it be added to the Quartz config? Should it be removed from the config file if not?
  • Allow changes to loader configs to be read without having to bounce the loader.

Completed in 2.3

Improve folder privileges

Change folder privileges so that instead of the STEM privilege, there is an ADMIN privilege on folders. The ADMIN privilege would mean you have all rights to the folder: you can rename it, delete it, change privileges, and effectively hold every other privilege. The CREATE privilege would be changed to also include creating folders (in addition to groups and attributes). STEM_ATTR_READ and STEM_ATTR_UPDATE would remain the same. Note, so the name doesn't conflict with the group ADMIN privilege, the stem privilege will be called STEM_ADMIN.

Completed in 2.3

TIER packaging for 2.3

Make a Grouper image for quick start. Link to the TIER Packaging Working Group.

Completed in 2.3.0

Provisioning by message

Use a message bus to notify interested parties, including traditional provisioning agents, of group changes.

Completed in 2.2.1

Grouper installer to upgrade and patch Grouper

Improve the Grouper installer so that it can leverage config overlays to upgrade a grouper environment (or help give steps to upgrade grouper)

Completed in 2.2.1

Namespace Uniqueness Constraint

Active Directory has some constraints regarding the storing of group and membership objects of the same name.  This item would create an optional API-level constraint which would prevent you from re-using a name across multiple objects (stem, group, attribute, etc).

Completed in 2.2

New Grouper UI

Grouper has an administrative UI, the Membership Update Web UI, and as of v2.0, additional Web UIs for attribute, role, permission, and user invitation management. Further, several substantial UIs have been created by Grouper users, usually designed to meet needs in a specifically identified context. This roadmap item is aimed at addressing how Grouper should engage, support, or borrow from these efforts to provide UI capabilities that are closer to contextual needs more often than at present.

Initial substantially complete new UI to be included in v2.2. See Grouper UI Redesign planning page.

Completed in 2.2

Services in Grouper

Add ability to tag objects in Grouper (via the new attribute framework) so that folders, groups, permissions can be grouped into a "service".  The API/UI/WS could filter search results based on the service to make it easier for users to perform tasks in Grouper.  See documentation page.

Completed in 2.2

Improved Grouper configuration

In order to make Grouper more easily deployable across environments, and more easily upgradable, add ability for cascaded config files, and expression language in config file entries.  There can be a default configuration file, and an override file so that only the changes from the default can be tracked in the overlay.  See Grouper configuration overlay.

Completed in 2.2

SCIM interface

Provide group, membership, and group management role information via SCIM, in partnership with SURFnet.

Completed in 2.2

Treat privileges as Group lists

Remove the pluggability of Grouper privileges (Group READ/UPDATE etc), treat them as group lists to improve WS operations, simplify the UI, etc

Completed in 2.2

Unix GID management

Built-in support for managing unix GIDs by assigning a numeric ID to each group and folder.

Completed in 2.2

Legacy attribute migration

Migrate from legacy attributes to the new attribute framework in a transparent way.  The old API and WS and UI should still work correctly.  Plan to migrate lists and hooks as well.

Completed in 2.2

COmanage integration

Work cooperatively with the COmanage project to integrate Grouper within COmanage. Integer group IDs, WS operation tweaks

Completed in 2.2

Subject security realms

Different users might have different privacy requirements for the Subject API. Security by realm is implemented in the JDBC2 source adapter. Callers pass in which "realm" the search should take place in, and the source can adjust how the search takes place, what attributes look like, etc.

Completed in 2.2

Grouper user data

Store information about a user in grouper in a generic way.  e.g. recently used objects.  favorites, etc.

Completed in 2.1

GrouperWS high availability

In-built load-balancing to enable highly available read-only access to the Groups Registry via web services.

Completed in 1.6-2.1

PSP, formerly Ldappc NG

Complete work on the new provisioning connector, built from the Shibboleth Attribute Resolver and SPML components. Integrate with Grouper notifications for asynchronous, incremental updating in addition to periodic batch style updating. Includes specific support for Active Directory. Package a Shibboleth DataConnector for Grouper.

Real-time and incremental provisioning will be added in v2.1.

Consider adding an SPML input to grouper capability.

Completed in 2.1

Dynamic group membership

Dynamically maintain groups and memberships based on LDAP-resident attributes.

Completed in 2.0

Point in Time Audit

Query the state of the groups registry at a prior point in time.

Completed in 2.0

Rules

Declarative triggers that perform changes to the Grouper Registry.

Completed in 2.0

Federated group membership and privileges

Built-in support for memberships and Grouper privileges to be assigned to federated identities.

Completed in 2.0

Federated group management

Enable groups from autonomous Grouper instances to be referenced by and incorporated into another Grouper instance.

Completed in 2.0

PDP

The Grouper permissions web service takes into account allow/disallow and limits to give the decision of access back to the requestor

Completed in 2.0

Lite UI enhancement

Support easier to use end-user UI components in addition to the existing administrative UI. Initial component, for managing membership of a single group, is in v1.5.

In v2.0, add simple management of attributes, roles, and permissions.

Completed in 2.0

Integrate with VOOT

Integrate Grouper with VOOT (group protocol for cloud webapps), experimental...

Completed in 1.6-2.1+

Notification of changes

In v1.6, build on the initial implementation of incremental group, membership, and folder (or namespace) change notifications in v1.5 to provide notification based on flattened group membership to more efficiently enable relying parties to maintain membership lists. Also in v1.6, partner with a deployment using an asynchronous messaging infrastructure (perhaps an ESB) to drive enhancement of the toolkit for that style of data integration.

For v2.0, add flattened membership notification.
Somewhere along the line, add ability for users to register to be notified of changes to specified objects.
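Flattened-membership notification means a relying party is told about changes to a group's effective membership (through nested groups), not only to its direct members. The following Python is an added example, not Grouper code, showing why that distinction matters: it flattens a small constructed registry snapshot, diffs two snapshots, and emits per-group add/delete events. The group and subject names are constructed.

```python
"""Flattened (effective) membership and change notification, as an added example.

Not Grouper code. The registry snapshots below are constructed: a member whose
name is itself a group key is a nested group; anything else is a subject.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

Snapshot = Dict[str, Set[str]]
Event = Tuple[str, str, str]   # (group, subject, "ADD" | "DELETE")


def flatten(groups: Snapshot) -> Dict[str, FrozenSet[str]]:
    """Return each group's effective subject members, walking nested groups.
    Cycle-safe: a group already visited on this walk is not expanded again."""
    flat: Dict[str, FrozenSet[str]] = {}
    for root in groups:
        visited: Set[str] = set()
        subjects: Set[str] = set()
        stack = [root]
        while stack:
            current = stack.pop()
            if current in visited:
                continue
            visited.add(current)
            for member in groups.get(current, set()):
                if member in groups:       # nested group: expand it
                    stack.append(member)
                else:                      # leaf: a subject
                    subjects.add(member)
        flat[root] = frozenset(subjects)
    return flat


def diff_memberships(before: Dict[str, FrozenSet[str]],
                     after: Dict[str, FrozenSet[str]]) -> List[Event]:
    """Events for every per-group membership difference, in a stable order.
    Works for both immediate (direct) and flattened membership maps."""
    events: List[Event] = []
    for group in sorted(set(before) | set(after)):
        old = before.get(group, frozenset())
        new = after.get(group, frozenset())
        events.extend((group, s, "ADD") for s in sorted(new - old))
        events.extend((group, s, "DELETE") for s in sorted(old - new))
    return events


def immediate_events(before: Snapshot, after: Snapshot) -> List[Event]:
    """Direct-membership changes only: what a change log of raw edits carries."""
    return diff_memberships({g: frozenset(m) for g, m in before.items()},
                            {g: frozenset(m) for g, m in after.items()})


def flattened_events(before: Snapshot, after: Snapshot) -> List[Event]:
    """Effective-membership changes: what a relying party keeping a member list needs."""
    return diff_memberships(flatten(before), flatten(after))


# Constructed snapshots: all-staff contains two nested groups.
V1: Snapshot = {
    "all-staff": {"faculty", "it-staff"},
    "faculty": {"alice"},
    "it-staff": {"alice", "bob"},
}
# One edit: in faculty, alice is replaced by carol.
V2: Snapshot = {
    "all-staff": {"faculty", "it-staff"},
    "faculty": {"carol"},
    "it-staff": {"alice", "bob"},
}

if __name__ == "__main__":
    print("immediate:", immediate_events(V1, V2))
    print("flattened:", flattened_events(V1, V2))
```

The flattened diff emits an ADD of carol to all-staff that the immediate change log never mentions, and it emits no DELETE of alice from all-staff because she remains a member through it-staff. A relying party fed only immediate events misses the first; one that naively deletes on any upstream removal gets the second wrong. Emitting the flattened events server-side is what lets the consumer simply apply them.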

Completed in v1.6

Attribute framework

Complement the existing ad hoc attribute on groups with the ability to define and associate attributes of various types to groups, memberships, and folders. Initial release was in v1.5, comprising marker attributes. Additional attribute types in v1.6. Expose attribute framework suitably through web services interfaces in v1.6.

Completed in v1.6

Kuali Identity Management integration

A connector that enables Kuali Rice to delegate group management to Grouper.

Completed in v 1.6

Subject Web Service

Expose Subject API methods suitably via Grouper Web Services so that clients don't have to build their own way to reference Subjects.

Completed in v 1.6

External workflow integration

Integrate Grouper with Kuali Enterprise Workflow (v1.6), and maybe other implementations.

Completed in v1.5

Namespace Transition Support

The hierarchy of folders (or naming stems) in a deployment will change over time. This supports the ability to logically move or copy a group, a selection of groups, or a folder from one folder to another. This complements the capability of the XML Import/Export tool for prune & graft operations for large scale changes.

Completed in v1.5

User Audit

Report on who took which administrative action when.

Completed in v1.4

Extension hooks

Implement infrastructure within the Grouper API to enable independent extension of key internal events. Pre- and post-processing hooks will be provided for each "primitive API operation". This would make certain other tasks more feasible, notably "Notification of changes" in this roadmap and incorporation of a site's business rules.

Completed in v1.4

Enhance Web Services

Solidify the experimental Web Services support released in 1.3.0 based on field experience.

The issue has been resolved with improved Grouper configuration and the cessation of the Signet project.

Configuration and binding framework for I2MI

Identify and implement a framework in which combinations of I2MI components (currently Grouper API, Grouper UI, Grouper Web Services, Signet API, Signet UI, Ldappc, and Subject source adapters) can be easily integrated (not just in a single JVM). This is largely an issue of managing configuration and 3rd party libraries. The Spring application framework is an example of what might be used to address this need.

This was overtaken by the  "Enhance Web Services" item  in the roadmap.

Web service interface facades

Determine which subsets of native API capabilities should be exposed through more focused end points to facilitate access by applications to Grouper- and Signet-provided access management capabilities. Also investigate how facades may be used to manage access to underlying group and privilege management and query capabilities.

Not yet assigned

Further KIM-Grouper integration

Refine the Kuali KIM services interfaces and extend existing integration beyond group-level into roles & permissions.

Not yet assigned

Further uPortal-Grouper integration

Complete Phase II deliverables. Time frame for Phase III deliverables still to be determined in concert with uPortal team.

Not yet assigned

Security plugins

Spring security, Shiro, .NET plugins for Grouper WS that might be able to be distributed with the plugin itself.  Initial proof-of-concept code available: https://spaces.internet2.edu/display/Grouper/Unicon+Grouper+Contributions.
