Grouper Product Roadmap
This roadmap sketches substantial and signal functional enhancements to Grouper, and to align at least some of them with future releases. It is (always!) a work in progress, subject to the considerations and requirements of participants in the Grouper Working Group. It is also a proposition: it represents the default plan that the Grouper core developers will attempt to implement.
Items that have fallen off of the roadmap appear further below with some explanation as to why.
Release | Tentative date or time frame |
1.6 | |
2.0 | |
2.1 | |
2.2 | |
2.3 | |
2.4 | Scheduled for May 2018 |
2.5 | Scheduled for March 2019 |
Release | Item | Description |
---|---|---|
2.4 (in progress) | Deprovisioning | User interface to manage deprovisioning of subjects |
2.4 patch | Provisioning in UI | Manage and view provisioning information in the UI |
2.5 | Add database columns | Add database columns for group expiry (membership expiry already exists), and membership notes (maybe an attribute instead). Anything else for point-in-time? "visible" flag for UI for groups |
2.4 patch | Allow configuration to be stored in database | Allow configuration to be stored in the database so common configuration is shared among all JVMs. Of course some configuration wouldnt be elgible for this (e.g. database connection information, passwords, etc) |
2.5 | Improve pagination in WS | Return the total count. At least change the WS schema for 2.4 |
2.4 patch | Membership reports | See which users in a group or a folder of groups are not active. Add other attributes. Download reports. Schedule reports. |
2.4 patch or 2.5 | Provision lifecycle events | Events (such as admission, enrollment, new hire, etc.) must trigger lifecycle stage transitions, role changes, affiliation changes, etc. Those can then cause other events such as service eligibility. Lifecycle changes or affiliations all precipitate a need for provisioning wherein roles are mapped to services / entitlements. |
2.4 patch or 2.5 | Workflow state groups | The solution must support high level workflows between states. Group memberships transitioning among workflow state groups |
2.4 patch of 2.5 | Separation of duties | The solution must anticipate the possibility of conflicting roles in the case of multiple personae. Also allow overrides of separation of duties |
2.4 patch or 2.5 | Conflicting roles | The solutions must take into consideration that conflicting grants of authority, eg, one source indicating a grant of access and another a denial of access, must be resolvable according to the needs of each application or service context |
2.4 patch or 2.5 | Handle multiple roles | The solutions must enable individuals to have multiple roles/affiliations/relationships/whatever with the institution, each with its own lifecycle and overlapping set of access privileges needed to undertake each role. Statefulness (persistence and preservation of state) must permeate the design goals of all solution components in order to correctly and efficiently manage their access over the course of these multiple lifecycles |
2.5? (started) | Revise build environment and dependency retrieval | Revising code environment to get rid of dependencies and the hybrid builds (Maven and ant builds, hard to keep everything in sync) Possible options:
Need to figure out versions for each dependency. |
2.4 patch or 2.5 | Real time message based loading LDAP by person | Allow messaging to take events to update a user in loader jobs (ldap) |
2.4 patch | Subject source adapter configuration wizard | Have grouper subject source adaptor configuration in the UI like the loader config. Explore including Midpoint and Comanage if useful |
2.5? | Real time message based provisioning | Allow messaging to take events to provision new netIds (pspng) |
2.5 | Expire dates | Add expire dates to groups (other objects? attribute definitions? attribute names?) and expose privilege expire dates to WS/UI. GRP-1807: folder names limited to 255 GRP-849: add enable/disable dates on groups like memberships and permisisons |
2.5 | Add remaining attribute/permission operations to WS | Add permission hierarchy services for roles, actions. Limits? Any other attribute permission services? |
2.5 | Use a message bus to notify interested parties, including traditional provisioning agents, of group changes. TBD: supported message transports, format of messages, content of messages. Possible transports include AWS, Azure, ActiveMQ. | |
2.4 patch | Membership approvals | Add simple workflow (approval) for an OPTIN or UPDATE operation on a group |
2.5? | Add dropbox endpoint to pspng | |
2.5? | Add unicon azure integration to grouper | Add the unicon azure integration to grouper. https://github.com/Unicon/office365-and-azure-ad-grouper-provisioner |
2.5? | Add O365 to pspng | Need technical requirements first, leverage the existing Unicon work |
2.5 | Add bulk operations | Make bulk operations faster, e.g. creating or deleting a list of groups, adding or removing a list of memberships |
2.4 patch | Provision to BMC Remedy | |
2.4 patch | UI warn, restrict, or schedule large operations | If adding a group to another group, maybe warn, restrict, notify user that the operation will take a while to provision. Or schedule this for later? |
2.5? | Copy entitlements to another user | Copy entitlements to another user. Optionally include start and end dates |
2.5? | Automatically clean various things | If a group is marked as a composite ad hoc list (and/or maybe includes / excludes), then if the membership is no longer relevant, then set an end date for some time in the future. Optionally notify. This applies to individual permissions as well. Automatically or manually clean up redundant privs (if assigned to group and individual). Automatically or manually clean up redundant memberships (group and individual) |
? | Add high level help or how tos | For admins or users etc |
? | Auto build TIER structure | Auto build TIER structure |
2.4 patch | Auto-create application | Application security model auto create (readers, updaters, admins, inherited privs). Application template. UI to create the structure. |
? | Direct/indirect should show on policy group | |
? | Security model - documentation and UI opportunities - wizard? | |
? | Can application owners see reference group? via attributes | |
On-going | Update third party libraries | Update third party libraries to the latest version |
On-going | Update training videos | Go through training videos and either keep, re-record, annotate, or delete. Identify new training videos to make |
On-going | Refine next generation provisioning | Take PSPNG and feedback from the field and add more features, refine it, improve it, etc |
On-going | Grouper Core enhancement | Continue adding capabilities to meet requirements from the field. |
On-going | Solicit and publicize community contributions of extensions and complements to Grouper. | |
2.4 patch | Register for notifications | Add ability for users to register to be notified of changes to specified objects. Note, there are rules to email users about changes to memberships |
Not yet assigned | More provisioning connectors | Add further connectors to reflect specified group, membership, role, and permission information into external systems and services. Include Google provisioning (from the Unicon contribution to the PSPNG) |
Not yet assigned | Scaling REST webservice | A page in the Administration guide, Grouper always available web services and client, demonstrates one way to provide always available services using a specialized client. The CIFER REST web service will need the server-side capability to provide that always-available functionality. In addition the REST API should be able to access multiple, read-only caches so it can efficiently handle any increase in query requests, most of which will not need to directly access the primary database. PSPNG should be able to provision to a database table, and WS should be able to read from that table (or tables) for simple operations. |
Not yet assigned | Improve grouper startup time | Grouper takes a while to startup in webapp or gsh command line. Some ideas were nailgun for GSH, javassist byte code enhancement with gradle, profiling, making sure grouper starts in webapp before first request. |
Not yet assigned | Rules on individual membership | An individual membership could have a rule that it is dependent on memberships in another group for example |
Whatever happened to ... ?
A brief explanation of why some things seem to have disappeared from earlier versions of this roadmap.
What Happened? | Item | Description |
---|---|---|
Completed in 2.4 | Finish the new UI, replace admin and lite UI | Add features into the new Grouper 2.2 UI so that everything from the admin UI and the lite UI can be performed in the new UI. Remove the admin and lite UIs (redirect outdated links). Add user based auditing and overall auditing. Add new features like the ability to easily configure "rules" in the UI |
Completed in 2.3 | Require Java8, Tomcat8 | Standardize and require java8 |
Completed in 2.3 | Add new messaging strategies | Add new messaging strategies in the Grouper Messaging system for ActiveMQ, AMQP (e.g. RabbitMQ), AWS |
Completed in 2.3 | Attestation | Groups and folders can be marked to require periodic membership review. Reminders will be emailed to group owners |
Completed in 2.3 | TIER API in installer | The TIER API Tomee service is installed with the grouper installer |
Completed in 2.3 | Grouper loader in UI | User interface to show loader configuration, diagnostics, logs, wizard editor |
Completed in 2.3 | Subject source diagnostics in UI | User interface to analyze, diagnose, and recommend improvements for subject source configuration |
Completed in 2.3 | Harmonize configuration | Convert sources.xml and ehcache.xml to be cascaded properties files |
Completed in 2.3 | Grouper loader real time updates | Allow a change log table (SQL triggers) or messages to trigger loader updates for a partial population or single user |
Completed in 2.3 | Grouper instrumentation | Improve and standardize Grouper logging to provide centralized metrics at an institution and the ability to upload stats to a central Internet2 server
|
Completed in 2.3 | TIER packaging for 2.4 | In the TIER packaging for Grouper, create Grouper docker container, integrate Grouper with Shibboleth, configure PSPNG, configure user registration with COmanage |
Completed in 2.3 | UI accessibility | Incorporate recommendations from Colorado UI accessibility review |
Completed in 2.3 | Improve gsh by adding readline like capabilities (line editing, tab completions, history, etc). Use groovysh instead of beanshell. | |
Completed in 2.3 | Inbound messages | Allow Grouper to read a message queue and act on messages (e.g. membership changes etc) |
Completed in 2.3 | Update third party dependencies | Update third party dependncies and have strategy to easily do this on each release. Document which libraries are used and licenses. |
Completed in 2.3 | upgrade vt-ldap | to ldaptive (PSPNG to use ldaptive). Use adaptor |
Completed in 2.2 | Built-in support for managing unix GIDs by assigning a numeric ID to each group and folder. | |
Completed in 2.2 | Migrate from legacy attributes to the new attribute framework in a transparent way. The old API and WS and UI should still work correctly. Plan to migrate lists and hooks as well. | |
Completed in 2.2 | COmanage integration | Work cooperatively with the COmanage project to integrate Grouper within COmanage. Integer group ID's, WS operation tweaks |
Completed in 2.2 | Subject security realms | Differently users might have different privacy requirements for the Subject API. Security by realm is implemented in the JDBC2 source adapter. Callers pass in which "realm" the search should take place in, and the source can adjust how the search takes place, what attributes look like, etc. |
Completed in 2.2 | Grouper user data | Store information about a user in grouper in a generic way. e.g. recently used objects. favorites, etc. |
Completed in 2.1 | In-built load-balancing to enable highly available read-only access to the Groups Registry via web services. | |
Completed in 1.6-2.1 | PSP, formerly Ldappc NG | Complete work on the new provisioning connector, built from the Shibboleth Attribute Resolver and SPML components. Integrate with Grouper notifications for asynchronous, incremental updating in addition to periodic batch style updating. Includes specific support for Active Directory. Package a Shibboleth DataConnector for Grouper. |
Completed in 2.1 | Dynamic group membership | Dynamically maintain groups and memberships based on LDAP-resident attributes. |
Completed in 2.0 | Point in Time Audit | Query the state of the groups registry at a prior point in time. |
Completed in 2.0 | Rules | Declarative triggers that perform changes to the Grouper Registry. |
Completed in 2.0 | Federated group membership and privileges | Built-in support for memberships and Grouper privileges to be assigned to federated identities. |
Completed in 2.0 | Federated group management | Enable groups from autonomous Grouper instances to be referenced by and incorporated into another Grouper instance. |
Completed in 2.0 | PDP | The Grouper permissions web service takes into account allow/disallow and limits to give the decision of access back to the requestor |
Completed in 2.0 | Lite UI enhancement | Support easier to use end-user UI components in addition to the existing administrative UI. Initial component, for managing membership of a single group, is in v1.5. |
Completed in 2.0 | Integrate with VOOT | Integrate Grouper with VOOT (group protocol for cloud webapps), experimental... |
Completed in 1.6-2.1+ | Notification of changes | In v1.6, build on the initial implementation of incremental group, membership, and folder (or namespace) change notifications in v1.5 to provide notification based on flattened group membership to more efficiently enable relying parties to maintain membership lists. Also in v1.6, partner with a deployment using an asynchronous messaging infrastructure (perhaps an ESB) to drive enhancement of the toolkit for that style of data integration. |
Completed in v1.6 | Attribute framework | Complement the existing ad hoc attribute on groups with the ability to define and associate attributes of various types to groups, memberships, and folders. Initial release was in v1.5, comprising marker attributes. Additional attribute types in v1.6. Expose attribute framework suitably through web services interfaces in v1.6. |
Completed in v1.6 | Kuali Identity Management integration | A connector that enables Kuali Rice to delegate group management to Grouper. |
Completed in v 1.6 | Subject Web Service | Expose Subject API methods suitably via Grouper Web Services so that clients don't have to build their own way to reference Subjects. |
Completed in v 1.6 | External workflow integration | Integrate Grouper with Kuali Enterprise Workflow (v1.6), and maybe other implementations. |
Completed in v1.5 | Namespace Transition Support | The hierarchy of folders (or naming stems) in a deployment will change over time. This supports the ability to logically move or copy a group, a selection of groups, or a folder from one folder to another. This complements the capability of the XML Import/Export tool for prune & graft operations for large scale changes. |
Completed in v1.5 | User Audit | Report on who took which administrative action when. |
Completed in v1.4 | Extension hooks | Implement infrastructure within the Grouper API to enable independent extension of key internal events. Pre- and post-processing hooks will be provided for each "primitive API operation". This would make certain other tasks more feasible, notably "Notification of changes" in this roadmap and incorporation of a site's business rules. |
Completed in v1.4 | Enhance Web Services | Solidify the experimental Web Services support released in 1.3.0 based on field experience. |
The issue has been resolved with improved Grouper configuration and the cessation of the Signet project. | Configuration and binding framework for I2MI | Identify and implement a framework in which combinations of I2MI components (currently Grouper API, Grouper UI, Grouper Web Services, Signet API, Signet UI, Ldappc, and Subject source adapters) can be easily integrated (not just in a single JVM). This is largely an issue of managing configuration and 3rd party libraries. The Spring application framework is an example of what might be used to address this need. |
This was overtaken by the "Enhance Web Services" item in the roadmap. | Web service interface facades | Determine which subsets of native API capabilities should be exposed through more focused end points to facilitate access by applications to Grouper- and Signet-provided access management capabilities. Also investigate how facades may be used to manage access to underlying group and privilege management and query capabilities. |
Not yet assigned | Further KIM-Grouper integration | Refine the Kuali KIM services interfaces and extend existing integration beyond group-level into roles & permissions. |
Not yet assigned | Further uPortal-Grouper integration | Complete Phase II deliverables. Time frame for Phase III deliverables still to be determined in concert with uPortal team. |
Not yet assigned | Security plugins | Spring security, Shiro, .NET plugins for Grouper WS that might be able to be distributed with the plugin itself. Initial proof-of-concept code available: https://spaces.at.internet2.edu/display/Grouper/Unicon+Grouper+Contributions. |