Grouper Call of Feb. 14, 2024


  • Chris Hyzer, Penn, Chair
  • Chad Redmond, Unicon
  • Jim Beard, Unicon
  • Vivek Sachdiva, independent
  • Shilen Patel, Duke
  • Carey Black, Purdue
  • Liam Hoekenga, UMich

  • Gail Lift, UMich
  • Kellen Murphy, Univ of Virginia

  •  Daniel Fisher, Va Tech
  • Drew Aschenbrener, Internet2


New Action Item from this call 


  • AI Daniel  - will review  LDAP external system page in Grouper wiki for config issues

and send to Chris

The doc must work for both new and older Grouper versions. Chris will make the doc work for both v4 and v5


Grouper Doc team mean recently

Grouper Training prep work for march 12-15, 2024 is ongoing 

Current Work


  • Vivek is working on a Grouper rules screen for Grouper v5
  • So you can see, add, edit and delete rules
  • It’s complex, and that is why it has not been done yet
  • Good progress being made
  • Rules can be assigned to groups and folders, sometimes to attribute definitions for permissions
  • Need to work on the exact privileges needed to view and edit rules
  • Each rule may impact other things, so you need to be able to see other things
  • To edit a rule, you need admin and must be in the rules editor population
  • All the things you are using in the rule you need privileges on
  • If dealing with things in your own folder, you will be able, but if you are dealing with things in a reference group folder, you will need permissions
  • Rules have built-ins and have expression language
  • There is a concept of check type, what happens when the rule gets fired
  • When rule fires, there is a condition
  • result is what the rule does
  • If rule is daemonable, it will run on the daemon
  • Still need to figure out details of how folder permissions will work
  • View on folder is not super private
  • Using a power users group can be helpful
  • Proposed direction: if you can view a rule it will generally show you the components of that rule
  • When adding the rule, if putting in a group name you don’t have access to, this won’t be allowed
  • We will honor the read and update privileges
  • To know if someone is removed, you need read on that, etc
  • May reduce the Grouper sysadmin needs for creating rules
  • Comment: this work will be helpful


  • Work on stopping daemons, handling timestamps
  • Next: changing maintenance jobs to be “other” jobs


  • Working  on new release with
  • Virginia tech request for roles in Groups
  •      Mostly implemented
  •      Still working on getting unit tests to work
  •      DDL changes are needed
  •      To make roles work, we needed 2 more tables  
  •      Sync dependency
  •     Captures groups used in a user translation
  •     Running daemons on multiple servers, the static caches are not good enough
  •     So we have a new static cache, it’s a lightweight table using UUIDs 
  • DDL
  • There are 3 ways to get DDL in grouper
    • 1.   Clean install
    • 2.   Haven’t been up to the version where DDL was introduced and you are upgrading
    • 3.  You did get the DDL update and the new v4 DDL introduced after that
      • Want to edit with new DDL
      • Use an upgrade task
      • It will detect if you have the latest DDL
      • If you have updated DDL it does nothing
      • Otherwise it performs surgery

  • Suggested to put more info in upgrade steps
  • With views it’s hard to do an upgrade task
  • This should be documented better
  • Anyone with suggestions on better, clearer info to present, please send them to Chris

  • Deactiviate SCIM provisioned users as opposed to deleting them, some SCIM endpoints can’t delete

  • Would be nice to know how many sites are running more than one daemon

  • Chris worked on unit tests


  • Touch base on patch for configuration for handlers in page results client for LDAP searches
    •    There was problem in V5 w AD and getting attributes from LDAP more than 1500 (or 1000?)
    •    Something in ldaptive needed a patch
    •     Shilen   can test in AD
    •    Chris will incorporate that 
  • Daniel is looking into an issue related to timeouts
  • Default behavior should change in how it’s handling timeout in ldaptive
  • Liam noted it would help if Grouper documentation covers adjusting timeout and references how to tune appropriate ldaptive settings

 Snapshots etc.

  • When pulling the Grouper 5 branch, the POM says 5.0.0.snapshot
  • All new branches have a snapshot with .0.0 
  • Need something in POM that is not dynamic
  • Need a version
  • Daniel will tag so there is a stable version

  • Re profiling ldaptive, looking for memory issues - Shilen and Chris will talk about this
  • Something to run in v4 and v5
  • Memory is an issue discussed on Grouper Slack, especially large LDAP jobs 
  • Hope to make things in Grouper take less space. In v7 we will redo the DDL
  • Moving from Java 8 to Java 17 could have had an impact

Issue Roundup

Wiki updates


Next Grouper call:  Wed. Feb 28, 2024


  • No labels