23-June-2021

Attending

Chris Hyzer, Penn, Chair
Shilen Patel, Duke
Chad Redman, University of North Carolina Chapel Hill
Vivek Sachdiva, independent
Carey Black, the Ohio State University
Emily Eisbruch, Internet2

New Action Item

AI Chris and Shilen - chat about duplicate subject identifiers

Discussion

Shorter than usual Grouper call today, just to catch up, and touch bsae

due to Chris and Chad being busy with Grouper Training

Administrivia

https://internet2.edu/community/about-us/policies/internet2-intellectual-property-policy/
Approve minutes
Review AIs Grouper Project Action Items (Google Doc)
Agenda bash

Grouper Training June 22-25, 2021

https://www.incommon.org/academy/grouper/

Current Work

Vivek

Provisioning and Configuration work
Changes on UI
Loader options
SQL display names config
Sync display extensions for folders
Group sync display name
Chris: SQL feature is extremely useful

Shilen

Last week looked at duplicate subject identifiers
Solve that by new member being added or subject identifier updated , check to see if it exists on a deleted member, if yes, clear it on the deleted member. Not sure if that solved the issue. Duplicated subject ID could still be added.
Should USDU do a full check on that?
Could still have a few days where duplicates exist
AI Chris and Shilen will chat on duplicate subject identifiers
Waiting on retrieve memberships, Chris will do framework changes

Chris

Doing Grouper Training, going well so far
Worked on loader security
Spoke w Vivek about provisioning
With every implementation of provisioning, we are almost there but not quite
There are tasks remaining
But need to get useful product out there
Trying not to do recalcs on incremental provisioning
Make it faster
For LDAP must do individual membership provisioning
When debugging this, on DUO provisioner, things are complex and not 100% correct
Need plan
Full sync is decent now
Incremental is more complex
Events come in where we are sure we know what to do
It’s a non recalc
Data comes in that conflicts
That is a recalc
Both processes have same workflow
Grouper not always doing correct thing as far as what to recalc and what is an event to send to target
If group needs to have recalc,
Now it recalcs all the individual subjects too
Vivek and Chris will take those cases and put them into until tests
And interrogate
Two workflows, one for recalc, one not for recalc?
Shilen: sounds good, having unit tests will be helpful
Vivek: unit tests will help
Can refactor and make changes with confidence
Matt: its complex
Like the changelog consumer
- Less magic going on
It’s ambitious to use the approach being used
When all else fails, treat it like an event queue
Changelog model is the model that works best
Security on the UI has been mentioned as an issue
Provisioning will help this
In Grouper training doing entity attribute LDAP provisioning
Put a bunch of validations on the screen
Need to configure groups to say what part is entity attribute but we are not doing anything w groups on the target
Hard to make a generic solution
Chad: provisioning to LDAP is basic
- If we have a template or mapping for these basic things, then not everyone needs to understand the details
- Currently you get as far as you can and you get errors and are not sure what to do
Better examples on the wiki will help
LDAP provisioning UI is quite overwhelming and can get confusing
Matt: could help to use a table for mapping
- A goes to B
- Visualization of provisioning config
- Can picture some easy wizards to help get started
Next pass: LDAP examples that work
Duo provisioner
Someone wants SCIM provisioner that goes to GITHUB
Need to provide examples on the wiki
We are making progress