Grouper Call of April 24, 2024

Attending 

• Chris Hyzer, Penn, Chair
• Vivek Sachdiva, independent
• Shilen Patel, Duke
• Carey Black, Purdue
• Gail Lift, University of Michigan
• Bert Bee Lindgren, GA Tech
• Daniel Fisher, Va Tech

• Chris Hubing, Internet2

• Drew Aschenbrener, Internet2

DISCUSSION

Administrivia

• Internet2 Intellectual Property Policy
• Review AIs  Grouper Project Action Items (Google Doc)

InCommon Basecamp is June 3-7, 2024 (online only)

Current Work

Vivek

• For Rules UI, Vivek improved externalized text
• Improved the wiki doc on Rules
• Discovered some rules patterns were not implemented and corrected that
  
  
• Vivek has been testing privileges for rules
• Hope to wrap up this work within about one week
• Note: Grouper team establishes Grouper rules, this is not simple for a community member to do
• Suggestion that we document the process for community members to add a rule (the necessity to request this from the Grouper team)
• Chris has reached out and asked the community what rules they need
• Once we get this Rules UI framework in place the team can more quickly implement more rules
• Concept of “assignment owner” can be a bit confusing at first

• Delegation feature will be helpful
• Goal: Want things viewable and usable but DO NOT WANT a security issue where people are seeing things that will not help them out and that they do not need to know.
•  Need to protect certain things, see this section of the doc
• https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+UI#GrouperrulesUI-Privileges
• Some  concern around “fires when” rules situations and privileges
• We want power users to be able to manage those rules, but they won’t have admin on the folder, Should be context specific
• Hidden rules are not a good idea
• Some concern that exposing more rules to more people could be extra noise?
• There may be cases where we don’t want people to see the name of a folder or group
• If through the rules UI, you expose something the user should not be able to see, then you open up to potential phishing attack
• Rules can lead to improved access management, so we want to promote rules
• Like the idea of access to rules being connected to Grouper privileges
• It should be clear to the user how things are behaving, could be challenging to communicate in the UI 
• Difference between read and attribute read, but don’t want to go down that path, it’s confusing
• Suggestion, if something is a ref group or a basis group, then handle it differently regarding rules UI and privileges?
•  Suggestion: do the visibility behavior in phases.
•  Default on easier side and tighten up later where needed
• Vote for simplicity open
• future : close it down if needed, this is inherently more complex
• Chris: if you can see the rules of the group (READ), you see all the references to other things, in the names, can view the building blocks that the rules rely on
• For viewing rules on a folder , keep that at CREATE
• Perhaps in future have inherited group read
• If group is basis or reference group you are not an admin of, it may hide some
• Inherited read on a group or folder (top down) is the key 
• Using a group or folder as a reference for a group you are creating somewhere else, needs to be by context.  
• Will add another subtable to the table to explain 
• Bert: potentially implement this in the rule UI superclass, so a rule can override this approach in the future, if it needs to have tighter control
• ACL list
• Chris: we will refactor  in the future if tighter controls are needed
• Shilen: should be just make the privileges for the rules UI configurable?
• Chris: Like to make things configurable, BUT with training and documentation hat on, this becomes too confusing to say “It depends how you configured it” 
• Wish Global view was not configurable…. It becomes confusing to explai

Shilen

• Did Grouper visualization updates 
• If you select text display instead of D3, it shows if entity is a member of the group
• Still need to make changes to colors for increased accessibility
• AI Chris  and Shilen will discuss colors in Grouper visualization
  
  
• Looking at memory issues with LDAP provisioner
• Did not get good snapshot of memory
• Using UCLA set up
• Changing ldaptive data structures may help
• Making progress and will report back after more work on this

Group Attributes

• Drew: has a use case around Grouper Loader Job and group attributes.  
• Bert: GA Tech has experience with  ABAC and course enrollment groups  
• There is SQL query, to populate SQL list
• Metadata Query
• Want a field in the view populated w specific value for groups
• You’d want to add attributes to those groups
• Want to know what attributes to assign to the group
• Each field is an attribute name in the view
• Wants all in one loader for memberships, attributes and metadata
• A 3rd query of the loader
• Currently up to 2 queries per loader
• Chris:  Maybe need a 4th 
• Chris Hyzer : will add for Grouper v5 
• AI Chris: Add Drew’s request re Grouper attributes and one loader for memberships, attributes and metadata  to Grouper roadmap or JIRA for Grouper v5 

Issue Roundup

Jiras in past 2 weeks

• GRP-5407
  add newlines to gsh template summary toString()
  
  
• 
  GRP-5406
  show error message in report daemon clear daemon
  
  
• 
  GRP-5405
  make provisioning expression a textarea
  
  
• 
  GRP-5404
  provisioning metadata on groups which cannot change, are readonly even if not set
  
  
• 
  GRP-5403
  cannot edit metadata in provisioning
  
  
• 
  GRP-5402
  provisioning folder metadata which is marked as not updateable or changeable cannot be entered
  
  
• 
  GRP-5401
  Visualization with member criteria
  
  

Wiki updates in past two weeks

• Grouper rules UI

• Example Zabbix rules

• Grouper rules pattern - Inherited privileges on groups

• Grouper custom template via GSH

• Grouper rules pattern - Veto if too many members

• Grouper rules pattern - Veto if new membership is not a group or in certain subject sources

• Grouper rules pattern - Send email membership add due to folder

• Grouper rules pattern - Veto if not eligible due to group

• Grouper rules pattern - Send email due to disabled date

• Grouper rules pattern - Remove invalid membership due to group

• Grouper rules pattern - Send email after new membership

• Grouper rules pattern - Send email after membership remove

• Grouper rules pattern - Remove invalid membership due to folder

• Grouper rules pattern - Add self privileges to new groups

• Grouper Administration Guides

• Install the Grouper container with maturity level 0

• v2.2 Upgrade Instructions from v2.1

• Install the Grouper container maturity level -1 quick start v2.6.4 and prior (quickstart)

• Grouper Book - Monitoring and Reporting

• Grouper local entities

• Grouper book - Installation of core components

• Grouper Book - Find a group

• Release steps

• GrouperBook

• Grouper book - Deployment and testing in live

• Customizing the Grouper UI

• Bad Membership Finder

• Grouper UI - Check version

• API Building & Configuration

• Grouper SQL interface

• Grouper - Import to SQL

• Grouper deprovisioning getting started

Next Grouper Call:  Wed. May 8, 2024