Grouper Call of April 24, 2024
Attending
- Chris Hyzer, Penn, Chair
- Vivek Sachdiva, independent
- Shilen Patel, Duke
- Carey Black, Purdue
- Gail Lift, University of Michigan
- Bert Bee Lindgren, GA Tech
- Daniel Fisher, Va Tech
- Chris Hubing, Internet2
- Drew Aschenbrener, Internet2
DISCUSSION
Administrivia
InCommon Basecamp is June 3-7, 2024 (online only)
Current Work
Vivek
- For Rules UI, Vivek improved externalized text
- Improved the wiki doc on Rules
- Discovered some rules patterns were not implemented and corrected that
- Vivek has been testing privileges for rules
- Hope to wrap up this work within about one week
- Note: the Grouper team establishes Grouper rules; this is not simple for a community member to do
- Suggestion that we document the process for community members to add a rule (the need to request this from the Grouper team)
- Chris has reached out and asked the community what rules they need
- Once we get this Rules UI framework in place the team can more quickly implement more rules
- Concept of “assignment owner” can be a bit confusing at first
- Delegation feature will be helpful
- Goal: Want things viewable and usable but DO NOT WANT a security issue where people are seeing things that will not help them out and that they do not need to know.
- Need to protect certain things, see this section of the doc
- https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+UI#GrouperrulesUI-Privileges
- Some concern around “fires when” rules situations and privileges
- We want power users to be able to manage those rules, but they won’t have admin on the folder; this should be context specific
- Hidden rules are not a good idea
- Some concern that exposing more rules to more people could be extra noise?
- There may be cases where we don’t want people to see the name of a folder or group
- If through the rules UI, you expose something the user should not be able to see, then you open up to potential phishing attack
- Rules can lead to improved access management, so we want to promote rules
- Like the idea of access to rules being connected to Grouper privileges
- It should be clear to the user how things are behaving, could be challenging to communicate in the UI
- There is a difference between read and attribute read, but we don’t want to go down that path; it’s confusing
- Suggestion, if something is a ref group or a basis group, then handle it differently regarding rules UI and privileges?
- Suggestion: do the visibility behavior in phases.
- Default on easier side and tighten up later where needed
- Vote for simplicity: open
- Future: close it down if needed; this is inherently more complex
- Chris: if you can see the rules of the group (READ), you see all the references to other things in the names; you can view the building blocks that the rules rely on
- For viewing rules on a folder, keep that at CREATE
- Perhaps in future have inherited group read
- If group is basis or reference group you are not an admin of, it may hide some
- Inherited read on a group or folder (top down) is the key
- Using a group or folder as a reference for a group you are creating somewhere else, needs to be by context.
- Will add another subtable to the table to explain
- Bert: potentially implement this in the rule UI superclass, so a rule can override this approach in the future, if it needs to have tighter control
- ACL list
- Chris: we will refactor in the future if tighter controls are needed
- Shilen: should we just make the privileges for the rules UI configurable?
- Chris: I like to make things configurable, BUT with the training and documentation hat on, this becomes too confusing to say “It depends how you configured it”
- Wish Global view was not configurable; it becomes confusing to explain
Shilen
- Did Grouper visualization updates
- If you select text display instead of D3, it shows if entity is a member of the group
- Still need to make changes to colors for increased accessibility
- AI: Chris and Shilen will discuss colors in Grouper visualization
- Looking at memory issues with LDAP provisioner
- Did not get good snapshot of memory
- Using the UCLA setup
- Changing ldaptive data structures may help
- Making progress and will report back after more work on this
Group Attributes
- Drew: has a use case around Grouper Loader Job and group attributes.
- Bert: GA Tech has experience with ABAC and course enrollment groups
- There is a SQL query to populate the SQL list
- Metadata query
- Want a field in the view populated with a specific value for groups
- You’d want to add attributes to those groups
- Want to know what attributes to assign to the group
- Each field is an attribute name in the view
- Wants all in one loader for memberships, attributes and metadata
- A 3rd query of the loader
- Currently up to 2 queries per loader
- Chris: Maybe need a 4th
- Chris Hyzer : will add for Grouper v5
- AI: Chris will add Drew’s request re Grouper attributes and one loader for memberships, attributes and metadata to the Grouper roadmap or JIRA for Grouper v5
Issue Roundup
Jiras in past 2 weeks
- GRP-5407: add newlines to gsh template summary toString()
- GRP-5406: show error message in report daemon clear daemon
- GRP-5405: make provisioning expression a textarea
- GRP-5404: provisioning metadata on groups which cannot change are readonly even if not set
- GRP-5403: cannot edit metadata in provisioning
- GRP-5402: provisioning folder metadata which is marked as not updateable or changeable cannot be entered
- GRP-5401: Visualization with member criteria
Wiki updates in past two weeks
- Grouper rules pattern - Veto if new membership is not a group or in certain subject sources
- Grouper rules pattern - Send email membership add due to folder
- Grouper rules pattern - Remove invalid membership due to group
- Grouper rules pattern - Remove invalid membership due to folder
- Grouper Administration Guides
- Install the Grouper container maturity level -1 quick start v2.6.4 and prior (quickstart)
Next Grouper Call: Wed. May 8, 2024