Grouper Call of April 24, 2024


  • Chris Hyzer, Penn, Chair
  • Vivek Sachdiva, independent
  • Shilen Patel, Duke
  • Carey Black, Purdue
  • Gail Lift, University of Michigan
  • Bert Bee Lindgren, GA Tech
  • Daniel Fisher, Va Tech
  • Chris Hubing, Internet2

  • Drew Aschenbrener, Internet2



InCommon Basecamp is June 3-7, 2024 (online only)

Current Work


  • For Rules UI, Vivek improved externalized text
  • Improved the wiki doc on Rules
  • Discovered some rules patterns were not implemented and corrected that

  • Vivek has been testing privileges for rules
  • Hope to wrap up this work within about one week
  • Note: Grouper team establishes Grouper rules, this is not simple for a community member to do
  • Suggestion that we document the process for community members to add a rule (the necessity to request this from the Grouper team)
  • Chris has reached out and asked the community what rules they need
  • Once we get this Rules UI framework in place the team can more quickly implement more rules
  • Concept of “assignment owner” can be a bit confusing at first

  • Delegation feature will be helpful
  • Goal: Want things viewable and usable but DO NOT WANT a security issue where people are seeing things that will not help them out and that they do not need to know.
  •  Need to protect certain things, see this section of the doc
  • Some  concern around “fires when” rules situations and privileges
  • We want power users to be able to manage those rules, but they won’t have admin on the folder, Should be context specific
  • Hidden rules are not a good idea
  • Some concern that exposing more rules to more people could be extra noise?
  • There may be cases where we don’t want people to see the name of a folder or group
  • If through the rules UI, you expose something the user should not be able to see, then you open up to potential phishing attack
  • Rules can lead to improved access management, so we want to promote rules
  • Like the idea of access to rules being connected to Grouper privileges
  • It should be clear to the user how things are behaving, could be challenging to communicate in the UI 
  • Difference between read and attribute read, but don’t want to go down that path, it’s confusing
  • Suggestion, if something is a ref group or a basis group, then handle it differently regarding rules UI and privileges?
  •  Suggestion: do the visibility behavior in phases.
  •  Default on easier side and tighten up later where needed
  • Vote for simplicity open
  • future : close it down if needed, this is inherently more complex
  • Chris: if you can see the rules of the group (READ), you see all the references to other things, in the names, can view the building blocks that the rules rely on
  • For viewing rules on a folder , keep that at CREATE
  • Perhaps in future have inherited group read
  • If group is basis or reference group you are not an admin of, it may hide some
  • Inherited read on a group or folder (top down) is the key 
  • Using a group or folder as a reference for a group you are creating somewhere else, needs to be by context.  
  • Will add another subtable to the table to explain 
  • Bert: potentially implement this in the rule UI superclass, so a rule can override this approach in the future, if it needs to have tighter control
  • ACL list
  • Chris: we will refactor  in the future if tighter controls are needed
  • Shilen: should be just make the privileges for the rules UI configurable?
  • Chris: Like to make things configurable, BUT with training and documentation hat on, this becomes too confusing to say “It depends how you configured it” 
  • Wish Global view was not configurable…. It becomes confusing to explai


  • Did Grouper visualization updates 
  • If you select text display instead of D3, it shows if entity is a member of the group
  • Still need to make changes to colors for increased accessibility
  • AI Chris  and Shilen will discuss colors in Grouper visualization

  • Looking at memory issues with LDAP provisioner
  • Did not get good snapshot of memory
  • Using UCLA set up
  • Changing ldaptive data structures may help
  • Making progress and will report back after more work on this

Group Attributes

  • Drew: has a use case around Grouper Loader Job and group attributes.  
  • Bert: GA Tech has experience with  ABAC and course enrollment groups  
  • There is SQL query, to populate SQL list
  • Metadata Query
  • Want a field in the view populated w specific value for groups
  • You’d want to add attributes to those groups
  • Want to know what attributes to assign to the group
  • Each field is an attribute name in the view
  • Wants all in one loader for memberships, attributes and metadata
  • A 3rd query of the loader
  • Currently up to 2 queries per loader
  • Chris:  Maybe need a 4th 
  • Chris Hyzer : will add for Grouper v5 
  • AI Chris: Add Drew’s request re Grouper attributes and one loader for memberships, attributes and metadata  to Grouper roadmap or JIRA for Grouper v5 

Issue Roundup

Jiras in past 2 weeks

Wiki updates in past two weeks

Next Grouper Call:  Wed. May 8, 2024


  • No labels