Grouper Call of March 27, 2024

Attending 

  • Chris Hyzer, Penn, Chair
  • Chad Redmond, Unicon
  • Vivek Sachdiva, independent
  • Shilen Patel, Duke
  • Carey Black, Purdue
  • Liam Hoekenga, UMich

  • Gail Lift, UMich
  • Kellen Murphy, Univ of Virginia

  • Drew Aschenbrener, Internet2



Administrivia

InCommon Basecamp is June 3-7, 2024 (online only)


DISCUSSION


Current Work


Vivek worked on  JIRAs including:


  • GRP-5336 when deleting groups/folders, check for rules, and let user know, and delete those rules too
  • Need to think about other related improvements around deleting things

  • GRP-5308 Provisioning entities not filtering objectClass when Select All Entities is false.  Chris and Vivek worked on this.    If you configure an object class, not selecting all entities at once, it tries to get all in batches, now it uses object class. Realized you can pick which search attributes you want, the DOA is provided with which search attributes to search on. ISSUE FOUND:  If you write your own filter, and configure multiple search attributes, it will not work. Took out the filter that was not working.  

  • Vivek worked on GRP-5385
    add multiple check options for certain rules


 Shilen 

  • Added static method to call from GSH script to get change log cleared
  • Adjusted daemon screen to fix status

  • Visualization:
    •   https://spaces.at.internet2.edu/x/Nwd0C
    •  Goal is to add an option to select a user
    • this led to discussion on how colors are used. 
    • Use two border colors?
    • Use different shapes?
    • Shilen will experiment with different border colors


Chad working on:

  • GRP-5104
  • Provisioner retrieve AD objectSid and objectGuid as string instead of binary


  • GRP-5307

  • Provisioner case sensitive compare wants to change value only differing in case



Chris worked on JIRAs , including:


Group Roles

add a provisioning group roles method

Chris worked on this and updated the provisioning translation wiki 

https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+translations

To translate from an entity, call isingroup or ishasprivilege

This returns a boolean.  

For a group, you can request a  list of users for a role.

Limited to the items in the member table. 

JEXL allows you to loop through and edit.  

We need to think about that how to resolve attributes

Entity wrapper.is in group is fragile.

 If group doesn’t exist the error message is not clear.

 Chad has been working on an issue found by a community member.   

Ugly stack trace.

Some object is making calls. Hard to debug

AI - For   https://todos.internet2.edu/browse/GRP-5305 Chris will try to get JEXL script tester working and get better error message 

  Chris also worked on:


Adding Built in Grouper Types    

From Slack on March 26, 2024

We would like to some built-in "types" to Grouper (like policy, intermediate, manual, etc).  This is for Grouper v5+.  


  1. "automatic" this is the opposite of a manual group.  This signifies a group that you shouldn't be changing the membership of since it is managed by some process.  Either a loader, or a WS, or a GSH daemon, or a grace period ("recent membership") group, or an ABAC group.  We considered "loaded", but this type would be for more than just the Grouper Loader, its any automatic process that manages the memberships of a group.

  2. "flag" this is a group that should be empty new near-empty, and if it is not, then someone needs to take some action.  e.g. a composite intersection of a group with a reference population (who has access who is not an employee).  e.g. a group loaded with people who have access whose jobs have changed recently.  the action is either to ignore and re-attest later, or revoke access or add them to an ignore group (maybe with an auto-end date) so they are not flagged again (for a while).

  3. "eligibility" this is a group where people need to be in this population to be eligible for a policy or something else.  This could be for manual or automatic (de)provision. 



 Note: this is not like types that were used in Grouper previously and since deprecated.  Regarding types: See also

https://spaces.at.internet2.edu/x/5QI3C

https://spaces.at.internet2.edu/x/QIbd

Misc: 

  • Openshift issue, Chad reports it seems OK in Grouper 4.11.2

  • Need another tomcat upgrade 8.5 is end of life, need to move to 9

  • Chris: will announce latest stable release (flag) when a new release is announced.

Issue Roundup 


Jiras in past two weeks

 
GRP-5391
Foreign key constraint missing from Oracle upgrade DDL


Grouper wiki updates in past two weeks


    • Universal Subject Daemon Utility (USDU)


Grouper Emails in past two weeks

  none


Next Grouper Call: Wed. April 10, 2024



 

 

  • No labels