Grouper Call of June 5, 2024


  • Chris Hyzer, Penn, Chair
  • Vivek Sachdiva, independent

  • Shilen Patel, Duke

  • Carey Black, Purdue

  • Gail Lift, University of Michigan

  • Henry Hyzer, intern

  • Emily Eisbruch, Independent



InCommon Basecamp is June 3-7, 2024 (online only)

Internet2 Technology Exchange 2024 is in Boston Dec 9-13

Current Work


  • SCIM 

    •  For Service Now, requirement to sync custom attributes, service now employee number

    • Have added more options for SCIM based provisioners

    • Can specify an Expression Language

    • Give me a list of users , etc.

    • Want to sync a nested attribute

    • Use JSON pointer

  • Grouper Rules (in Grouper v5)

    • Looking at some edge cases, various scenarios around permissions



  • Each one has a wrapper

  • You can drill down into each parameter

  • Harry changed each version so they are in numeric order and alpha order

  • Did wrappers for the responses

  • In Grouper Web Services, in source

  • Working on v4 branch

  • In Grouper v5, the generation of the swagger JSON is a manual process.

  • If we add a new operation we will manually kick that off again

  • Same operational library for v4 and v5

  • How hard will it be to catch up to v5 branch when work gets ported forward? 

  • Challenge: with Swagger it is intended to be restful

  • Grouper is plain old JSON

  • We have some more restfulish operations 

  • We can document those in swagger more specifically

  • Version that any web services sends to server is intended to be what version you are calling

  • We pioneered this before the standard was developed

  • Need to make a fix in Grouper, only works in a certain version

  • Leave Sagger in v4 static

  • Search and replace in v5

Grouper Rule Discussion

  • Carey: Looking for a Grouper rule for removing someone from a group when added to a different group

  • Did not find this

  • Seems like a common pattern, should likely be added

  • Carey will ping Chris about this


  • Grouper rules patterns

  • There is a recent addition of this, according to Vivek

  • AI Vivek will improve this rules documentation, (in response to Carey’s question) Grouper rules pattern - Remove invalid membership due to group

  • Chris: Rules are actions that happen when other things happen

  • Membership lifecycle , deprovisioning, reminder to attest or review something

  • With new Rules UI easier to use and to delegate to admins , can be assigned

  •   Many requests from GA Tech; Great ideas on membership life cycle

  • Bert pointed out some gaps

  • Even though the rules UI is a step in right direction, it’s not the final goal

  • Grouper membership eligibility


  •  Chris and Emily are working on an InCommon Trust and Identity Newsletter blog (for June or July likely)

  • The planned blog will be about RULES:  past, present and also about the future plans

  • There are exciting plans for future of rules

  • Attributes on stems

  • Keeping track of life cycle events

  • Having the timeline on a person available for attestation

  • UI can say “you have these people, 5 people w life cycle event, review them”

  • Hope to put resources towards that for Grouper v5

  • Chris plans to update the Grouper roadmap

  • Currently in planning stages

  • Carey: Would be helpful to have improvements around point in time queries?

  • Be able to dive all the way to the bottom quickly

  • As valuable as the higher level archetype 

  • There are tons of paths to query point in time

  • Vision for v5: if you are SQL cachable we want to keep flattened membership and flattened point in time memberships in a table


  • Grouper HTTP client

    • Lead operations being doing like HTTP delete, not cleaning up resources 

    • You can easily run out of resources 

    • Fix was put in

    • Flag to re use connections was an issue

    • There is a flag to re use HTTP client 

    • Goal: Always have re use of Grouper client

    • Chris will not for next release, upgrade instruction to remove that flag

    • Don’t set that flag moving forward

  • OIDC updates

    • Integration for UI and web services, only found claims thru user info endpoint

    • Need to find thru ID token

    • Added some new configs

    • Not it asks for needed info

    • Will commit for V5 

    • Shilen will cherry pick this back to v4

    • OIDC is best option

    • Proxy settings for OIDC were not working

    • Shilen made an adjustment on this

    • Needs to do more testing

    • Shilen will look at HTTP proxy issue


  • Chris worked on: Programmatic access to the Grouper user interface with Playwright
  • Playwright does work in the Grouper container in Rocky 9, and that plan to upgrade from 8 is in the works.  
  • Will be turned off by default in production
  • The jars are there for you, but not enabled by default
  • Chris put this in Grouper POM
  • Only 4 libraries for dependencies
  • When we build container, we move those jars to another container
  • If you set environment variables
  • Wiki shows things being done at Penn
  • Validates that a group updated successfully
  • Slack Chris if you want more functionality
  • Chris wrote standards for what we should be doing in the UI
  • UI is intended to be browsed by a browser
  • Will follow some standards so when we implement builder pattern classes it will be consistent
  • A new environment variable for the container
  • Will make a bash script

Issue Roundup



Wiki updates

Next Grouper Call: Friday, June 21, 2024 (instead of Wed. June 19)

Next Grouper meeting: will discuss Grouper documentation

  • No labels