  • 18-Dec-2019




  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Bill Thompson, Lafayette College
  • Jeff Williams, University of North Carolina Greensboro
  • Emily Eisbruch, Internet2

Action Items


Techex / ACAMP debrief

  • Thanks to everyone who participated.
  • Lots of energy around Grouper at ACAMP 2019
  • Matt:
    • interesting questions in the hallways about Grouper issues
    • permissions talk was a good conversation.
    • Some people did not know Grouper could handle permissions so well
    • Chris is reviewing the permissions features in Grouper, it has been there for 8+ years
    • It’s a fairly advanced application that would need permissions
    • Fun conversation, if people can use permissions it’s great
    • Loading attributes? needs work


  • Many people are on same page around how to design groups, thanks to Grouper Deployment Guide
  • ACAMP session talking about containers
  • 2 camps:
    • A. Bake config into a Dockerfile
    • B. Start with a single image and inject config at runtime
  • Both are supported

More discussion

  • Some say Grouper should be easy to use
  • Some say Dockerfile is not going to be there forever
  • We can set the default so you can spin up a container without a Dockerfile
  • Can have a quickstart and get people up and running with a container
  • We can require a container for Grouper 2.5
  • It’s easy to use container
  • Like Tomcat
  • Chris will make a wiki on moving in container direction for Grouper 2.5
  • Change directory structure so just 1 directory
    • Will make it easier
  • Want to support containers and NOT the one off patching and OS level support
  • Chris: we support a directory structure 
  • Bill: we can reduce the development overhead by supporting fewer deployment models
  • Regarding config approach: Don’t want so many external dependencies
  • Chris: levels of maturity issue
  • Assume you are on a certain server and running directory structures
  • Bare minimum is database URL and …. password
  • Can pass in using a filename, location of log for J
  • Specify location of config file in params to docker
  • Must have this minimum
  • But even better to have Docker container
  • Bill: local server deployment model should have a recommended path
  • Matt: on startup have flag for autoload files
    • You manage file system the way you normally would
    • Based on which commit got pushed to prod last
    • Chris: could be a good idea, but could be chaotic when things happen automatically
    • Issue: You could never remove a config file, in case you want to revert
    • Be sensitive to those who want to keep configs in source control
    • Separate git repo that can be pulled in?
    • Jeff: that is what UNCG does 
    • Bake Git client into container
    • Chris: could be an option we offer
    • Maybe we need better versioning in database config
    • Think more about this in future
  • UI wizards assume using database config
  • There is auditing in database config
  • It’s not point in time
  • It’s not part of attributes, did not want it exported
  • Chris will add to roadmap about rolling back


    • This year at TechEx more Grouper related sessions and topics
    • Many different levels of maturity out there in the community
    • Discussed PSPNG with Bert at TechEx


  • Agree many interesting Grouper sessions at 2019 TechEx
  • Permissions and hierarchy discussion was interesting
  • Duke uses permissions a lot, for Duke’s internal applications, web services, calling Grouper web services
  • Mostly focus on policy groups 

Grouper Dev Team are thought leaders and team members should use Grouper features even if whole community is not using it

Some of the Grouper advanced features are not easy to find in the documentation

But we are surfacing more info on the Grouper features via community contributions and elsewhere

Shilen: more UI enhancements around permissions would help

Make the permissions easy to view and update, now you need to know what you are doing in the UI

Each TechEx there is more mention of the Grouper Deployment Guide, which is great

Duke’s Paranoid IAM session and curated groups got a lot of buzz

Access control models and properly using policy groups so they are useful long term


  • Encouraging to see uptick in Grouper interest and adoption
  • Grouper Academy and Campus Success Program were a plus
  • In access governance discussions, could be the community is tired of talking about federated access. Now authentication can be assumed. And access governance is where the action is.
  • Interesting cloud discussions at TechEx
  • GDG got a lot of discussion
    • Do a community review of how campuses are using ref groups and hierarchies
    • Distill into a model for the GDG
    • May have some additions to JIRA, Bill will look at this
  • Duke’s presentation on paranoid IAM was great. Fodder for additions to GDG
  • No unmanaged access policy
  • No unmanaged groups

How can other parts of Grouper support the GDG?

  • Policy group template is used often at Penn
  • If we want to add AD HOC types or other types..
  • How can the UI help out encouraging/enforcing GDG suggestions?
  • Well curated groups
  • Description on a membership assignment could be helpful
  • Bill: suggest to have one iron in the fire (one focus) at a time for the GDG 
  • Where there are obvious next steps and community engagements
  • Models for ref groups and organizations
  • Working model to help people get further along
  • Grouper security model, could be a gap
  • How to do access control within Grouper
  • Grouper privileges need to be managed appropriately
  • Working model for feedback
  • Chris: Keep thinking what the Grouper product can do to support what’s in the GDG
  • Making Grouper more consistent between institutions
  • Grouper Administrative Security Model: perhaps have a Security Gatekeeper class
  • See all attestations, point in time, 
  • One report or screen showing all technical control abilities for a user
  • Table Bill developed makes the head hurt
  • Confidence in implementing security controls
  • Wonder if Grouper permissions model can be used for the security model
  • Have a ref group tree and need to be sure right people have access
  • Some of this is already in the templates
  • Matt: The GDG needs to have a How to Audit Grouper section
  • Chris: the GDG folder structure may need security groups built in
  • Security groups are built into the app template

Organizational structures and class lists - often asked about in training

Have options on a loader, use templates?

What’s next with Grouper

Possible new features discussed:

  • Containers
  • Permissions
  • New new UI
    • Visualization
    • Task oriented screen
    • Make things lighter for end users
    • Suggested for a UI driven from visualization
    • It’s ambitious
    • Non starter for accessibility?
    • Folder navigation menu in a cooler matrix way
    • Visualization for permissions helps
    • We need to simplify the Grouper UI
    • More action focus
    • Better strategy for more button and for tabs
    • Entry points to group, using icons?
    • Need for an end user interface, about managing your own self stuff
    • Shilen has something like that
    • Opt in / Opt out
    • Customize the way certain things display
    • Finding group you are in
    • Join things, Manage myself
    • Summary: Can do some of this in patches to Grouper 2.5
  • Services
    • GA Tech is interested
    • Being able to configure groups of apps or services
    • Organize things in the UI as services
    • Have metadata on a service
    • Services can have multiple apps
    • Think about services in GDG?
  • Curated groups
    • Penn is dealing with MFA and Office 365 
    • Grouper, LDAP, DUO and O365
    • Would be good to have attributes on a group
    • Troubleshooting, analyze my membership
    • Is user in the group?
    • Is user trained?
    • Is user enrolled in DUO
    • Quick callout to LDAP
    • Good idea, can help with handling support calls
    • Single Provisioning call from the UI to help troubleshoot
    • Attributes to configure on a group to help the troubleshooting page have what it needs
    • So much time spent passing tickets around for troubleshooting now, this feature could help
    • Perhaps not on every group
    • Could Use EL script
    • To be in group A must be in another group B (have taken training) and group C
    • Could automatically check all the requirements to be in group A
    • If following the GDG group structure, this will help in the troubleshooting
    • Diagnostic process on a service
    • Bill: this is a good direction
    • Get question about an individual user
    • Want to be sure the provisioning has happened correctly for that user
    • Useful for visualization to take a user and do call for memberships and see what is happening
    • Visualization is driven by an engine in the API, not the UI
    • Trace membership is less robust than the visualization

  • AI: Chris create JIRA for post Grouper 2.5 for the visualization aspect of tracing membership and their provisioning

  • Pull up a policy 
  • Enter a user
  • See green and red
  • This is a new visualization feature
  • Visualization could have sub menus 
  • Box above saying focus on this user

Q Upgrade to DOJO for all HTML components? 

A Chad: needed this for folder tree, but did this a different way

  • Built in date and time pickers
  • Chris: customize the combo box, it was not working well
  • Chad: started to look at that

Current work tasks, and next tasks

Need to focus on last few items for the Grouper 2.5 release

At Grouper BOF at TechEx, we said about 2 months of work for Grouper 2.5 release

Vivek – Web service updates for 2.5 (audits, pit, new paging), more attribute screens

  • Hoping to finish this work by end of this week

Chris – SQL sync, bugs, paging

Bert – Bugs

Shilen – Group enabled/disabled

Chad – Bugs, libraries in 2.5, gantt chart? Tree on left of UI with more than X children

Bill – GDG, dev env

Issue Roundup



centralize all priv requests into one class and integration with UI


add page in group "troubleshoot access" which has a EL to check access


get the root cause of exception in grouper loader log message


diagnostics with automatic quartz cron parsing and better thresholds


Graph UI


remove warn message for PSPNG specific configuration coordinationTimeout


Enable template use in GSH


Adding Groups does not add new group to selectedGroups


strategy for images and editing... gliffy?


attestation coverage report(s)


error in obliterate stem if too many levels and delete pi



Dec 4 scheduling a loader job (Mark D)

Dec 6 attestation coverage report(s) - Carey created JIRA

Dec 6 Restart Loader issue (Sudheer)

Dec 6 separate sources in grouper for application service accounts as opposed to your main IdM namespace (J Crawford)

Dec 6 grouperLoader that loads groups from ldap based on attribute where member is returned (DNs)

The UI suggests that we make the subject expression … (Rachel)

Dec 7 GDG (Chris)

Dec 9 Error on container Karl B  (John Gasper replied)

Dec 9 U Minn performance issues w large groups loading (Paul)

Dec 10 --change the default? (Rachel)

Dec 11 deploying the tier docker containers and actively contributing to the codebase, how are you keeping your local grouper codebase in sync with the open source project (AlexP)

Dec 12 did the Grouper SCIM Client code ever come out of beta? (Jon M)

Dec 12 anyone run their school BANNER on PostgreSQL (Thomas H)

Dec 13 permission changes are not showing up in the changelog or at the very least it's not sending the message. (J Crawford) (Shilen and Chris and Bert replied)

Dec 13 GRP-2484 for a Graph UI as discussed at Advanced CAMP. (MichaelG) (Chris replied)

Dec 13 minimal containers. What are the minimal steps to take to go from tomcat to docker? i.e. maybe you don't even need a Dockerfile (ChrisH)

Dec 16 we have a readAll group called grouper audit that gets "reader" privileges on every group in the tree through a grouper rule. However, this prevents me from creating a localEntity, because localEntities cannot have "reader" privileges. (AlexP)

Dec 16 request for resources on “grouper designing role access in hierarchy” (Michael G) Bill and Chris replied and discussed Grouper Managed Permissions.

Dec 17 setting up the ATTR_SQL_SIMPLE shows up in the "All Daemon Jobs" list, I like to schedule for "59 59 23 31 12 ? 2099" and run as needed from the daemon list. I have to kick off ad hoc sync runs via gsh (J Crawford)

Dec 18 request for better wiki doc on web service calls (J Crawford)


WIKI Updates (partial list)

  • Grouper roadmap (Chris)

  • Grouper Role and Permission Mgmt (Chris)

  • Grouper Documents and Presentations

  • GDG: Access Control Models


RE: [grouper-users] "cursor" based paging, Hyzer, Chris, 12/04/2019

[grouper-users] Grouper resources from 2019 TechEx in New Orleans, Emily Eisbruch, 12/17/2019

Next Grouper Call: Wed. Jan 8, 2020 at 11:30am ET
