Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, University of North Carolina Chapel Hill
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Vivek Sachdiva, independent
- Bill Thompson, Lafayette College
- Jeff Williams, University of North Carolina Greensboro
- Emily Eisbruch, Internet2
Action Items
===========
TechEx / ACAMP debrief
Resources of interest from TechEx 2019
Here are resources from Grouper presentations and discussions at TechEx 2019 in New Orleans:
- Running the InCommon Trusted Access Platform in the Cloud, Dec. 11, 2019
- Paranoid IAM: Process and Architecture, Dec. 11, 2019
- Provisioning and Access Management Case Studies with Grouper and COmanage, Dec 10, 2019
- Thanks to everyone who participated.
- Lots of energy around Grouper at ACAMP 2019
- Matt:
- interesting questions in the hallways about Grouper issues
- permissions talk was a good conversation.
- Some people did not know Grouper could handle permissions so well
- Chris is reviewing the permissions features in Grouper; they have been there for 8+ years
- It’s a fairly advanced application that would need permissions
- Fun conversation, if people can use permissions it’s great
- Loading attributes? Needs work
Chad:
- Many people are on same page around how to design groups, thanks to Grouper Deployment Guide
- ACAMP session talking about containers,
- 2 camps:
- A. Bake config into a Dockerfile
- B. Start with a single image and inject config at runtime
- Both are supported
More discussion
- Some say Grouper should be easy to use
- Some say the Dockerfile is not going to be there forever
- We can set the default so you can spin up a container without a Dockerfile
- Can have a quickstart and get people up and running with a container
- We can require a container for Grouper 2.5
- It’s easy to use container
- Like Tomcat
- Chris will make a wiki on moving in container direction for Grouper 2.5
- Change directory structure so just 1 directory
- Will make it easier
- Want to support containers and NOT the one off patching and OS level support
- Chris: we support a directory structure
- Bill: we can reduce the development overhead by supporting fewer deployment models
- Regarding config approach: Don’t want so many external dependencies
- Chris: levels of maturity issue
- Assume you are on a certain server and running directory structures
- Bare minimum is database URL and … password
- Can pass in using a filename, location of log for J
- Specify location of config file in params to docker
- Must have this minimum
- But even better to have Docker container
- Bill: local server deployment model should have a recommended path
- Matt: on startup have flag for autoload files
- You manage file system the way you normally would
- Based on which commit got pushed to prod last
- Chris: could be a good idea, but could be chaotic when things happen automatically
- Issue: You could never remove a config file, in case you want to revert
- Be sensitive to those who want to keep configs in source control
- Separate git repo that can be pulled in?
- Jeff: that is what UNCG does
- Bake GIT client into container
- Chris: could be an option we offer
- Maybe we need better versioning in database config
- Think more about this in future
- UI wizards assume using database config
- There is auditing in database config
- It’s not point in time
- It’s not part of attributes, did not want it exported
- Chris will add to roadmap about rolling back
Jeff
- This year at TechEx more Grouper related sessions and topics
- Many different levels of maturity out there in the community
- Discussed PSPNG with Bert at TechEx
Shilen:
- Agree many interesting Grouper sessions at 2019 TechEx
- Permissions and hierarchy discussion was interesting
- Duke uses permissions a lot, for Duke's internal applications, web services, calling Grouper web services
- Mostly focus on policy groups
- Grouper Dev Team are thought leaders and team members should use Grouper features even if the whole community is not using them
- Some of the Grouper advanced features are not easy to find in the documentation
- But we are surfacing more info on the Grouper features via community contributions and elsewhere
- Shilen: more UI enhancements around permissions would help
- Make the permissions easy to view and update; now you need to know what you are doing in the UI
- Each TechEx there is more mention of the Grouper Deployment Guide, which is great
- Duke's Paranoid IAM session and curated groups got a lot of buzz
- Access control models and properly using policy groups so they are useful long term
Bill
- Encouraging to see uptick in Grouper interest and adoption
- Grouper Academy and Campus Success Program were a plus
- In access governance discussions, could be the community is tired of talking about federated access. Now authentication can be assumed. And access governance is where the action is.
- Interesting cloud discussions at TechEx
- GDG got a lot of discussion
- Do a community review of how campuses are using ref groups and hierarchies
- Distill into a model for the GDG
- May have some additions to JIRA, Bill will look at this
- Duke’s presentation on paranoid IAM was great. Fodder for additions to GDG
- No unmanaged access policy
- No unmanaged groups
How can other parts of Grouper support the GDG?
- Policy group template is used often at Penn
- If we want to add ad hoc types or other types…
- How can the UI help out encouraging/enforcing GDG suggestions?
- Well curated groups
- Description on a membership assignment could be helpful
- Bill: suggest to have one iron in the fire (one focus) at a time for the GDG
- Where there are obvious next steps and community engagements
- Models for ref groups and organizations
- Working model to help people get further along
- Grouper security model could be a gap
- How to do access control within Grouper
- Grouper privileges need to be managed appropriately
- Working model for feedback
- Chris: Keep thinking what the Grouper product can do to support what’s in the GDG
- Making Grouper more consistent between institutions
- Grouper Administrative Security Model: perhaps have a Security Gatekeeper class
- See all attestations, point in time
- One report or screen showing all technical control abilities for a user
- Table Bill developed makes the head hurt
- Confidence in implementing security controls
- Wonder if Grouper permissions model can be used for the security model
- Have a ref group tree and need to be sure right people have access
- Some of this is already in the templates
- Matt: The GDG needs to have a How to Audit Grouper section
- Chris: the GDG folder structure may need security groups built in
- Security groups are built into the app template
Organizational structures and class lists - often asked about in training
Have options on a loader, use templates?
What’s next with Grouper
Possible new features discussed:
- Containers
- Permissions
- New new UI
- Visualization
- Task oriented screen
- Make things lighter for end users
- Suggested for a UI driven from visualization
- It’s ambitious
- Non starter for accessibility?
- Folder navigation menu in a cooler matrix way
- Visualization for permissions helps
- We need to simplify the Grouper UI
- More action focus
- Better strategy for more button and for tabs
- Entry points to a group, using icons?
- Need for an end user interface, about managing your own self stuff
- Shilen has something like that
- Opt in / Opt out
- Customize the way certain things display
- Finding group you are in
- Join things, Manage myself
- Summary: Can do some of this in patches to Grouper 2.5
- Services
- GA tech is interested
- Being able to configure groups of apps or services
- Organize things in the UI as services
- Have metadata on a service
- Services can have multiple apps
- Think about services in GDG?
- Curated groups
- Penn is dealing with MFA and Office 365
- Grouper, LDAP, Duo and O365
- Would be good to have attributes on a group
- Troubleshooting, analyze my membership
- Is user in the group?
- Is user trained?
- Is user enrolled in Duo?
- Quick callout to LDAP
- Good idea, can help with handling support calls
- Single Provisioning call from the UI to help troubleshoot
- Attributes to configure on a group to help troubleshooting page have what it needs
- So much time spent passing tickets around for troubleshooting now, this feature could help
- Perhaps not on every group
- Could use an EL script
- To be in group A, must be in another group B (have taken training) and group C
- Could automatically check all the requirements to be in group A
- If following the GDG group structure, this will help in the troubleshooting
- Diagnostic process on a service
- NOT CRAZY COMPLICATED 😀
- Bill: this is a good direction
- Get question about an individual user
- Want to be sure the provisioning has happened correctly for that user
- Useful for visualization to take a user and do call for memberships and see what is happening
- Visualization is driven by an engine in the API, not the UI
- Trace membership is less robust than the visualization
- AI: Chris to create a JIRA for post-Grouper 2.5 for the visualization aspect of tracing membership and its provisioning
- Pull up a policy
- Enter a user
- See green and red
- This is a new visualization feature
- Visualization could have sub menus
- Box above saying focus on this user
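As an added example (not code from these notes or from the Grouper project), the "troubleshoot access" and "analyze my membership" idea discussed above can be sketched in plain Python: take a policy group, list the reference groups a subject must (or must not) be in, report green/red per requirement for one subject, and compare the expected outcome with what a provisioning target currently holds. All group names, subject ids, memberships and the target snapshot are constructed sample data, and the functions are hypothetical; none of this corresponds to a Grouper API or to the EL-based check the notes mention.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    """One condition a subject must satisfy to belong to a policy group."""
    group: str                  # name of the reference group to check
    label: str                  # human-readable description for the report
    must_be_member: bool = True  # False: the subject must NOT be in this group


@dataclass(frozen=True)
class Policy:
    """A policy group and the requirements that should decide its membership."""
    name: str
    requirements: tuple


# Constructed sample policy (hypothetical names, not from any real deployment):
# to be in app:vpn:policy a subject must be an employee, have completed
# security training, be enrolled in Duo, and not be in the lockout group.
VPN_POLICY = Policy(
    name="app:vpn:policy",
    requirements=(
        Requirement("ref:affiliation:employee", "is an employee"),
        Requirement("ref:training:security_awareness", "has completed security training"),
        Requirement("ref:mfa:duo_enrolled", "is enrolled in Duo"),
        Requirement("ref:security:locked", "is not locked out", must_be_member=False),
    ),
)

# Constructed membership directory: subject id -> set of group names the
# subject is currently in (what a membership lookup would return).
MEMBERSHIPS = {
    "jsmith": {"ref:affiliation:employee", "ref:training:security_awareness",
               "ref:mfa:duo_enrolled"},
    "adoe": {"ref:affiliation:employee", "ref:mfa:duo_enrolled"},
    "mlee": {"ref:affiliation:employee", "ref:training:security_awareness",
             "ref:mfa:duo_enrolled", "ref:security:locked"},
}

# Constructed snapshot of the provisioning target (e.g. an LDAP group's
# member list): adoe is still present although the training requirement fails.
TARGET_MEMBERS = {"jsmith", "adoe"}


def check_requirements(policy, memberships):
    """Return [(requirement, satisfied)] for every requirement of the policy."""
    results = []
    for req in policy.requirements:
        is_member = req.group in memberships
        results.append((req, is_member == req.must_be_member))
    return results


def failing_requirements(policy, memberships):
    """Group names of the requirements the subject does not satisfy."""
    return [req.group for req, ok in check_requirements(policy, memberships) if not ok]


def should_have_access(policy, memberships):
    """True when every requirement is satisfied (the 'all green' case)."""
    return not failing_requirements(policy, memberships)


def provisioning_status(policy, subject_id, directory, target_members):
    """Compare the expected outcome with what the target currently holds."""
    expected = should_have_access(policy, directory.get(subject_id, set()))
    actual = subject_id in target_members
    if expected == actual:
        return "in_sync"
    return "missing_in_target" if expected else "stale_in_target"


def troubleshoot(policy, subject_id, directory, target_members):
    """Build the green/red report a support person would look at."""
    memberships = directory.get(subject_id, set())
    lines = [f"Policy {policy.name} for subject {subject_id}:"]
    for req, ok in check_requirements(policy, memberships):
        lines.append(f"  [{'GREEN' if ok else 'RED'}] {req.label} ({req.group})")
    verdict = "should be a member" if should_have_access(policy, memberships) else "should NOT be a member"
    status = provisioning_status(policy, subject_id, directory, target_members)
    lines.append(f"  => {verdict}; provisioning target is {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    for subject in ("jsmith", "adoe", "mlee"):
        print(troubleshoot(VPN_POLICY, subject, MEMBERSHIPS, TARGET_MEMBERS))
        print()
```

The report separates two questions that support tickets tend to blur: whether the subject ought to be in the policy group at all (which requirement is red), and whether the provisioning target agrees with that answer (stale or missing entries). In a real deployment the membership lookups and the target snapshot would come from the identity system and the provisioned system rather than the constructed dictionaries used here.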
Q: Upgrade to DOJO for all HTML components?
A: Chad: needed this for folder tree, but did this a different way
- Built in date and time pickers
- Chris: customize the comma box, it was not working well
- Chad: started to look at that
Current work tasks, and next tasks
Need to focus on last few items for the Grouper 2.5 release
At Grouper BOF at TechEx, we said about 2 months of work for Grouper 2.5 release
Vivek – Web service updates for 2.5 (audits, pit, new paging), more attribute screens
- Hoping to finish this work by end of this week
Chris – SQL sync, bugs, paging
Bert – Bugs
Shilen – Group enabled/disabled
Chad – Bugs, libraries in 2.5, gantt chart? Tree on left of UI with more than X children
Bill – GDG, dev env
Issue Roundup
JIRAs
- GRP-2488: centralize all priv requests into one class and integration with UI
- GRP-2487: add page in group "troubleshoot access" which has an EL to check access
- GRP-2486: get the root cause of exception in grouper loader log message
- GRP-2485: diagnostics with automatic quartz cron parsing and better thresholds
- GRP-2484: Graph UI
- GRP-2483: remove warn message for PSPNG specific configuration coordinationTimeout
- GRP-2482: Enable template use in GSH
- GRP-2481: Adding Groups does not add new group to selectedGroups
- GRP-2480: strategy for images and editing... gliffy?
- GRP-2479: attestation coverage report(s)
- GRP-2478: error in obliterate stem if too many levels and delete pi
========
Slack
Dec 4 scheduling a loader job (Mark D)
Dec 6 attestation coverage report(s) - Carey created JIRA
Dec 6 Restart Loader issue (Sudheer)
Dec 6 separate sources in grouper for application service accounts as opposed to your main IdM namespace (J Crawford)
Dec 6 grouperLoader that loads groups from ldap based on attribute where member is returned (DNs)
The UI suggests that we make the subject expression … (Rachel)
Dec 7 GDG (Chris)
Dec 9 Error on container Karl B (John Gasper replied)
Dec 9 U Minn performance issues w large groups loading (Paul)
Dec 10 grouper-loader.base.properties --change the default? (Rachel)
Dec 11 deploying the tier docker containers and actively contributing to the codebase, how are you keeping your local grouper codebase in sync with the open source project (AlexP)
Dec 12 did the Grouper SCIM Client code ever come out of beta? (Jon M)
Dec 12 anyone run their school BANNER on PostgreSQL (Thomas H)
Dec 13 permission changes are not showing up in the changelog or at the very least it's not sending the message. (J Crawford) (Shilen and Chris and Bert replied)
Dec 13 GRP-2484 for a Graph UI as discussed at Advanced CAMP. (MichaelG) (Chris Replied)
Dec 13 minimal containers. What are the minimal steps to take to go from tomcat to docker? i.e. maybe you don't even need a Dockerfile (ChrisH)
Dec 16 we have a readAll group called grouper audit that gets "reader" privileges on every group in the tree through a grouper rule. However, this prevents me from creating a localEntity, because localEntities cannot have "reader" privileges. (AlexP)
Dec 16 request for resources on “grouper designing role access in hierarchy” (Michael G) Bill and Chris replied and discussed Grouper Managed Permissions.
Dec 17 setting up the ATTR_SQL_SIMPLE shows up in the "All Daemon Jobs" list, I like to schedule for "59 59 23 31 12 ? 2099" and run as needed from the daemon list. I have to kick off ad hoc sync runs via gsh (J Crawford)
Dec 18 request for better wiki doc on web service calls (J Crawford)
=======
WIKI Updates (partial list)
- Grouper roadmap (Chris)
https://spaces.at.internet2.edu/display/Grouper/Grouper+Product+Roadmap
- Grouper Role and Permission Mgmt (Chris)
https://spaces.at.internet2.edu/display/Grouper/Grouper+Role+and+Permission+Management
- Grouper Documents and Presentations
https://spaces.at.internet2.edu/x/Gobd
- GDG: Access Control Models
https://spaces.at.internet2.edu/x/vYc5CQ
Emails
- RE: [grouper-users] "cursor" based paging, Hyzer, Chris, 12/04/2019
- Re: [grouper-users] "cursor" based paging, Michael Gettes, 12/05/2019
- [grouper-users] Check out new blog on Grouper Reporting!, Emily Eisbruch, 12/02/2019
- Re: [grouper-users] AD Provisioning not working on delete, Oliver Trieu, 12/03/2019
- Re: [grouper-users] AD Provisioning not working on delete, Jeffrey Williams, 12/10/2019
- Re: [grouper-users] sending messages to AWS SQS, Ben Beecher, 12/03/2019
- Re: [grouper-users] sending messages to AWS SQS, Ben Beecher, 12/04/2019
- Re: [grouper-users] sending messages to AWS SQS, Ben Beecher, 12/04/2019
- RE: [grouper-users] sending messages to AWS SQS, Hyzer, Chris, 12/03/2019
- [grouper-users] Looking for feedback/interest in an idea... "attestation coverage report(s, Black, Carey M., 12/06/2019
- [grouper-users] Build isn't working right now, Richard Frovarp, 12/12/2019
- Re: [grouper-users] Build isn't working right now, Richard Frovarp, 12/16/2019
- Re: [grouper-users] Build isn't working right now, Richard Frovarp, 12/16/2019
- RE: [grouper-users] Build isn't working right now, Redman, Chad, 12/16/2019
- [grouper-users] Grouper resources from 2019 TechEx in New Orleans, Emily Eisbruch, 12/17/2019
Next Grouper Call: Wed. Jan 8, 2020 at 11:30am ET