Attending

Chris Hyzer, Penn, Chair
Chad Redman, University of North Carolina Chapel Hill
Shilen Patel, Duke
Carey Black, the Ohio State University
Vivek Sachdiva, independent
Bill Thompson, Lafayette College
Jeff Williams, University of North Carolina Greensboro
Emily Eisbruch, Internet2

Action Items

Grouper Action Items are here

===========

Techex / ACAMP debrief

RESOURCES OF INTEREST FROM TECH EX 2019

Here are resources from Grouper presentations and discussions at TechEx 2019 in New Orleans.

Grouper BOF, Dec. 11, 2019

Running the InCommon Trusted Access Platform in the Cloud, Dec. 11, 2019

Paranoid IAM: Process and Architecture, Dec. 11, 2019

Provisioning and Access Management Case Studies with Grouper and COmanage, Dec 10, 2019

Advance CAMP unconference sessions on Grouper, Dec 12-13, 2019

Thanks to everyone who participated.
Lots of energy around Grouper at ACAMP 2019
Matt :

interesting questions in the hallways about Grouper issues
permissions talk was a good conversation.
Some people did not know Grouper could handle permissions so well
Chris is reviewing the permissions features in Grouper, it has been there for 8 + years
It’s a fairly advanced application that would need permissions
Fun conversation, if people can use permissions it’s great
Loading attributes ? needs work

Chad:

Many people are on same page around how to design groups, thanks to Grouper Deployment Guide
ACAMP session talking about containers,
2 camps:
A. Back in config into a Docker File
B. Start w single image and inject config at runtime
Both are supported

More discussion

Some say Grouper should be easy to use
Some say Docker file is not going to be there forever
We can set the default so you can spin up a container without Docker file
Can have a quickstart and get people up and running w a container
We can require a container for Grouper 2.5
It’s easy to use container
Like Tomcat
Chris will make a wiki on moving in container direction for Grouper 2.5
Change directory structure so just 1 directory

Will make it easier

Want to support containers and NOT the one off patching and OS level support
Chris: we support a directory structure
Bill: we can to reduce the development overhead by supporting fewer deployment models
Regarding config approach: Don’t want so many external dependencies
Chris: levels of maturity issue
Assume you are on a certain server and running directory structures
Bare minimum is database URL and …. password
Can pass in using a filename , location of log for J
Specify location of config file in params to docker
Must have this minimum
But even better to have Docker container
Bill: local server deployment model should have a recommended path
Matt: on startup have flag for autoload files

You manage file system the way you normally would
Based on Which commit got pushed to prod last
Chris: could be a good idea, but could be chaotic when things happen automatically
Issue: You could never remove a config file, in case you want to revert
Be sensitive to those who want to keep configs in source control
Separate git repo that can be pulled in?
Jeff: that is what UNCG does
Bake GIT client into container
Chris : could be an option we offer
Maybe we need better versioning in database config
Thing more about this in future

UI wizards assume using database config
There is auditing in database config
It’s not point in time
It’s not part of attributes, did not want it exported
Chris will add to roadmap about rolling back

Jeff

This year at TechEx more Grouper related sessions and topics
Many different levels of maturity out there in the community
Discussed PSPNG with Bert at TechEx

Shilen:

Agree many interesting Grouper sessions at 2019 TechEx
Permissions and hierarchy discussion was interesting
Duke uses permissions a lot, for Dukes internal applications, web services, calling Grouper web services
Mostly focus on policy groups

Grouper Dev Team are thought leaders and team members should use Grouper features even if whole community is not using it

Some of the Grouper advanced features are not easy to find in the documentation

But we are surfacing more info on the Grouper features via community contributions and elsewhere

Shilen: more UI enhancements around permissions would help

Make the permissions easy to view and update, now you need to know what you are doing in the UI

Each Tech Ex there is more mention of the Grouper Deployment Guide, which is great

Duke’s Paranoid IAM session and curated groups got a lot of buzz

Access control models and properly using policy groups so they are useful long term

Bill

Encouraging to see uptick in Grouper interest and adoption
Grouper Academy and Campus Success Program were a plus
In access governance discussions, could be the community is tired or talking about federated access. Now authentication can be assumed. And access governance is where the action is.
Interesting cloud discussions at TechEx
GDG got a lot of discussion

Do a community review of how campuses are using ref groups and hierarchies
Distill into a model for the GDG
May have some additions to JIRA, Bill will look at this

Duke’s presentation on paranoid IAM was great. Fodder for additions to GDG
No unmanaged access policy
No unmanaged groups

How can other parts of Grouper support the GDG?

Policy group template is used often at Penn
If we want to add AD HOC types or other types..
How can the UI help out encouraging/enforcing GDG suggestions?
Well curated groups
Description on a membership assignment could be helpful
Bill: suggest to have one iron in the fire (one focus) at a time for the GDG
Where there are obvious next steps and community engagements
Models for ref groups and organizations
Working model to help people get further along
Grouper security model , could be a gap
How to do access control within Grouper
Grouper privileges need to be managed appropriately
Working model for feedback
Chris: Keep thinking what the Grouper product can do to support what’s in the GDG
Making Grouper more consistent between institutions
Grouper Administrative Security Model: perhaps have a Security Gatekeeper class
See all attestations, point in time,
One report or screen showing all technical control abilities for a user
Table Bill developed makes the head hurt
Confidence in implementing security controls
Wonder if Grouper permissions model can be used for the security model
Have a ref group tree and need to be sure right people have access
Some of this is already in the templates
Matt: The GDG needs to have a How to Audit Grouper section
Chris: the GDG folder structure may need security groups built in
Security groups are built into the app template

Organizational structures and class lists - often asked about in training

Have options on a loader, use templates?

What’s next with Grouper

Possible new features discussed:

Containers
Permissions
New new UI
- Visualization
- Task oriented screen
- Make things lighter for end users

Suggested for a UI driven from visualization
It’s ambitious
Non starter for accessibility?
Folder navigation menu in a cooler matrix way
Visualization for permissions helps
We need to simplify the Grouper UI
More action focus
Better strategy for more button and for tabs
Entry points to group , using icons?
Need for an end user interface, about managing your own self stuff
Shilen has something like that
Opt in / Opt out
Customize the way certain things display
Finding group you are in
Join things, Manage myself
Summary: Can do some of this in patches to Grouper 2.5

Services

GA tech is interested
Being able to configure groups of apps or services
Organize things in the UI as services
Have metadata on a service
Services can have multiple apps
Think about services in GDG?

Curated groups

Penn is dealing with MFA and Office 365
Grouper , LDAP, DUO and O365
Would be good to have attributes on a group
Troubleshooting, analyze my membership
Is user in the group?
Is user trained?
Is user enrolled in DUO
Quick callout to LDAP
Good idea, can help with handling support calls
Single Provisioning call from the UI to help troubleshoot
Attributes to configure on a group to help troubleshooting page have what it needs
So much time spent passing tickets around for troubleshooting now, this feature could help
Perhaps not on every group
Could Use EL script
To be in group A must be in another group B (have taken training) and group C
Could automatically check all the requirements to be a group A
If following the GDG group structure, this will help in the troubleshooting
Diagnostic process on a service
NOT CRAZY COMPLICATED 😀
Bill: this is a good direction
Get question about an individual user
Want to be sure the provisioning has happened correctly for that user
Useful for visualization to take a user and do call for memberships and see what is happening
Visualization is driven by an engine in the API , not the UI
Trace membership is less robust than the visualization

AI Chris create JIRA for post Grouper 2.5 for the visualization aspect of tracing membership and their provisioning

Pull up a policy
Enter a user
See green and red
This is a new visualization feature
Visualization could have sub menus
Box above saying focus on this user

Q Upgrade to DOJO for all HTML components?

A Chad: needed this for folder tree, but did this a different way

Built in date and time pickers
Chris: customize the comma box, it was not working well
Chad: started to look at that

Current work tasks, and next tasks

Need to focus on last few items for the Grouper 2.5 release

At Grouper BOF at TechEx, we said about 2 months of work for Grouper 2.5 release

Vivek – Web service updates for 2.5 (audits, pit, new paging), more attribute screens

Hoping to finish this work by end of this week

Chris – SQL sync, bugs, paging

Bert – Bugs

Shilen – Group enabled/disabled

Chad – Bugs, libraries in 2.5, gantt chart? Tree on left of UI with more than X children

Bill – GDG, dev env

Issue Roundup

JIRAs

GRP-2488

centralize all priv requests into one class and integration with UI

GRP-2487

add page in group "troubleshoot access" which has a EL to check access

GRP-2486

get the root cause of exception in grouper loader log message

GRP-2485

diagnostics with automatic quartz cron parsing and better thresholds

GRP-2484

Graph UI

GRP-2483

remove warn message for PSPNG specific configuration coordinationTimeout

GRP-2482

Enable template use in GSH

GRP-2481

Adding Groups does not add new group to selectedGroups

GRP-2480

strategy for images and editing... gliffy?

GRP-2479

attestation coverage report(s)

GRP-2478

error in obliterate stem if too many levels and delete pi

========

Slack

Dec 4 scheduling a loader job (Mark D)

Dec 6 attestation coverage report(s) - Carey created JIRA

Dec 6 Restart Loader issue (Sudheer)

Dec 6 separate sources in grouper for application service accounts as opposed to your main IdM namespace (J Crawford)

Dec 6 grouperLoader that loads groups from ldap based on attribute where member is returned (DNs)

The UI suggests that we make the subject expression … (Rachel)

Dec 7 GDG (Chris)

Dec 9 Error on container Karl B (John Gasper replied)

Dec 9 U Minn performance issues w large groups loading (Paul)

Dec 10 grouper-loader.base.properties --change the default? (Rachel)

Dec 11 deploying the tier docker containers and actively contributing to the codebase, how are you keeping your local grouper codebase in sync with the open source project (AlexP)

Dec 12 did the Grouper SCIM Client code ever come out of beta? (Jon M)

Dec 12 anyone run their school BANNER on PostgreSQL (Thomas H)

Dec 13 permission changes are not showing up in the changelog or at the very least it's not sending the message. (J Crawford) (Shilen and Chris and Bert replied)

Dec 13 GRP-2484 for a Graph UI as discussed at Advanced CAMP. (MichaelG) (Chris Replied)

Dec 13 minimal containers. What the minimal steps to take to go from tomcat to docker? i.e. maybe you dont even need a Dockerfile (ChrisH)

Dec 16 we have a readAll group called grouper audit that gets "reader" privileges on every group in the tree through a grouper rule. However, this prevents me from creating a localEntity, because localEntities cannot have "reader" privileges. (AlexP)

Dec 16 request for resources on “grouper designing role access in hierarchy” (Michael G) Bill and Chris replied and discussed Grouper Managed Permissions.

Dec 17 setting up the ATTR_SQL_SIMPLE shows up in the "All Daemon Jobs" list, I like to schedule for "59 59 23 31 12 ? 2099" and run as needed from the damon list. I have to kick off ad hoc sync runs via gsh (J Crawford)

Dec 18 request for better wiki doc on web service calls (J Crawford)