Child pages
  • 22-July-2020
Skip to end of metadata
Go to start of metadata



  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Jeff Williams - University of North Carolina Greensboro

  •  Emily Eisbruch, Internet2

Intellectual Property reminder:

 Grouper Action Items are here  

 New Action Items from this call


Upcoming Training:


Grouper School  in Oct 6-9, 2020 (online)

  • Moving beginning sections of Grouper training to Canvas LMS
  • Promote this at your institutions
  • Some people are initially “afraid” of Grouper but embrace it after training
  • Penn has had 8 people do Grouper training and it’s been helpful

 Current work tasks, and next tasks

Vivek –Provisioning configuration

See diagrams:

  • Define subject sources to provision, add the ID
  •  options about mapping to target
  • User and group settings, how to resolve things
  • Half is provisioner generic and half is LDAP specific (if you are provisioning to LDAP)
  • Base provisioner has a lot of logic
  • Base config class can manage settings
  • LDAP config class that subclasses that and does LDAP specific stuff
  • Base target DAO specifies signatures
  • There is BASE target DAO and Custom target DAO
  • Use target beans for compare

  • Provisioning Framework strives to be flexible, customizable, configurable
  • Comment: it’s the right amount of extensibility
  • How much of the pieces are re-usable directly?
  • LDAP, AD, OpenLDAP
  • Non relational database, use subclass?
  • Can inherit and wire things together
  • Multiple universities might use same target but use it differently
  • Use one DAO or multiple
  • Multiple provisioner instances
  • For example, 3 ways to provision to DUO so 3 provisioner instances?
  • Shilen: included to have multiple provisioners
  • Carey: Great to be able to provision Grouper privileges for access management on target systems
  • Will make the screens more complex, but that’s OK
  • Depending on what you select in the membership fields, you are provisioning privileges to a target.  
  • Could have two provisioners, one for memberships, another for privileges?
  • Privilege provisioner could detect if an object is not there, and mark it
  • Provisioners create a group in the target system
  • Provisioner creates privileges in the target system?
  • Three ways to get events in real time model:
    1.  change log
    2. Grouper messages from the UI
    3. In object model there are sync tables, sync tables have a state in them, such as if there is an error, trying to provision
  • Keeps track if you are in the target or not, using a flag
  • Anything in Grouper can send a message to a provisioner
  • A membership provisioner can create a group, send a message to a privilege provisioner
  • What about error handling?
  • Membership provisioner and privilege provisioner
  • Concern that the membership provision won’t know all users
  • Needs to work with full syncs
  • Maybe use one big group 
  • Carey: Difference between message queue and synchronous message
  • This is not the current way it works
  • Interrupt flow
  • Chris: hoping for everything asycn so use a flag
  • Flag it pending completion of another message
  • Sounds like a skip
  • But this may be an edge case
  • Discussion of 2 provisioners
  • Shilen and Chris will talk about Grouper DAO part
  • Moving in right direction
  • Almost ready to work on other provisioners
    • Zoom, Box, Duo
  • See how they fit into the model
  • Look at the UI screens that Vivek is working on
  • Shilen: what would Azure provisioner look like?
  • Have a marker attribute to provision to Azure for teams?
  • Change log would trigger off of assignments
  • How to mark things as provisionable?
  • Different model
  • Carey: Outlook impacts AD, could be same in Azure layer,
  • There can be chaos
  • In AD there are several types of groups
  • Can’t always convert a group to mailing list, might be wrong type of group
  • Provisioner might not be agnostic of the details
  • You might need to reprovision to make something a different thing
  • Shilen: if you create a unified group in Azure, you have option to make it into a team, should this be a flag in Grouper?
  • Chris: one tool is how things are assigned to be provisionable
  • Change the provision model 
  • What options should be built ins?
  • Attribute specification for group or folder that you don’t want in the generic bushy structure in ldap
  • Mapping
  • To flip flags or have multi assign
  • Translation into provisioning framework
  • Queries to get attributes are complex 
  • Get transformed into flags on tables Which do not go away
  • Carey: Attribute handling can be frustrating in writing change log consumers
  • Use a planned sub system, to make things extensible, use provisioning framework
  • Chris: also have extra built ins
  • But there will always be unique needs for a certain application
  • Chris: a problem of deleting groups, you need to know is it in the target or not
  • But keep that info in the attributes
  • Carey: auditing does not keep 100% and that causes some issues
  • Chris: a lot of work to do but there will be momentum. Once we get the base classes  it will move along. 
  • Carey: we have existing change log consumers that we may want to change to the new provisioning model.  (Chris: LDAP comes first )

 Chris – 2.5.33 release

  • TomEE upgrade was an issue
  • Chris updated the wiki with  best practices
  • Try for release bi weekly
  • Chris has been helping with provisioning

Shilen – provisioning, vacation

  • Added LDAP configuration class
  • Chris and Shilen discuss Grouper DAO work

 Chad – pspng

  •  Heard from MichaelG regarding performance issues
  • New provisioning framework will help

  • Erik trying to get Azure changelog consumer working
  • Getting error on ESB event type not right
  • Chris: ESB is layer on top of changelog consumer
  • Changelog consumer Object model is generic
  • You specify event types: membership add, membership delete, etc

  • Github pull requests for library upgrades
  • You should upgrade message
  • Could be a waste of time in some cases
  • When we are just using interally


  • Recent discussion on courses in Grouper, was discussed on a software call last Friday
  • We support 3 versions of Grouper, Perhaps change it to 2.
    • It’s a problem that people do new installs with an old version

Issue Roundup

JIRAs over last 2 weeks

  •            Chad found this does not work, but earlier version also did not work
  •           Chris: keep deleting, sometimes works, removed it from the POM
  •           Take that code from Grouper 2.4 ?   
  •            OK to take p6spy out of Grouper

  •           Chris: there is now a table in Grouper , Grouper Cache Overall

    • Has one row?   Update the cache instance and flag to look for something that changed. 

  •          Consider using this , clears cache more quickly

SLACK over last 2 weeks

Matthew B- Is there a way to get Grouper to recalculate a user's membership in a group when the user name changes in the subject source?

Nicholas R  -Maybe the subject source view(s)/search filter(s) should prevent anyone who doesn’t have a username from making it in to grouper? Then when they get a username, they show up?

Matthew B -Grouper is used to decide who is eligible to register an account.  Hiding unregistered users would not help.  The old IDM uses large chunks of java and groovy to figure out if a user is eligible, Grouper does a bit a group math to figure out the state of the user.


Chris Hyzer - The "recent memberships" aka "grace periods" feature is revamped for 2.5.30  

Chris Hyzer  - @channel the current plan is to release 2.5.30 on monday-ish.  If there are small non-pspng jiras that arent done and you want them done let me know and I will try to complete them

Jeffrey  W    Limited-rights account can manage a group it has admin privs on.  HOWEVER...  If said user searches for a subject of the group and tries to revoke their membership that way, they get a 'cannot find group' error.   


Michael G - do you ever notice grouper loader getting  “wedged/stuck” and you have to restart the loader?  

Andy Mo - We have a SQL_GROUP_LIST loader job that ended up removing (emptying) the membership of a number of groups even though the removal exceeded the failsafe threshold.   

Carey   - Grouper+deprovisioning :


  An existing group ( "bob's group" ) that has memberships that were created by hand over time.

  Along comes a new deprovisioning group…….

Erik - beginning  the process of converting our .properties files to database configs.   

Bill T - Lafayette is working on getting our course rosters into Grouper. If you’ve already done this and have advice/regrets/pointers on things like naming convention, grouper privilege management, exception handling, course roster group lifecycle, etc please let me know. 2


Erin M - We're excited to announce that registration is open for Grouper School! Join us from October 6 - 9th  

Jeffrey W  Has anyone done user resolution for an attribute in for someone that wasn't the subject e.g Manager, Reports, etc?  

Sean M -  completed upgrading our production Grouper service to 2.5.29  

I missed one   detail: some language file changes that we were managing with to override   

Drew A - attempting  test of removing the direct memberships of group 'Test A', by anyone who is in group 'group b'.  Zachary Hanson-Hart  1:02 PM

joined #incommon-grouper.

Jeffrey C - started playing with the "permissions" structure again and we are getting messaging when a permission changes via RabbitMQ. However I'm not sure I'm seeing audit log entries related to permission changes. Do permission changes get audited currently?


Erin M -  we have opened Expression of Interest for the Collaboration Success Program (CSP).  

Erik C Been testing our upgrade to 2.5.29 containers, and previously in 2.4.x I was setting a local CATALINA_OPTS=-Duser.timezone=America/Chicago in order to set the local timezone on the application.  It seems my variable is not getting picked up any longer, so how best to set the timezone so that Grouper QuartzCron is using local times?

Erik   in an LDAP_SIMPLE Loader, does this Subject ID JEXL do what I think it does:   

Sean M - an example of a "connector" that is using the new Grouper provisioning strategy?  

Chris Hyzer  Grouper 2.5.31 is ready to be used

Paul R   Just for our own sanity when creating new groups via a grouperLoader process, we cannot seem to figure out how to give a distinct NAME and a DISPLAY_NAME value when creating those groups.  We want a different format for the ID versus what the user sees as the DISPLAY NAME.  

Beth H -  Our team is working on a Grouper PoC/Pilot.  As we are going to be moving from multiple SQL databases and LDAP directories which currently support access management to Grouper, we are going to have multiple data "warehouses" 


Chris Hyzer -

  •  databases and ldaps and other things are "external systems" now, and we have configuration and management of those in the UI.  This is a new feature so if you try it out, check the resulting configs in the database and confirm its what you want.  

  • In order to support complex relationships between prod/test/dev envs, all the external systems support multiple connections of the same type (e.g. multiple database warehouses).  with the exception of smtp, you get one email provider :slightly_smiling_face:

  • Can announce another enhancement too, if you go to the daemon screen, you will see an edit button

  • You can configure each daemon in a context specific way.  Thanks @Vivek Sachdeva!

  • this part isnt ready to use, but this is all for provisioning (and other things).  1. Configure an external system, 2. Configure a provisioner (below), 3. Configure the realtime and full sync daemons.

Here is the provisioner screen (which doesnt do anything, but you can see the UI).  Again context specific


Erik - What a great improvement! Looking forward to this! What version will this be release on? 2.5.31?


Michael   on 2.5.32 in my dev environment and working on getting .32 into test.  Great work - as always - to the entire Grouper Dev team!   


Carey   Change Log Consumer...   don't see an easy way to find out who "caused the event"? 


Chris Hyzer    this tomee upgrade was a pain.   

Beth  - New Grouper Admin Question:  We are currently building course composite groups (using addIncludeExclude), etc.  We have over 4000+ groups.  That is awesome.  However, when one goes away in the system of record, we want them to be deleted.    In the Loader configuration tiny text for "Groups like..."  it says, "Note, if the group is used anywhere as a member or composite member, it won't be removed.".  Our groups that we are provisioning in Office 365 are composite groups (systemOfRecord + include - exclude).  What is the best means by which to automate the deprovisioning and deletion of the composite (and its member groups)?  

WIKI updates


Next Grouper  Call : Wed August 5, 2020

  • No labels