Child pages
  • 27June-2018
Skip to end of metadata
Go to start of metadata


Grouper Call 27-June-2018  


  • Chris Hyzer, Penn, Chair
  • Shilen Patel, Duke
  • Chad Redmond, UNC
  • Carey Black, The Ohio State  University
  • Bert Bee  Lindgren, GA Tech
  • Vivek Sachdiva, independent
  • Emily Eisbruch, Internet2

Action Items: Grouper Project Action Items (Google Doc) 

Current work tasks

Vivek – Deprovisioning:

  • When we show all the privileges  a user has, still see the deprovisioined group themselves.  Vivek can work on thi

  • Working on Grouper Loader

    • when loader finds a member it says, give me all the members of all the affiliations.   Issue when a user is being deprovisioined and has mixed affiliations that make it complex.

    • Chris: Loader is a special case

    • If you are on a list of groups, go back to the group that manages the job and use the settings from there.

    • See which affiliations are being deprovisioned

    • See deprovisioned subjects

    • Go thru each one and their affiliations for that owner

    • Logic tells you which users should be deprovisioned

Chris – Deprovisioning

  • Deprov patch not done yet, patch has about 100 files, Chris needs to review the commits and add the new files and then put on test server and test. It will be good to have other team members helping to test

  • 3 types of groups for deprovisioning

    • Group Users who have been deprovisioned in the last N days ( N default = 14 )

    • Group of Admins for an affiliation (HR person can remove a contractor)

    • Group of users who have an affiliation,  this is an affiliation setting (“affiliations group”)

      • edge case  for overlapping affiliations. Example:  If you deprovision an employee but they are still a student, you don’t necessarily want to take away their VPN group membership. It’s a list of overrides.  

      • example :

        • Example group is “vpn”.  That allows “Students” or “Staff” to be members.

        • The “Students” and “Staff” groups should be members of this “affiliations group” so that when a member of “vpn” ( who was a Student and a Staff) loses one of their two memberships they are not removed from the “VPN” group. However, when the “vpn” member loses both Student and Staff then they would be deprovisioned from vpn.

        • NOTE: Manual deprovisioning by a member of the Admin group is not guarded by this “affiliations group” membership check.

  • Grouper will cache those 3 groups for default of 5  minutes

  • Attempt to be quick and not hurt Grouper performance

  • Deprov Logic is designed To be used with the Deprovisioning report

    • Works for a group, some work left for attributes

    • Report lists members with privileges on an object

    • Checkboxes  are used

    • Managers of a group should get an email with link to the Deprovisioning report

  • Chris will add button on report

  • Need to put deprovision settings on deprov group, maybe on startup

Bert – PSPNG

  • Tracking down false positives between full sync and incremental sync coexisting

  • Looking to see if changes have been put in place

  • Full sync was acting like an external actor

  • Separate in time, fallback ldap changes on the right level of recovery

  • Bert wil reply to emails, make patch, handle special characters issue

  • Will look at Justin Robinson issue and respond

Shilen – Release, performance issue

  • Will start running the and Performance API tests

  • Ran these a few weeks ago and most was working well

  • Upgrade works

  • Grouper Release steps

  • Please keep record of steps that are done on that wiki page.   

  • Once the Deprov patch is released, we will be close

Chad – Grouper 2.4 Release

  • Finished commits for removing lite ui

  • Both admin and lite uis are out of master

  • Zip file to create that file and keep it updated

    • Ant build file to create the file

  • [AI for Chad]: describe how users would restore the UIs, and section for grouper developers on how to create the zip

  • Invite external users (before and after removing lite UI)

    • Upgraded mail API

    • Broken mailing

    • Can’t find SMTP class

    • This was fixed, mail works again

    • Everything should use the GrouperEmail class

    • There is no new UI version of invite external users


 Issue roundup

·         Loader diagnostics fixed in patch, thanks Shilen

·         Added cron schedule to loader jobs on ui in patch

·         Dean Guenther PSPNG AD, Bert will reply

·         What’s cool in Grouper, session at Techex ChrisH proposed. Hope institutions will share their Grouper neat stories. Keep your ears out. Please suggest. Will compile content closer to Oct.

·         One day training at techex - This is on Monday Oct. 15, 2018 in Orlando. Will include the GTE, Grouper Training environment, developed by John Gasper and Bill Thompson

·         Videos on deploying TIER grouper image   New Identity and Access Management Video Series by Unicon Now Available: "Deploying the TIER Grouper Image"

·         No jansi in java.library.path (resolved?)

·         Lite UI removal complet

·         Membership finder to find privs example

·         Enhancement request to enable/disable loader job

·         PSPNG wasn’t provisioning folder, but then kicked in

·         Group of groups in LDAP loader

·         When Grouper born on wiki

·         Web services act as groups required to exist

·         Web service to get attributes on groups, thanks Shilen for posting example

·         when a Membership is expired it should be entered into the audit log

·         Message queue with grouper discussion, lots of ways to do messaging, Amazon has Active MQ in cloud,

·         Privileges/memberships assigned to person or account, discussed in TIER API group

·         Dave Churchley PSPNG errors

·         DB performance issues

·         Shaun Koh ENTRY_EXISTS

·         Dave Robinson fix and patch (and pull request?)

Grouper Tutorial at 2018 Tech Ex

  • TIER Access Governance with Grouper and Friends Tutorial

Next Grouper Call : July 11, 2018


  • No labels