Child pages
  • 4-Dec-2019

  • Chris Hyzer, Penn, Chair
  • Chad Redman, UNC
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdeva, independent
  • Alex Poulos, Univ MD
  • Sudheer Slngidi, U Minnesota
  • Paul Rubin, U Minnesota
  • Emily Eisbruch, Internet2

Action Items

Congrats to Chris Hyzer on the blog on Grouper Reporting

U Minnesota is interested in attestation during deprovisioning, and in the web services (WS)

  • Could an expired attestation be treated like a disabled group?
  • Use case: when a transition happens, such as from employed to terminated, U Minnesota would like to, for example, immediately remove the person from a group or add an end date, trigger an immediate attestation for that group, and notify the group managers who have admin privileges.
  • To validate that the group is still correct, someone with authority attests that the group membership is correct.
  • Event-based triggering of attestation rather than time-based
  • Grouper rules could be a good way to implement that

Q: about how many terminations per month?

A: probably dozens, with large spikes at certain points such as the end of the school year when 9-month appointments end

Q: What percent of the time is attestation needed?

A: there are some security provisions that create a need for review

  • Security levels:
    • High might mean immediate removal
    • Medium security might mean attestation from the manager
    • Low security could just mean an email, no attestation needed

  • Grouper has attestation and has rules
  • Feature: if someone is removed from a group, an email is generated
  • New feature Shilen added: you can click Advanced and get a report of non-employees in the group?
  • Currently, attestation is NOT triggered by a change of attributes

Grouper Deprovisioning is a good approach

  • Feature released in 2018
  • An HR person goes to Grouper, to the deprovisioning screen, enters the user, and gets a screen showing all the assignments in Grouper of that individual; HR can then remove them all. Metadata can be put on certain folders or groups saying DO NOT automatically deprovision, review is needed
  • Could configure a deprovisioning item for employees. Go through the Grouper tree and decide which groups people get dropped from when no longer an employee (an alumni group perhaps should be kept)
  • May need to keep membership in some groups to get paid through the last paycheck even though they no longer have access to internal resources
  • If an employee is being deprovisioned, can control which email lists they are part of

  • ChrisB: this is helpful, it is event based
  • Moving towards the Grouper Deployment Guide approach using reference groups
  • Focus on manually managed reference groups (example: studentness)
  • Those automatically managed ref groups will be OK
  • ChrisH: for the next version of the GDG, hope to add an ad hoc type for manually managed.
  • ChrisB: that would be helpful
  • ChrisH: deprovisioning is a manual process, to avoid mishaps
  • U Minn would need to identify a deprovisioning manager who can handle and run the Grouper deprovisioning feature
  • Or we could add an enhancement if automatic removal is needed
  • Even using a rule, it’s not removal across the board
  • Chris B: in general at U Minn there will be an office to create groups
  • ChrisH demonstrates how this deprovisioning is used at U Penn
  • Chris B: Central HR at U Minn won’t know about groups and access, and who should have access to what depending on their status (student or not)
  • ChrisH: only Grouper Admins can edit the deprovisioning settings
  • There are groups at Penn where 12 people can edit settings, but not all get emails when someone leaves
  • ChrisB: would be good to be able to specify who gets the emails for deprovisioning notices. Create a deprovisioning email group.
  • ChrisH: that could work
  • Carey: if there’s a group called employee and one is removed, it might not show up. There is a manual process.
  • Carey: timeline issue: when someone is removed at 2pm, when do they show as deprovisioned? ChrisH: when someone pulls them up on the deprovisioning page.
  • There is a delay in getting into the deprovisioned users group. Would need a rule and have an email. There is a gap in getting them automatically on a list.
  • ChrisB: would want that step to happen based on a change in membership
  • Having a web service that kicks it off during the day is a possible enhancement, so there is no need to wait until evening for the email
  • Certify, like attestations, to stop getting the emails
  • Useful to notify a user’s manager
  • But there may be cases where the manager does not know all the rules
  • You identify groups that should be in the group filter
  • There is a list of people in the deprovisioned group
  • Must be able to read the group to use it. Could grant read access to a certain list of Grouper users
  • Can make a composite group
  • NEXT STEP: U Minn to kick the tires on the existing deprovisioning
  • They will report back on any enhancements needed to meet their use case
  • Note: UMD is also thinking about deprovisioning. People fall out of LDAP when they leave and become unresolvable. Perhaps will put them in an archive folder. An in-house tool manages non-people identities; the group function was migrated out of that, but there are still some issues around web services and resolving subjects. UMD has Grouper 2.4 in production.
  • ChrisH: there may be a bug around resolving subjects that the Grouper Team could fix.

TechEx 2019 Planning

Grouper BOF

Wed Dec 11, 2019 at 4pm

  • Summary of Grouper 2.5 plans
  • Chad: getting close
  • Need 2 months to finish and release Grouper 2.5; Chris will announce that as the plan
  • Vivek: attributes and web services screens
  • Shilen: disabling groups? Web services changes later

Provisioning and Access Management: Case Studies With Grouper and COmanage

Dec 10, 2019 at 10:20am

Running the InCommon Trusted Access Platform in the Cloud

Wed Dec 11, 2019 at 2:40pm

Current work tasks, and next tasks

  • Web service updates for 2.5 (audits, PIT, new paging), more attribute screens
  • Audits done in WS, new paging
  • PIT (point in time) changes to memberships and web services
  • With PIT changes in the UI you can ask for point-in-time changes. If a group member joined and left and joined and left… previously there was only one row in web services; now with PIT there are 3 rows in web services, each with a timestamp.
  • That is in the GET MEMBERSHIPS service
  • Q: how to deal with things in point in time that are deleted but are not in the real tables?
  • You don’t know if it’s an immediate membership or composite
  • A: data that is not there is left blank
  • If you pass in the PIT inputs to GET MEMBERSHIPS, you are not calling the normal memberships query, you are calling this new one
  • Need to explicitly call GET MEMBERSHIPS with those inputs so users understand
  • Will start on attribute screens

Chris – SQL sync, bugs, paging

  • Paging is working fine
  • Only a few types of queries work with paging
  • Chris will take Chad’s commit and do a 2.4 patch
  • Bootstrapping and password fixes will be in that patch
  • Anyone on the team have time to look at the GDG and knock off a few JIRAs by Friday? That would be great.

  • PAGING: Chris implemented this
  • We were asked for this a while back
  • Downloading 70K users and resolving attributes
  • If you page through with page number and page size, and someone deletes a record in the meantime, it creates a problem
  • Solution: just use page size
  • Called cursor paging: you have a point in the data and want everything after that
  • AI Vivek: implement cursor-based paging, not just for auditing but for all areas that use paging
  • Can just pass in which type it is, and it will convert the field to that type
  • If it’s a unique field, the include is false
  • Vivek: implementing this is simple, but wonder about testing all of it…
  • Yes, must run through the tests. An easy test is to get the 1st page
  • ChrisH looked at GET MEMBERS. Don’t return member UUID to caller
  • Would work on subject ID
  • To be correct, need to add UUID
  • Need whatever you are sorting on
  • If it’s an indexed column it will be more efficient. Subject ID might not be efficient.
  • If trying to run multiple web service calls against the same endpoint in concurrent calls, then cursor-based paging is not a good option
  • ChrisH: good reminder, not sure how to handle that
  • If doing this with memberships, is membership ID concatenated so it would be efficient?
  • Must handle on client side
  • Tests by membership ID or immediate membership ID
  • Still some uncertainty and some work. We will iron it out
  • Chris H must solve this at Penn to prevent the timeout issue
  • Start offering an auto page option in Grouper 2.5?
  • Internally there is some paging through
  • Carey: an OSU user who is a member of several thousand groups found paging through their groups very slow. This is in Grouper 2.3
  • If subjects are coming from a database maybe it’s not a big issue, but subjects coming from LDAP can be slow. OpenLDAP seemed to help.
  • Perhaps Carey will open a JIRA
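The offset-versus-cursor paging point discussed above, as an added example that is not Grouper's own code or web service: a small Python script that runs both strategies against a constructed in-memory SQLite table (the `members` table, its columns and the sample rows are assumptions made for this example) while a record from the already-fetched first page is deleted mid-run, and then reports which records each strategy silently missed.

```python
"""Offset paging vs. cursor (keyset) paging while rows are deleted mid-run.

Added example, not Grouper code. The `members` table, its columns and the
sample rows are constructed for this demonstration.
"""
import sqlite3


def build_db(member_uuids):
    """Create an in-memory table with one row per constructed member UUID."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (member_uuid TEXT PRIMARY KEY, subject_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO members VALUES (?, ?)",
        [(m, f"subject-{m}") for m in member_uuids],
    )
    return conn


def page_by_offset(conn, page_size, on_page=None):
    """Page number + page size paging (LIMIT/OFFSET).

    Each page is located by counting rows from the start, so a delete in an
    earlier page shifts every later row up by one and the first row of the
    next page is skipped. on_page(page_number) lets the caller simulate that.
    """
    seen, page = [], 0
    while True:
        rows = conn.execute(
            "SELECT member_uuid FROM members ORDER BY member_uuid "
            "LIMIT ? OFFSET ?",
            (page_size, page * page_size),
        ).fetchall()
        if not rows:
            return seen
        seen.extend(r[0] for r in rows)
        page += 1
        if on_page:
            on_page(page)


def page_by_cursor(conn, page_size, on_page=None):
    """Cursor (keyset) paging: remember the last sort key returned and ask for
    everything strictly after it. The sort key must be unique and should be
    indexed (here the primary key) so the cursor is unambiguous and the
    WHERE ... > ? lookup is cheap. The cursor is client-held state, which is
    why each concurrent caller has to keep its own."""
    seen, page, last = [], 0, None
    while True:
        if last is None:
            rows = conn.execute(
                "SELECT member_uuid FROM members ORDER BY member_uuid LIMIT ?",
                (page_size,),
            ).fetchall()
        else:
            rows = conn.execute(
                "SELECT member_uuid FROM members WHERE member_uuid > ? "
                "ORDER BY member_uuid LIMIT ?",
                (last, page_size),
            ).fetchall()
        if not rows:
            return seen
        seen.extend(r[0] for r in rows)
        last = rows[-1][0]
        page += 1
        if on_page:
            on_page(page)


def delete_after_first_page(conn, victim):
    """Return a hook that deletes `victim` right after page 1 has been read,
    standing in for another process removing a membership mid-download."""
    def hook(page_number):
        if page_number == 1:
            conn.execute("DELETE FROM members WHERE member_uuid = ?", (victim,))
    return hook


def compare(n_rows=10, page_size=3):
    """Run both strategies against identical data and the same mid-run delete.

    Returns, per strategy, the ids seen and the ids that were present for the
    whole run yet never returned (a correct download must miss none of those).
    """
    ids = [f"m{i:03d}" for i in range(n_rows)]  # constructed member UUIDs
    victim = ids[0]                              # row on page 1 that gets deleted
    never_deleted = set(ids) - {victim}
    results = {}
    for name, pager in (("offset", page_by_offset), ("cursor", page_by_cursor)):
        conn = build_db(ids)
        seen = pager(conn, page_size, on_page=delete_after_first_page(conn, victim))
        results[name] = {"seen": seen, "missed": sorted(never_deleted - set(seen))}
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:6s} saw {len(r['seen'])} rows, missed {r['missed']}")
```

With the defaults (10 rows, pages of 3) the offset run skips `m003`, the row that slid into the already-consumed position after the delete, while the cursor run returns every row that existed for the whole download. An "auto page" client option of the kind discussed above would wrap a loop like `page_by_cursor`, holding the last key on the client side; since that key is per caller, concurrent calls to the same endpoint each need their own cursor.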

Shilen – Group enabled/disabled

  • Memberships are done
  • Working on attributes, so when you disable a group it will find the attributes and disable them, etc.
  • Not as many queries need to be changed
  • A small number of queries may need to be changed
  • Searching for objects in top right
  • Click on a subject, memberships disabled
  • Need something that jumps out at the user: This is a Disabled Group
  • For editing, enabled and disabled dates should pop out
  • Shilen still needs to update one or two views
  • Just change the select
  • Then will work on web service and UI
  • Shilen will email Vivek and Vivek will work on the web service aspects

Chad – Bugs, libraries in 2.5, gantt chart? Tree on left of UI with more than X children

  • Libraries: Quartz, we are running 2.3.0, and 2.3.2 got released a month ago.
  • Making progress on the visual Gantt chart
  • Did a demo on the call
  • Can do filtering
  • Was created several years ago and subsequently improved in GitHub
  • ChrisH: need information architecture: Daemons link, all daemon jobs, job history; could get too cluttered, so make a Daemon link and put sub-options under it
  • Should harmonize the jobs, loader jobs and daemon jobs
  • Check box to filter?
  • Chad will make more enhancements

  • Chad will look at the Hibernate issue
  • Quartz: Chad will look at a few issues
  • 2.3.2 Maven release was in Oct; AI Chad will get on the Quartz email list

Bill – GDG, training, pspng, dev env

Backburner: container discussion with Chris Hubing

Issue Roundup

Nov 14 2019: PSPNG question, I have a rule that I've applied to 53 folders, and that translates to 3498 groups. However the pspng process seems to be stuck. (J Crawford)

Nov 14: would it be useful for the container to have a URL so it's easy to know the server? (Chris Hyzer) Suggestion to Chris to share this contrib on the users list (EE)

Nov 15, 2019: want to start using the "folder type" attributes in v2.3. Is it possible to export/import the attributes and use them in 2.3? (without the fancy UI stuff, and without breaking my upgrade path?) (Carey) OSU hopes to shift to containers and upgrade to 2.4 by April 2020

Nov 18, is there a way we can add a group as a member of another group from either an API call or from GSH? (Sudheer)

Nov 20 performance implication of large group changes (Chris Hyzer)

  • Need to look at PSPNG performance.
  • ChrisH is doing midPoint training, an interesting approach to provisioning

Nov 20 desire to have "auto add a direct membership" to Group B anytime a membership (direct or indirect) is added to Group A. Can that be done with a Rule? (Carey) UPDATE: Carey did not get the rule working, Carey will email the grouper core list. Syntax issue perhaps

Nov 20 Does the Grouper UI allow for attribute assignment on a membership? If not, is that planned at some point?

Reply: no. Chris added it to the roadmap for a 2.5 patch; Vivek is working on this

Nov 20 UI does support attributes on memberships (Carey)

Nov 20 Has anyone run into any issues using regex in their LDIFCreationTemplates (JeffW)

A closed curly bracket in a scriptlet causes the issue. ChrisH opened a JIRA for this

Nov 22 a situation where users with membership expirations show up as deleted in the audit log but remain as active members in the groups. (GregH)

Nov 25 delete memberships for unresolvable subjects through the WS? (AlexP)

Nov 26 "lite" UI: I have a request to make a simple page so people can check their two-step/o365 status, and enable or disable it. (ChrisHyzer)

  • Chris H may work on this for Penn

Nov 26 Initial wiki version port of the Grouper Deployment Guide is complete. You can view the current/latest version here: (Bill T)

Nov 26 I am trying to figure out system passwords in Grouper. Also can I place the encrypted value in an environment variable and have the system take that somehow? It does take plain text password environment variables already. (Rachel L)

Grouper allows scriptlets

Nov 27 assessing options for our grouper cloud deployment, specifically looking at AD setup. Has anyone experience with running across forest boundaries, or are we limited to staying within? (Joe S)

Nov 27 building a hierarchy for applications; in our non-production that sometimes means testing the processes to import it. Problem with deeper than 6 levels (J Crawford)

  • AI Chris will create a patch for building a hierarchy and the issue of deeper than 6 levels, per the Nov 27 Slack message from J Crawford

Dec 1 Attestation and Local Entity (Carey)

  • Attestations with one principal are OK, but people get tired of attestation emails.
  • Maybe use a report?
  • OSU is using local entities for service accounts
  • Timeline is less important than ensuring that someone handles it.
  • Use the Grouper Disable feature
  • Make a list of local entities and send it to someone? Is that an OK workaround?
  • When OSU gets to Grouper 2.4, the plan is to use a report for this; need to be able to attest

Dec 3 do we need to do the PIT "set" delete not in a tx? We need to not have unscalable transactions (ChrisHyzer)

Grouper Wiki Updates

  • Grouper Shell (Chris)
  • Grouper Provisioning Strategy (Chris)
  • allow getMembers paging to get all members with no gaps from client
  • add autopage option to grouperClient so it will handle large requests
  • cursor based paging to download large amounts of data without missing records during inserts/deletes
  • LoaderLog getGroupNameFromJobName not consistent among different job types
  • PSPNG cannot parse Regex containing {}, while contained in ${}
  • Update and expand access control models
  • Operational Considerations needs attention
  • New Content - Expanded examples of ACMs
  • New Content - Grouper Security Model
  • New Content - ABAC, RBAC, and Grouper
  • New Content - Guidance on ref groups for courses, students, departments, etc.
  • New Content - Attestation Patterns
  • make grouper box user last longer and be configurable
  • Expand provisioning models to include WS
  • Add example of service specific reference groups anti-pattern
  • Add discussion on XACML model components (PAP, PDP, etc)
  • Diagram access control model overview
  • Describe uses of the "test" folder in production
  • Further describe how to use standard folders
  • Deploy GDG top level folders in TAP distribution
  • Add illustration of standard folder set
  • Add high level discussion on ways to get data in and out of Grouper
  • Update Folder and Group Privileges illustration
  • Add discussion on complex group math
  • Add Grouper Rules discussion to Understanding Grouper
  • Grouper WS /grouperPrivileges fails to remove privilege from unresolvable subject
  • allow grouper box to have pem in database config
  • improve error handling of box integration and have stats in full sync loader logs
  • when reports are deleted they need to get unscheduled in quartz
  • keeping in database causes not to load jdbc source
  • endless loop if morph password is in external file
  • grouper installer doesn't put jars in right place in webapp
  • better error handling and logging in remedy integration
  • schedule a CSV file to be SFTP'ed to server
  • run bad membership finder more than once daily? or more than 3 times?
  • loader summary doesn't match number of members in group
  • tree display performance with permissions turned on
  • cache some memberships in a local table so complex queries that use memberships are faster
  • pspng should log that subjects not in target system once
  • Add time picker UI component
  • option for loader job to exit on connection failure
  • when removing loader the recent activity says "Added attribute legacyGroupType_grouperLoader"
  • attribute drop down in membership attributes (from member screen) doesn't filter by attributes assignable only to memberships
  • attribute assignments on memberships (both types)
  • change attribute name loader to have better attribute structure and UI
  • if multiple matches delete one?
  • Add functionality to trigger group specific attestation job from API call
  • add audit in membership drop down for memberships
  • add sftp support in grouper
  • config items that don't have private or pass in the name but which are encrypted might show raw data on ui
  • Upgrade java-mysql-connector to support new server authentication
  • can we have container daemon running as not root? i suggest grouper user or tomcat even?
  • if you remove a group's loader config, it should remove the loader metadata
  • if you configure an existing loader job to not have loader config, it should blank out screen before submitting

Grouper-User list Emails

Upcoming Grouper Call Schedule:

  • Today’s Dec 4 call was an off-week call due to Thanksgiving last week
  • Next Grouper Call: Wed Dec 18, 2019 (off-week call to keep things on track)
  • Note: Dec 25 cancelled due to holiday