4-Dec-2019
Attending 

  • Chris Hyzer, Penn, Chair
  • Chad Redman, UNC
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdeva, independent
  • Alex Poulos, Univ MD
  • Sudheer Slngidi, U Minnesota
  • Paul Rubin, U Minnesota
  • Emily Eisbruch, Internet2

Action Items

===========

Congrats Chris Hyzer on the blog on Grouper Reporting

https://www.incommon.org/news/grouper-reporting-addresses-multiple-needs-even-sends-emails/

=============

Discussion

U Minnesota is interested in attestation during deprovisioning, and in web services (WS)

  • Expired attestation could be treated like a disabled group?
  • Use case: when a transition happens, such as from employed to terminated, U Minnesota would like to, for example, immediately remove the person from a group or add an end date, trigger an immediate attestation for that group, and notify the group managers who have admin privileges.
  • To validate that the group is still correct, someone with authority will attest that the group membership is correct.
  • Event-based triggering of attestation rather than time-based
  • Grouper rules could be a good way to implement that

Q: about how many terminations per month?

A: probably dozens, with large spikes at certain points such as end of school year when 9 month appointments end


Q: What percent of time is attestation needed?

A: there are some security provisions and a need for review

  • Security levels:  
    • High might mean immediate removal
    • Medium security might mean attestation from the manager
    • Low security, could just have an email, no attestation needed


ChrisH:

  • Grouper has attestation, has rules
  • Feature where if someone is removed from a group there is an email generated
  • New feature, Shilen added: you can click Advanced and get a report of non-employees in the group?
  • Currently, attestation is NOT triggered by a change of attributes

Grouper Deprovisioning is a good approach

  • Feature released in 2018 
  • https://www.internet2.edu/blogs/detail/16562
  • https://spaces.at.internet2.edu/display/Grouper/Grouper+deprovisioning+getting+started
  • HR person goes to Grouper, to the deprovisioning screen, puts the user in, gets a screen showing all the assignments in Grouper of that individual, then HR can remove them all; can put metadata on certain folders or groups saying DO NOT automatically deprovision, review is needed
  • Could configure a deprovisioning item for employee. Go thru the Grouper tree. Decide what groups get dropped from when not an employee anymore. (Alumni group perhaps should be kept in)
  • May need to keep membership in some groups to get paid thru last paycheck even though they no longer have access to internal resources
  • If employee is getting deprovisioned, can control email lists they are part of


  • ChrisB: this is helpful, it is event based
  • Moving towards the Grouper Deployment Guide approach using reference groups
  • Focus on manually managed reference groups (example: studentness)
  • Those automatically managed ref groups will be OK
  • ChrisH: for the next version of the GDG, hope to add an ad hoc type for manually managed.
  • ChrisB: that would be helpful
  • ChrisH: deprovisioning is a manual process, to avoid mishaps
  • U Minn would need to identify a deprovisioning manager who can handle and run the Grouper deprovisioning feature
  • Or we could add an enhancement if automatic removal is needed
  • Even using a rule, it’s not removal across the board
  • Chris B: in general at U Minn there will be an office to create groups
  • ChrisH demonstrates how this deprovisioning is used at U Penn
  • Chris B: Central HR at U Minn won’t know about groups and access and who should have access to what depending on their status (student or not)
  • ChrisH: only Grouper Admins can edit the deprovisioning settings
  • There are groups at Penn where 12 people can edit settings, but not all get emails when someone leaves
  • ChrisB: would be good to be able to specify who gets the emails for deprovisioning notices. Create a deprovisioning email group.
  • ChrisH: that could work
  • Carey: if there’s a group called employee and one is removed, it might not show up. There is a manual process.
  • Carey: timeline issue: when someone is removed at 2pm, when do they show as deprovisioned?
  • ChrisH: when someone pulls them up on the deprovisioning page.
  • There is a delay in getting into the deprovisioned users group. Would need a rule and have an email. There is a gap to get them automatically on a list.
  • ChrisB: would want that step to happen based on a change in membership
  • Having a web service that kicks it off during the day is a possible enhancement, so no need to wait until evening for the email
  • Certify, like attestations, to stop getting the emails
  • Useful to notify a user’s manager
  • But there may be cases where the manager does not know all the rules
  • You identify groups that should be in the group filter
  • There is a list of people in the deprovisioned group
  • Must be able to read the group to use it. Could grant read access to a certain list of Grouper users
  • Can make a composite group
  • NEXT STEP: U Minn to kick the tires on the existing deprovisioning
  • They will report back on any enhancements needed to meet their use case
  • Note: UMD is also thinking about deprovisioning. People fall out of LDAP when they leave and become unresolvable. Perhaps will put them in an archive folder. An in-house tool manages non-people identities; migrated group function out of that, but still some issues around web services and resolving subjects. UMD has Grouper 2.4 in production.
  • ChrisH: there may be a bug around resolving subjects that the Grouper Team could fix.


TechEx 2019 Planning


Grouper BOF

Wed Dec 11, 2019 at 4pm

  • Summary of Grouper 2.5 plans
  • Chad: getting close
  • Need 2 months to finish and release Grouper 2.5 … Chris will announce this as the plan
  • Vivek: attributes and web services screens
  • Shilen: disabling groups? Web services changes later


======

Provisioning and Access Management: Case Studies With Grouper and COmanage

Dec 10, 2019 at 10:20am

=======

Running the InCommon Trusted Access Platform in the Cloud

Wed Dec 11, 2019 at 2:40pm


Current work tasks, and next tasks

Vivek

  • Web service updates for 2.5 (audits, pit, new paging), more attribute screens
  • Audits done in WS, new paging
  • PIT changes to membership and web services
  • When you have PIT changes on the UI you can ask for point-in-time changes. If there’s a group member who joined and left and joined and left… previously there was only one row in web services. Now with PIT there are 3 rows in web services with the time stamp.
  • That is in the GET MEMBERSHIPS service
  • Q: how to deal with things that are in point in time and are deleted, but are not in the real tables?
  • You don’t know if it’s an immediate membership or composite
  • A: data that is not there is left blank
  • If you pass in the PIT inputs to GET MEMBERSHIPS, you are not calling the normal memberships, you are calling this new one
  • Need to explicitly call GET MEMBERSHIPS so users understand
  • Will start on attribute screens


Chris – SQL sync, bugs, paging

  • Paging is working fine
  • Only a few types of queries work with paging
  • Chris will take Chad’s commit and do a 2.4 patch
  • Bootstrapping and passwords fixes will be in that patch
  • Anyone on the team have time to look at the GDG and knock off a few JIRAs by Friday? That would be great.


  • Paging: Chris implemented this
  • https://spaces.at.internet2.edu/pages/viewpage.action?pageId=159979041
  • We were asked for this a while back
  • Downloading 70K users and resolving attributes
  • If you page thru with page # and page size, and someone deletes a record in the meantime, that creates a problem
  • Solution: just use page size
  • Called cursor paging: you have a point in the data and want everything after that
  • AI Vivek: implement cursor based paging, not just for auditing but for all areas that use paging
  • Can just pass in which type it is, it will convert the field to that type
  • If it’s a unique field, the include is false
  • Vivek: implementing this is simple, but wonder about testing all of it…
  • Yes, must run thru the tests. Easy test is to get the 1st page
  • ChrisH looked at GET MEMBERS. Don’t return member UUID to caller
  • Would work on subject ID
  • To be correct, need to add UUID
  • Need whatever you are sorting on
  • If it’s an indexed column it will be more efficient. Subject ID might not be efficient.
  • If trying to run multiple web service calls with the same end point in concurrent calls, then cursor based ???? is not a good option
  • ChrisH: good reminder, not sure how to handle that
  • If doing this with memberships, is membership ID concatenated so it would be efficient?
  • Must handle on client side
  • Tests by membership ID or immediate membership ID
  • Still some uncertainty and some work. We will iron it out
  • Chris H must solve this at Penn to prevent the timeout issue
  • Start offering auto page option in Grouper 2.5?
  • Internally there is some paging through
  • Carey: an OSU user who is a member of several thousand groups found paging thru their groups very slow. This is in Grouper 2.3
  • If subjects are coming from a database maybe it’s not a big issue, but subjects coming from LDAP can be slow. OpenLDAP seemed to help.
  • Perhaps Carey will open a JIRA
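The gap problem behind the cursor paging discussion above, as an added example that is not Grouper code: an in-memory table keyed by a constructed, unique and sortable membership ID stands in for a GET MEMBERS style web service, and a row is deleted between two of the client's page requests. Page-number paging silently skips a record; cursor paging (strict "greater than the last key seen", the "include is false" case for a unique sort column) returns every surviving row.

```python
"""Offset (page number) paging vs cursor paging under a concurrent delete.
Constructed example, not Grouper's own code: a dict keyed by a unique,
sortable membership ID stands in for the table behind GET MEMBERS.
A client downloads every row page by page while another process deletes
a row between two of the client's requests."""

def make_table():
    # Constructed sample data: ten membership rows with zero-padded IDs
    # so that plain string comparison gives the same order as the index.
    return {f"m{i:03d}": f"subject{i}" for i in range(1, 11)}

def page_by_offset(table, page_number, page_size):
    # Page number + page size: the start position is computed from the
    # current row count, so a delete shifts every later row one slot earlier.
    rows = sorted(table.items())
    start = (page_number - 1) * page_size
    return rows[start:start + page_size]

def page_by_cursor(table, after_id, page_size):
    # Cursor paging: "you have a point in the data and want everything
    # after that". The cursor is the sort column; it is unique here, so
    # the comparison is strict and the cursor row itself is not repeated.
    rows = sorted((k, v) for k, v in table.items()
                  if after_id is None or k > after_id)
    return rows[:page_size]

def download(table, page_size, strategy, delete_after_page, delete_id):
    """Fetch all pages with the given strategy ("offset" or "cursor")
    and return the list of IDs the client received.

    After page `delete_after_page` is fetched, `delete_id` is removed
    from the table to simulate a delete racing the download."""
    seen, cursor, page = [], None, 1
    while True:
        if strategy == "offset":
            rows = page_by_offset(table, page, page_size)
        else:
            rows = page_by_cursor(table, cursor, page_size)
        if not rows:
            return seen
        seen.extend(k for k, _ in rows)
        cursor = rows[-1][0]            # client keeps the last key it saw
        if page == delete_after_page:
            table.pop(delete_id, None)  # the concurrent delete
        page += 1

def missing_records(table, seen):
    # Rows still present in the table that the client never received.
    return set(table) - set(seen)

if __name__ == "__main__":
    for strategy in ("offset", "cursor"):
        t = make_table()
        ids = download(t, 3, strategy, delete_after_page=1, delete_id="m002")
        print(strategy, "missing:", sorted(missing_records(t, ids)))
```

With a page size of 3 and "m002" deleted after the first page, the offset download never returns "m004", while the cursor download returns all ten IDs.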


Shilen – Group enabled/disabled

  • Memberships are done
  • Working on attributes, so when you disable a group it will find the attributes and disable them, etc.
  • Not as many queries need to be changed
  • Small number of queries may need to be changed
  • Searching for objects in top right
  • Click on a subject, memberships disabled,
  • Need something that jumps out at user , This is a Disabled Group
  • For editing , enabled and disabled dates should pop out
  • Shilen still needs to update one or two views
  • Just change the select
  • Then will work on web service and UI
  • Shilen will email Vivek and Vivek  will work on the web service aspects


Chad – Bugs, libraries in 2.5, Gantt chart? Tree on left of UI with more than X children

  • Libraries: Quartz, we are running 2.3.0, and 2.3.2 was released a month ago.
  • Making progress on the visual Gantt chart
  • Did a demo on the call
  • Can do filtering
  • Was created several years ago and subsequently improved in GitHub
  • ChrisH: need information architecture: Daemons link, all daemon jobs, job history; could get too cluttered, make a Daemon link and put sub-options under it
  • Should harmonize the jobs, loader jobs and daemon jobs
  • Check box to filter?
  • Chad will make more enhancements

Libraries:

  • Chad will look at the hibernate issue
  • Quartz, Chad will look at a few issues
  • 2.3.2 Maven release in Oct; AI Chad will get on the Quartz email list


Bill – GDG, training, pspng, dev env

Backburner: container discussion with Chris Hubing

Issue Roundup

Slack

Nov 14 2019: PSPNG question, I have a rule that I've applied to 53 folders, and that translates to 3498 groups. However the pspng process seems to be stuck.  (J Crawford)

Nov 14: would it be useful for the container to have a URL so it's easy to know the server? https://spaces.at.internet2.edu/display/Grouper/Display+an+SSI+and+server+label+in+UI+docker+container (Chris Hyzer)    Suggestion to Chris to share this contrib on the users list (EE)

Nov 15, 2019: want to start using the "folder type" attributes in v2.3.  Is it possible to export/import the attributes and use them in 2.3? (without the fancy UI stuff, and without breaking my upgrade path?)   (Carey) OSU hopes to shift to containers and upgrade to 2.4 by April 2020 

Nov 18, is there a way we can add a group as a member of another group from either API call or from GSH? (Sudheer)

Nov 20 performance implication of large group changes, (Chris Hyzer)

  • Need to look at PSPNG performance.  
  • ChrisH is doing midpoint training, interesting approach to provisioning,


Nov 20 desire to have "auto add a direct membership" to GroupB anytime a membership (direct or indirect) is added to Group A.  Can that be done with a Rule? (Carey) UPDATE: Carey did not get the rule working, Carey will email the grouper core list. Syntax issue perhaps


Nov 20 Does the Grouper UI allow for attribute assignment on a membership? If not, is that planned at some point?

Reply: no. Chris added it to the roadmap for a 2.5 patch… Vivek working on this

Nov 20 UI does support attributes on memberships (Carey)


Nov 20 Has anyone ran into any issues using regex in their LDIFCreationTemplates (JeffW)

Closed curly bracket in scriptlet causes issue… ChrisH opened a JIRA for this


Nov 22 a situation where users with membership expirations show up as deleted in the audit log but remain as active members in the groups. (GregH)


Nov 25 delete memberships for unresolvable subjects through the WS?  (AlexP)


Nov 26 "lite" UI… I have a request to make a simple page so people can check their two-step/O365 status, and enable or disable it. (ChrisHyzer)

  • Chris H may work on this for Penn


Nov 26 Initial wiki version port of the Grouper Deployment Guide is complete. You can view the current/latest version here: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide (Bill T)


Nov 26 I am trying to figure out system passwords in Grouper. Also can I place the encrypted value in an environment variable and have the system take that somehow? It does take plain text password environment variables already.  (Rachel L)

Grouper allows scriptlets


Nov 27  assessing options for our grouper cloud deployment, specifically looking at AD setup. has anyone experience with running across forest boundaries, or are we limited to staying within? (Joe S)


Nov 27 building a hierarchy for applications, in our non production sometimes that means testing the processes to import it.   Problem with deeper than 6 levels, (J Crawford)

  • AI Chris will create a patch for building a hierarchy and the issue of deeper than 6 levels, per the Nov 27 Slack from J Crawford

Dec 1 Attestation and Local Entity (Carey)

  • Attestations with one principal are OK, but people get tired of attestation emails.
  • Maybe use a report?
  • OSU using local entities for service accounts
  • Timeline less important than ensuring that someone handles it.
  • Use Grouper Disable feature
  • List of local entities and send it to someone? Is that an OK workaround?
  • When OSU gets to Grouper 2.4, the plan is to use a report for this; need to be able to attest

Dec 3 do we need to do the PIT "set" delete not in a tx?   we need to not have unscalable transactions (ChrisHyzer)



Grouper Wiki Updates


  • Grouper Shell (Chris)

https://spaces.at.internet2.edu/pages/viewpage.action?pageId=14517859

  • Grouper Provisioning Strategy (Chris)

https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+strategy

https://spaces.at.internet2.edu/pages/viewpage.action?pageId=159979041


JIRAS
GRP-2477
allow getMembers paging to get all members with no gaps from client
GRP-2476
add autopage option to grouperClient so it will handle large requests

GRP-2475
cursor based paging to download large amounts of data without missing records during inserts/deletes
GRP-2474
LoaderLog getGroupNameFromJobName not consistent among different job types

GRP-2473
PSPNG cannot parse Regex containing {}, while contained in ${}

GRP-2472
Update and expand access control models

GRP-2471
Operational Considerations needs attention

GRP-2470
New Content - Expanded examples of ACMs

GRP-2469
New Content - Grouper Security Model

GRP-2468
New Content - ABAC, RBAC, and Grouper

GRP-2467
New Content - Guidance on ref groups for courses, students, departments, etc.

GRP-2466
New Content - Attestation Patterns

GRP-2465
make grouper box user last longer and be configurable

GRP-2464
Expand provisioning models to included WS

GRP-2463
Add example of service specific reference groups anti-pattern

GRP-2462
Add discussion on XACML model components (PAP, PDP, etc)

GRP-2461
Diagram access control model overview

GRP-2460
Describe uses of the "test" folder in production

GRP-2459
Further describe how to use standard folders

GRP-2458
Deploy GDG top level folders in TAP distribution

GRP-2457
Add illustration of standard folder set

GRP-2456
Add high level discussion on ways to get data in and out of Grouper


GRP-2455
Update Folder and Group Privileges illustration

GRP-2454
Add discussion on complex group math

GRP-2453
Add Grouper Rules discussion to Understanding Grouper

GRP-2452
Grouper WS /grouperPrivileges fails to remove privilege from unresolvable subject

GRP-2451
allow grouper box to have pem in database config

GRP-2450
improve error handling of box integration and have stats in full sync loader logs

GRP-2449
when reports are deleted they need to get unscheduled in quartz

GRP-2448
keeping subject.properties in database causes not to load jdbc source

GRP-2447
endless loop if morph password is in external file

GRP-2446
grouper installer doesnt put jars in right place in webapp

GRP-2445
better error handling and logging in remedy integration

GRP-2444
schedule a CSV file to be SFTP'ed to server

GRP-2443
run bad membership finder more than once daily? or more than 3 times?

GRP-2442
loader summary doesnt match number of members in group

GRP-2441
tree display performance with permissions turned on

GRP-2440
cache some memberships in a local table so complex queries that use memberships are faster

GRP-2439
pspng should log that subjects not in target system once

GRP-2438
Add time picker UI component

GRP-2437
option for loader job to exit on connection failure

GRP-2436
when removing loader the recent activity says "Added attribute legacyGroupType_grouperLoader"

GRP-2435
attribute drop down in membership attributes (from member screen) doesnt filter by attributes assignable only to memberships

GRP-2434
attribute assignments on memberships (both types)

GRP-2433
change attribute name loader to have better attribute structure and UI

GRP-2432
if multiple matches delete one?

GRP-2431
Add functionality to trigger group specific attestation job from API call

GRP-2430
add audit in membership drop down for memberships

GRP-2429
add sftp support in grouper

GRP-2428
config items that dont have private or pass in the name but which are encrypted might show raw data on ui

GRP-2427
Upgrade java-mysql-connector to support new server authentication

GRP-2426
can we have container daemon running as not root? i suggest grouper user or tomcat even?

GRP-2425
if you remove a group's loader config, it should remove the loader metadata

GRP-2424
if you configure an existing loader job to not have loader config, it should blank out screen before submitting

Grouper-User list Emails



Upcoming Grouper Call Schedule:

  • Today’s Dec 4 call was an off-week call due to Thanksgiving last week
  • Next Grouper Call: Wed Dec 18, 2019 (off-week call to keep things on track)
  • Note: Dec 25 cancelled due to holiday

