Attending
- Chris Hyzer, Penn, Chair
- Chad Redman, UNC
- Shilen Patel, Duke
- Carey Black, the Ohio State University
- Vivek Sachdeva, independent
- Alex Poulos, Univ MD
- Sudheer Slngidi, U Minnesota
- Paul Rubin, U Minnesota
- Emily Eisbruch, Internet2
Action Items
===========
Congrats to Chris Hyzer on the blog on Grouper Reporting
https://www.incommon.org/news/grouper-reporting-addresses-multiple-needs-even-sends-emails/
=============
Discussion
U Minnesota is interested in attestation during deprovisioning, and WS
- Expired attestation could be treated like a disabled group?
- Use case: when a transition happens, such as from employed to terminated, U Minnesota would like to, for example, immediately remove the person from a group or add an end date, trigger an immediate attestation for that group, and notify the group managers that have admin privilege.
- To validate that the group is still correct, someone with authority will attest that the group membership is correct.
- Event based triggering attestation rather than time based
- Grouper rules could be a good way to implement that
Q: about how many terminations per month?
A: probably dozens, with large spikes at certain points such as end of school year when 9 month appointments end
Q: What percent of time is attestation needed?
A: there are some security provisions, need for review
- Security levels:
- High might mean immediate removal
- Medium security might mean attestation from the manager
- Low security, could just have an email, no attestation needed
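The tiered policy sketched above (high: remove immediately, medium: manager attestation, low: email only), worked through as an added illustration. This is not Grouper code or a Grouper API; the group names, security levels, manager names, the event shape and the membership table are all constructed sample data, and the "keep on termination" flag for alumni or last-paycheck groups is an assumption taken from the later discussion. A group with no classified level falls back to attestation so that it is reviewed by a person rather than silently ignored.

```python
"""Event-driven deprovisioning review (added example, not Grouper code).

On an HR status transition, look up every group the subject is a direct
member of and apply the action the group's security level calls for.
"""
from dataclasses import dataclass

# Policy from the call: high -> immediate removal, medium -> attestation
# by the group's managers, low -> email notification only.
ACTION_BY_LEVEL = {"high": "remove", "medium": "attest", "low": "notify"}


@dataclass
class Group:
    name: str
    security_level: str                 # "high" | "medium" | "low" | other
    managers: tuple = ()                # who holds admin privilege on the group
    keep_on_termination: bool = False   # e.g. alumni or final-paycheck groups


@dataclass
class Action:
    kind: str                           # "remove" | "attest" | "notify" | "keep"
    group: str
    subject: str
    recipients: tuple = ()


# Constructed sample data.
GROUPS = {
    "app:payroll:admins": Group("app:payroll:admins", "high", ("mgr1",)),
    "app:wiki:editors": Group("app:wiki:editors", "medium", ("mgr2",)),
    "lists:all-staff-news": Group("lists:all-staff-news", "low", ("listowner",)),
    "ref:alumni": Group("ref:alumni", "low", (), keep_on_termination=True),
    "app:legacy:users": Group("app:legacy:users", "unclassified", ("mgr3",)),
}
MEMBERSHIPS = {
    "jdoe": {"app:payroll:admins", "app:wiki:editors", "lists:all-staff-news",
             "ref:alumni", "app:legacy:users"},
    "asmith": {"app:wiki:editors"},
}


def handle_transition(subject, old_status, new_status, memberships, groups):
    """Return the actions for one status transition.

    Only employee -> terminated is treated as a deprovisioning event here
    (an assumption); any other transition produces no actions.
    """
    if not (old_status == "employee" and new_status == "terminated"):
        return []
    actions = []
    for group_name in sorted(memberships.get(subject, ())):
        group = groups[group_name]
        if group.keep_on_termination:
            actions.append(Action("keep", group_name, subject))
            continue
        # Unknown level: fail toward human review, never toward silence.
        kind = ACTION_BY_LEVEL.get(group.security_level, "attest")
        actions.append(Action(kind, group_name, subject, group.managers))
    return actions


def apply_actions(actions, memberships):
    """Carry out the actions on a copy of the membership table.

    'remove' drops the membership immediately; every non-keep action is
    queued for the group's managers (removal emails, attestation requests,
    low-security notices). Returns (updated_memberships, queue_by_recipient).
    """
    updated = {s: set(g) for s, g in memberships.items()}
    queue = {}
    for a in actions:
        if a.kind == "remove":
            updated[a.subject].discard(a.group)
        for r in a.recipients:
            queue.setdefault(r, []).append((a.kind, a.group, a.subject))
    return updated, queue


if __name__ == "__main__":
    acts = handle_transition("jdoe", "employee", "terminated", MEMBERSHIPS, GROUPS)
    after, work = apply_actions(acts, MEMBERSHIPS)
    for a in acts:
        print(f"{a.kind:7s} {a.group:24s} -> {', '.join(a.recipients) or '-'}")
    print("remaining:", sorted(after["jdoe"]))
```

Because the policy is keyed on the group rather than on the event, the same handler serves the "immediate removal" and "attestation" cases the call distinguished; what changes per group is only the classification and who is notified.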
ChrisH:
- Grouper has attestation, has rules
- Feature where if someone is removed from a group there is an email generated
- New feature, Shilen added, you can click Advanced, and get a report of non employees in the group?
- Currently, Attestation is NOT triggered by change of attributes
Grouper Deprovisioning is a good approach
- Feature released in 2018
- https://www.internet2.edu/blogs/detail/16562
- https://spaces.at.internet2.edu/display/Grouper/Grouper+deprovisioning+getting+started
- HR person goes to Grouper, to the deprovisioning screen, puts the user in, gets a screen showing all the assignments in Grouper of that individual, then HR can remove them all; can put metadata on certain folders or groups saying DO NOT automatically deprovision, review is needed
- Could configure a deprovisioning item for employee. Go thru Grouper Tree. Decide what groups get dropped from when not an employee anymore. (Alumni group perhaps should be kept in)
- May need to keep membership in some groups to get paid thru last paycheck even though they no longer have access to internal resources
- If employee is getting deprovisioned, can control email lists they are part of
- ChrisB: this is helpful, it is event based
- Moving towards the Grouper Deployment Guide approach using reference groups
- Focus on manually managed reference groups (example: studentness)
- Those automatically managed ref groups will be OK
- ChrisH: for next version of GDG hope to add an ad hoc type for manually managed.
- ChrisB: that would be helpful
- ChrisH: deprovisioning is a manual process. To avoid mishaps
- U Minn would need to Identify a deprovisioning manager who can handle and run the Grouper deprovisioning feature
- Or we could add an enhancement if automatically remove is needed
- Even using a rule, it’s not removal across the board
- Chris B: In general at U Minn there will be an office to create groups
- ChrisH demonstrates how this deprovisioning is used at U Penn
- Chris B: Central HR at U Minn won’t know about groups and access and who should have access to what depending on their status (student or not)
- ChrisH: only Grouper Admins can edit the deprovisioning settings
- There are groups at Penn where 12 people can edit settings, but not all get emails when someone leaves
- ChrisB: would be good to be able to specify who gets the emails for deprovisioning notices. Create a deprovisioning email group.
- ChrisH: that could work
- Carey: if there’s a group called employee and one is removed, it might not show up. There is a manual process. Carey: timeline issue, when someone is removed at 2pm, when do they show as deprovisioned? ChrisH: when someone pulls them up on the deprovisioning page.
- There is delay in getting into the deprovisioned users group. Would need a rule and have an email. There is a gap to get them automatically on a list.
- ChrisB: Would want that step to happen based on change in membership
- Having web service that kicks it off during the day is a possible enhancement, so no need to wait until evening for the email
- Certify like attestations to stop getting the emails
- Useful to notify a user’s manager
- But may be cases where manager does not know all the rules
- You identify groups that should be in the group filter
- There is a list of people in the deprovisioned group
- Must be able to read the group to use it. Could grant read access to a certain list of Grouper users
- Can make a composite group
- NEXT STEP : U Minn to kick the tires on the existing deprovisioning
- They will report back on any enhancements needed to meet their use case
- Note: UMD is also thinking about deprovisioning. People fall out of LDAP when they leave and become unresolvable. Perhaps will put them in an archive folder. In-house tool manages non-people identities, migrated group function out of that, but still some issues around web services and resolving subjects. UMD has Grouper 2.4 in production.
- ChrisH: there may be a bug around resolving subjects that the Grouper Team could fix.
TechEx 2019 Planning
Grouper BOF
Wed Dec 11, 2019 at 4pm
- Summary of Grouper 2.5 plans..
- Chad: getting close
- Need 2 months to finish and release Grouper 2.5 … Chris will announce as the plan
- Vivek: attributes and web services screens
- Shilen: disabling groups? Web services changes later
======
Provisioning and Access Management: Case Studies With Grouper and COmanage
Dec 10, 2019 at 10:20am
=======
Running the InCommon Trusted Access Platform in the Cloud
Wed Dec 11, 2019 at 2:40pm
Current work tasks, and next tasks
Vivek –
- Web service updates for 2.5 (audits, pit, new paging), more attribute screens
- Audits done in WS, new paging
- PIT changes to membership and web services
- When you have PIT changes on UI you can ask for point in time changes. If there’s a group member who joined and left and joined and left… previously only one row in web services. Now with PIT there are 3 rows in web services w the time stamp.
- That is in the GET MEMBERSHIPS service
- Q: how to deal with things in point in time and they are deleted but they are not in the real tables?
- You don’t know if it’s an immediate membership or composite
- A: data not there, is left blank
- If you pass in the inputs to GET MEMBERSHIPS, you are not calling the normal memberships, you are calling this new one
- Need to explicitly call GET MEMBERSHIPS so users understand
- Will start on attribute screens
Chris – SQL sync, bugs, paging
- Paging is working fine
- Only a few types of queries work with paging
- Chris will take Chad’s commit and do a 2.4 patch
- Bootstrapping and passwords fixes will be in that patch
- Anyone on team have Time to look at GDG? And knock off a few JIRAs, that would be great, by Friday.
- PAGING, Chris implemented this
- https://spaces.at.internet2.edu/pages/viewpage.action?pageId=159979041
- We were asked for this a while back
- Downloading 70K users and resolving attributes
- If you page thru w page # and page size, if someone deletes a record in the meantime, creates problem
- Solution: just use page size
- Called cursor paging, you have a point in the data and want everything after that
- AI Vivek: implement cursor based paging, this not just for auditing, but for all areas that use paging
- Can just pass in which type it is, will convert the field to that type
- If it’s a unique field the include is false
- Vivek: implementing this is simple, but wonder about testing all of it…
- Yes must run thru the tests. Easy test is to get the 1st page
- ChrisH looked at GET MEMBERS. Don't return member UUID to caller
- Would work on subject ID
- To be correct, need to add UUID
- Need whatever you are sorting on
- If it’s an indexed column it will be more efficient. Subject ID might not be efficient.
- If trying to run multiple web service calls with the same end point in concurrent calls, then cursor based ???? is not a good option
- ChrisH: good reminder, not sure how to handle that
- If doing this w memberships, is membership ID concatenated so it would be efficient?
- Must handle on client side
- Tests by membership ID or immediate membership ID
- Still some uncertainty and some work. We will iron it out
- Chris H must solve this at Penn to prevent timeout issue
- Start offering auto page option in Grouper 2.5?
- Internally there is some paging through
- Carey: An OSU user who is a member of several thousand groups found paging thru their groups very slow. This is in Grouper 2.3
- If subjects are coming from a database maybe it's not a big issue, but subjects coming from LDAP can be slow. OpenLDAP seemed to help.
- Perhaps Carey will open a JIRA
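The paging problem discussed under "PAGING" above, worked through as an added example. This is not Grouper's or grouperClient's code: it models a membership table as a list of dicts and a client that pages through it while another writer deletes an already-fetched row between page fetches (all rows are constructed sample data). It shows the gap that page-number paging leaves and the cursor approach that avoids it. It also goes slightly beyond the rule stated on the call ("if it's a unique field the include is false") by pairing the sort column with the unique id, so the comparison stays strict even when the client sorts on a non-unique column such as a name.

```python
"""Offset paging vs cursor (keyset) paging under a concurrent delete.

Added example, not Grouper code. The "table" is a constructed list of
members with a unique id and a non-unique sort column (last name).
"""


def make_table():
    names = ["adams", "baker", "baker", "chen", "chen",
             "chen", "diaz", "evans", "fox", "gupta"]
    return [{"id": f"m{i:03d}", "name": names[i]} for i in range(len(names))]


def sort_key(row, sort_field):
    # Unique id as tie-breaker makes the key total even if sort_field repeats.
    return (row[sort_field], row["id"])


def query_offset(table, page_number, page_size, sort_field="id"):
    """Server side of page-number paging: re-sort, then skip
    (page_number - 1) * page_size rows. A delete before this page shifts
    every later row one position back, so one row is never returned."""
    rows = sorted(table, key=lambda r: sort_key(r, sort_field))
    start = (page_number - 1) * page_size
    return rows[start:start + page_size]


def query_after(table, cursor, page_size, sort_field="id"):
    """Server side of cursor paging: return the first page_size rows whose
    key is strictly greater than the cursor. Strict comparison is correct
    because the key is unique; a delete of an earlier row cannot shift
    which rows satisfy 'key > cursor'."""
    rows = sorted(table, key=lambda r: sort_key(r, sort_field))
    if cursor is not None:
        rows = [r for r in rows if sort_key(r, sort_field) > cursor]
    return rows[:page_size]


def download_offset(table, page_size, delete_after_page=None, sort_field="id"):
    """Client loop for page-number paging. After page `delete_after_page`
    a simulated concurrent writer deletes the first row of the table."""
    seen, page = [], 1
    while True:
        batch = query_offset(table, page, page_size, sort_field)
        if not batch:
            return seen
        seen.extend(r["id"] for r in batch)
        if page == delete_after_page:
            table.pop(0)          # simulated concurrent delete
        page += 1


def download_cursor(table, page_size, delete_after_page=None, sort_field="id"):
    """Client loop for cursor paging: the client only ever sends the key of
    the last row it received, never a page number."""
    seen, page, cursor = [], 1, None
    while True:
        batch = query_after(table, cursor, page_size, sort_field)
        if not batch:
            return seen
        seen.extend(r["id"] for r in batch)
        cursor = sort_key(batch[-1], sort_field)
        if page == delete_after_page:
            table.pop(0)          # simulated concurrent delete
        page += 1


if __name__ == "__main__":
    everything = [r["id"] for r in make_table()]
    got = download_offset(make_table(), 3, delete_after_page=1)
    print("offset paging missed:", sorted(set(everything) - set(got)))
    got = download_cursor(make_table(), 3, delete_after_page=1)
    print("cursor paging missed:", sorted(set(everything) - set(got)))
```

The caveat raised on the call still applies: the cursor is state the client must carry between calls, so concurrent requests against the same end point each need their own cursor, and the column the cursor is built on should be indexed or the server pays a full sort on every page.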
Shilen – Group enabled/disabled
- Memberships are done
- Working on Attributes, so when you disable a group it will find attributes and disable and etc. and etc
- Not as many queries need to be changed
- Small number of queries may need to be changed
- Searching for objects in top right
- Click on a subject, memberships disabled
- Need something that jumps out at the user: This is a Disabled Group
- For editing , enabled and disabled dates should pop out
- Shilen still needs to update one or two views
- Just change the select
- Then will work on web service and UI
- Shilen will email Vivek and Vivek will work on the web service aspects
Chad – Bugs, libraries in 2.5, gantt chart? Tree on left of UI with more than X children
- Libraries: quartz we are running 2.3.0, and 2.3.2 got released a month ago.
- Making progress on Visual GANTT Chart
- Did a demo on the call
- Can do filtering
- Was created several years ago and subsequently improved in github
- ChrisH : need info architecture: Daemons link, all Daemon jobs, job history, could get too cluttered, make a Daemon link and put sub options under
- Should harmonize the jobs, loader jobs and daemon jobs
- Check box to filter?
- Chad will make more enhancements
Libraries:
- Chad will look at the hibernate issue
- Quartz, Chad will look at a few issues
- 2.3.2 maven released in Oct, AI Chad will get on the Quartz email list
Bill – GDG, training, pspng, dev env
Backburner: container discussion with Chris Hubing
Issue Roundup
Slack
Nov 14 2019: PSPNG question, I have a rule that I've applied to 53 folders, and that translates to 3498 groups. However the pspng process seems to be stuck. (J Crawford)
Nov 14: would it be useful for the container to have a url so its easy to know the server? https://spaces.at.internet2.edu/display/Grouper/Display+an+SSI+and+server+label+in+UI+docker+container (Chris Hyzer) Suggestion to Chris to share this contrib on the users list (EE)
Nov 15, 2019: want to start using the "folder type" attributes in v2.3. Is it possible to export/import the attributes and use them in 2.3? (without the fancy UI stuff, and without breaking my upgrade path?) (Carey) OSU hopes to shift to containers and upgrade to 2.4 by April 2020
Nov 18, is there a way we can add a group as a member of another group from either API call or from GSH? (Sudheer)
Nov 20 performance implication of large group changes, (Chris Hyzer)
- Need to look at PSPNG performance.
- ChrisH is doing midpoint training, interesting approach to provisioning,
Nov 20 desire to have "auto add a direct membership" to GroupB anytime a membership (direct or indirect) is added to Group A. Can that be done with a Rule? (Carey) UPDATE: Carey did not get the rule working, Carey will email the grouper core list. Syntax issue perhaps
Nov 20 Does the Grouper UI allow for attribute assignment on a membership? If not, is that planned at some point?
Reply: no Chris added it to the roadmap for a 2.5 patch…Vivek working on this
Nov 20 UI does support attributes on memberships (Carey)
Nov 20 Has anyone run into any issues using regex in their LDIFCreationTemplates (JeffW)
Closed curly bracket in scriptlet causes issue. ChrisH opened a JIRA for this
Nov 22 a situation where users with membership expirations show up as deleted in the audit log but remain as active members in the groups. (GregH)
Nov 25 delete memberships for unresolvable subjects through the WS? (AlexP)
Nov 26 "lite" ui ..I have a request to make a simple page so people can check their two-step/o365 status, and enable or disable it. ChrisHyzer
- Chris H may work on this for Penn
Nov 26 Initial wiki version port of the Grouper Deployment Guide is complete. You can view the current/latest version here: https://spaces.at.internet2.edu/display/Grouper/Grouper+Deployment+Guide (Bill T)
Nov 26 I am trying to figure out system passwords in Grouper. Also can I place the encrypted value in an environment variable and have the system take that somehow? It does take plain text password environment variables already. (Rachel L)
Grouper allows scriptlets
Nov 27 assessing options for our grouper cloud deployment, specifically looking at AD setup. has anyone experience with running across forest boundaries, or are we limited to staying within? (Joe S)
Nov 27 building a hierarchy for applications, in our non production sometimes that means testing the processes to import it. Problem with deeper than 6 levels, (J Crawford)
- AI Chris will create a patch for building a hierarchy and issue of deeper than 6 levels per Nov 27 Slack from J Crawford
Dec 1 Attestation and Local Entity (Carey)
- Attestations w one principal is OK but people get tired of attestation emails.
- Maybe use a report?
- OSU using local entities for service accounts
- Timeline less important than ensuring that someone handles it.
- Use Grouper Disable feature
- List of local entities and send it to someone? Is that an OK workaround?
- When OSU gets to Grouper 2.4, plan is to use a report for this, need to be able to attest
Dec 3 do we need to do the PIT "set" delete not in a tx? we need to not have unscalable transactions (ChrisHyzer)
Grouper Wiki Updates
- Grouper Shell (Chris)
https://spaces.at.internet2.edu/pages/viewpage.action?pageId=14517859
- Grouper Provisioning Strategy (Chris)
https://spaces.at.internet2.edu/display/Grouper/Grouper+provisioning+strategy
- Cursor based paging to download large amounts of data without missing records during inserts/deletes (Chris)
https://spaces.at.internet2.edu/pages/viewpage.action?pageId=159979041
JIRAS
GRP-2477
allow getMembers paging to get all members with no gaps from client
GRP-2476
add autopage option to grouperClient so it will handle large requests
GRP-2475
cursor based paging to download large amounts of data without missing records during inserts/deletes
GRP-2474
LoaderLog getGroupNameFromJobName not consistent among different job types
GRP-2473
PSPNG cannot parse Regex containing {}, while contained in ${}
GRP-2472
Update and expand access control models
GRP-2471
Operational Considerations needs attention
GRP-2470
New Content - Expanded examples of ACMs
GRP-2469
New Content - Grouper Security Model
GRP-2468
New Content - ABAC, RBAC, and Grouper
GRP-2467
New Content - Guidance on ref groups for courses, students, departments, etc.
GRP-2466
New Content - Attestation Patterns
GRP-2465
make grouper box user last longer and be configurable
GRP-2464
Expand provisioning models to included WS
GRP-2463
Add example of service specific reference groups anti-pattern
GRP-2462
Add discussion on XACML model components (PAP, PDP, etc)
GRP-2461
Diagram access control model overview
GRP-2460
Describe uses of the "test" folder in production
GRP-2459
Further describe how to use standard folders
GRP-2458
Deploy GDG top level folders in TAP distribution
GRP-2457
Add illustration of standard folder set
GRP-2456
Add high level discussion on ways to get data in and out of Grouper
GRP-2455
Update Folder and Group Privileges illustration
GRP-2454
Add discussion on complex group math
GRP-2453
Add Grouper Rules discussion to Understanding Grouper
GRP-2452
Grouper WS /grouperPrivileges fails to remove privilege from unresolvable subject
GRP-2451
allow grouper box to have pem in database config
GRP-2450
improve error handling of box integration and have stats in full sync loader logs
GRP-2449
when reports are deleted they need to get unscheduled in quartz
GRP-2448
keeping subject.properties in database causes not to load jdbc source
GRP-2447
endless loop if morph password is in external file
GRP-2446
grouper installer doesnt put jars in right place in webapp
GRP-2445
better error handling and logging in remedy integration
GRP-2444
schedule a CSV file to be SFTP'ed to server
GRP-2443
run bad membership finder more than once daily? or more than 3 times?
GRP-2442
loader summary doesnt match number of members in group
GRP-2441
tree display performance with permissions turned on
GRP-2440
cache some memberships in a local table so complex queries that use memberships are faster
GRP-2439
pspng should log that subjects not in target system once
GRP-2438
Add time picker UI component
GRP-2437
option for loader job to exit on connection failure
GRP-2436
when removing loader the recent activity says "Added attribute legacyGroupType_grouperLoader"
GRP-2435
attribute drop down in membership attributes (from member screen) doesnt filter by attributes assignable only to memberships
GRP-2434
attribute assignments on memberships (both types)
GRP-2433
change attribute name loader to have better attribute structure and UI
GRP-2432
if multiple matches delete one?
GRP-2431
Add functionality to trigger group specific attestation job from API call
GRP-2430
add audit in membership drop down for memberships
GRP-2429
add sftp support in grouper
GRP-2428
config items that dont have private or pass in the name but which are encrypted might show raw data on ui
GRP-2427
Upgrade java-mysql-connector to support new server authentication
GRP-2426
can we have container daemon running as not root? i suggest grouper user or tomcat even?
GRP-2425
if you remove a group's loader config, it should remove the loader metadata
GRP-2424
if you configure an existing loader job to not have loader config, it should blank out screen before submitting
Grouper-User list Emails
- [grouper-users] grouper templates, Hyzer, Chris, 11/14/2019
- RE: [grouper-users] grouper templates, Redman, Chad, 11/14/2019
- Re: [grouper-users] Escaping search filter?, Jeffrey Williams, 11/14/2019
- RE: [grouper-users] "Browse folders" pane: no visual clue indicating truncated list, Redman, Chad, 11/15/2019
- Re: [grouper-users] "Browse folders" pane: no visual clue indicating truncated list, Dominique Petitpierre, 11/19/2019
- RE: [grouper-users] "Browse folders" pane: no visual clue indicating truncated list, Coleman, Erik C, 11/15/2019
- [grouper-users] sending messages to AWS SQS, Ben Beecher, 11/19/2019
- Re: [grouper-users] sending messages to AWS SQS, Ben Beecher, 11/20/2019
- RE: [grouper-users] sending messages to AWS SQS, Hyzer, Chris, 11/20/2019
- Re: [grouper-users] sending messages to AWS SQS, Vivek Sachdeva, 11/20/2019
- RE: [grouper-users] sending messages to AWS SQS, Hyzer, Chris, 11/20/2019
- [grouper-users] patch, Hyzer, Chris, 11/24/2019
- [grouper-users] Grouper Deployment Guide - wiki version update, Bill Thompson, 11/26/2019
- Re: [grouper-users] Grouper Deployment Guide - wiki version update, Bill Thompson, 11/26/2019
- [grouper-users] Updated systemd files for UI and loader, Pete St. Onge, 11/26/2019
- [grouper-users] "cursor" based paging, Hyzer, Chris, 12/02/2019
- [grouper-users] Check out new blog on Grouper Reporting!, Emily Eisbruch, 12/02/2019
- Re: [grouper-users] AD Provisioning not working on delete, Oliver Trieu, 12/03/2019
- Re: [grouper-users] sending messages to AWS SQS, Ben Beecher, 12/03/2019
- RE: [grouper-users] sending messages to AWS SQS, Hyzer, Chris, 12/03/2019
Upcoming Grouper Call Schedule:
- Today’s Dec 4 call was an off-week call due to Thanksgiving last week
- Next Grouper Call , Wed Dec 18, 2019 (off week call to keep things on track)
- Note: Dec 25 cancelled due to holiday