Child pages
  • 5-August-2020
Skip to end of metadata
Go to start of metadata



  • Chris Hyzer, Penn, Chair
  • Chad Redman, University of North Carolina Chapel Hill
  • Shilen Patel, Duke
  • Carey Black, the Ohio State University
  • Vivek Sachdiva, independent
  • Jeff Williams - University of North Carolina Greensboro

Intellectual Property reminder:

 Grouper Action Items are here  

 New Action Items from this call

  • AI Chris will add a contrib on how Penn got Zoom provisioning to work using Loader



Upcoming Training: Grouper School, Oct 6-9, 2020


Configuration for Provisioning

  • Have config files 
  • Working on intersection of code base   
  • Implementing filter ability
  •   search by keyword
  • Looks at DB Config and the base files
  • Will add an advanced option so users can specify if they want to seach in only DB Config
  • Can export config file
  • Not looking at
  • Adding properties with a large value is possible, stored in clob
  • Adding config history, to look at who made changes when
  • To see history of a config property
  • Need to add a way to revert to a previous state for the property
  • Chris: there should be a checkbox with button at top
  • Saying “revert to old value”
  • Go in order of time from oldest to newest
  • Checkbox to undo the change and go back to old value
  • Shilen: regarding filtering the DB properties
    •  Would like an option to filter everything that  is not base,  to see everything I have overwritten
    • Could be called “overwritten properties”
    • Revert to the old value
  • Feedback: Good work 
  •  auditing capability is good
    • Point in time table
    • Carey: Can audits become events as well, so change logs reflect the change
    • Want to know the timing for the JVM
    • Chris: can be on the list for the future
    • Chris and Shilen need to discuss timing for changes
    • Might not trust change log for this
    • Carey: working on change log consumer to audit events, hope to see changes in the stream

  • First time using Clobs
  • Hope to have a table for files in the future

  • Vivek would like to have the UI look better
  • Table goes outside boundary
  • HTML sucks
  • Div doesn’t expand like a table does


  • PSPNG work
  • Provisioner tries to get all groups that are provisionable
  • Gets stems and groups with the attributes
  • Those are put into interesting groups
  • Runs an expression on all of them 
  • To see if they are provisionable
  • Takes a while, it is doing attribute math
  • But already we have the attributes that are assigned
  • If you did not turn off
  • It may cache all the assignments of attributes to object
  • Two new data structures
  • If you have the default script to configure
  • Can do the calculation in memory instead of doing it for each group
  • Walk up tree and look for DO NOT PROVISION
  • Then walk up tree and look for PROVISION
  • Will filter things from change log that are not provisionable
  • Uses cache
  • Can flip the switch off
  • Will get group name, 
  • Then see if there is a cache entry
  • See time for that entry
  • If change log happened before decision if it’s provisionable
  • See if it should be skipped
  • If group is provisionable, does not mean change log item is provisionable
  •  Should span more than 1000 change log entries
  • Using cache and keeping the time, instead of hashmap
  • question about clearing the cache if it finds an attribute
  • Once attributes change you can do the logic again to see if things are provisionable
  • Local field instead of   ehcache
  • Can have multiple provisioners, should stay with the provisioner
  • Advantages of expirable caches, they go away, they are not configurable
  • Chad: boolean provisionable from cache
  • Check for true and false, check for null
  • Chris: three states, could have 2 boolean primitives
  • Chris will change the logic to match
  • Then after next commit  Jeff should run the unit tests
  • Did testing at Penn, it sped things up

  • Chris will think about the attribute part
  • Will clear it out if it’s provision to or not provision  to
  • Will add more comments
  • Will change the hierarchy logic

  Zoom provisioning work


  • UNC: 
    • List of mappings for groups to what sub account
    • It goes by whichever is first in the mappings
    • Have to carefully craft the mappings
    • People in two groups is an issue

  • Penn uses groups for common settings in a school (arts and sciences versus engineering)
    • Penn will have 12 groups, one for each of the schools
    • 4 sets of folders w same groups
    • Auto populated groups by school
    • Could be an override group for people not in the school
    • Loader job with a case statement
    • So everyone is only in one group
    • Just in time thru SAML
    • AI Chris will add a contrib on how Penn got Zoom provisioning to work using Loader
    • Doing everything with groups
    • Grouper Security: a list of admins for every school
    • Will use a case statement

  • You don’t want to do just in case provisioning to Zoom
  • That can use up licenses
  • Zoom only wants one group per person
  • Need exclusions
  • Concern about de-provisioner
  • Load from Zoom
  • So you can get your groups from Zoom
  • If managing roles in Zoom, loading those back to Grouper can be helpful
  • Auto deprovisioning can be helpful
  • Will normalize the name, if white space in the name, it puts underscore
  • Zoom also has roles: admin , owner and member
  • Can also have custom roles
  • Penn will do roles thru SAML
  • To make sure only in one
  • Zoom account has user type
  • Licensed or non licensed or on prem 
  • Can track in Grouper
  • Status can be loaded from zoom
  • Pending is when you are going to switch accounts
  • Deprovisioning of roles thru a provisioner
  • But don’t add roles or groups
  • After 3 months delete their account
  • Zoom Connector can provision, load, set status of a user account
  • Need to put more thought in this,
  • Too much like a swiss army knife

  • Carey: Group in Grouper, what does it become in the connected system
  • A provisioner to only do deletes is interesting
  • Groups here are roles and groups there are groups…
  • Not sure how this will work out

  • Chris: in this case, it works out using folders
  • Full sync can sync this thing to groups and this thing to roles
  • But how to best organize it
  • With multiple instances
  • Cross coordination, what happens in which order
  • Might need to keep synchronized

  • Azure connector is also a bit complex
  • Zoom is small and targeted
  • Azure could manage tons 
  • Every change log consumer has complications, depending on what features you are supporting of the target system
  • Chad: if UNC wanted to change to this for Zoom…. Documentation would be helpful.
  • Zoom is a problem, not handling multiple assignments.
  • Not doing roles

  • Visualization can be helpful for provisioning to Zoom


  • Provisioning work
  • Spoke w Chris about Grouper DAO and about queries added there
  • Shilen has implemented the queries
  • Implemented the base logic class
  • Derives from LDAP, creates thread, gets data from Grouper
  • Does comparisons
  • Next step is to tie in translator component
  • Chris and Shilen will discuss the translator this week
  • SQL Query to get data out of grouper. Used Grouper Memberships All
  • Chris did a view for Zoom, DON’t use grouper memberships lightweight view
  • Could have used membership finder
  •  In any target, it’s nice to load things back
  • Even just for bootstrapping (Slurp things up)
  • See a bunch of EL and try to document and make this work
  • Hope the work done for Zoom (and other targets) will fit into the new provisioning framework
  • An option to only delete and not add would be nice eventually
  • Right now just want to get going w LDAP
  • NEXT STEPS: Translation , then comparison logic for adds and removes
  • Noticed PSPNG does not in change log tell you how many adds and deletes
  • Looking forward to common stats in new provisioning framework
  • Shilen: In what component are sync objects added?
  • Full sync daemon will need to make sure that the sync objects reflect if everything is provisionable 
  • Sync objects are defined in the database and contain a mixture of Grouper and target stuff


  • RabbitMQ Implementation for UNC, 
  • Need some new functionality
  • Cluster that needs a quorum argument
  • Need to pass arbitrary arguments
  • Implemented that 
  • Vivek had implemented w trust store

  • Working on JIRAs
  • Azure provisioner
  • Documentation for graph API says you can have different visibility
  • But newer github doc says uppercase H and uppercase M
  • You can send the wrong case when creating a group
  • But when it comes back it converted and there are issues
  • Chad has done a fix to manage this
  • ESB Message publisher is needed for extra arguments
  • But there  are other places were Rabbit MQ is used
  • Chad will work on this as a Grouper task
  • GRP 2918 (extra arguments) and 2920 (SSL Support)

  • Discussion on CSV loader jobs
  • Creating a different type of job
  • Can do all the things SQL jobs can do?
  • Different table for every CSV file
  • Supporting different sources
  • Front end for an end user to be able to use
  • Spin up 15 new application control policies
  • Can import a list of 15 names
  • And have things (group formation) happen automatically
  • Instead of going thru template 15 times
  • Chris: have a folder, make query based on the columns
  • Need certain permissions to do a loader job
  • Need to get CSV to the container
  • Can have 2 jobs, one copies a files then GSH can make jobs run one after the other
  • Start from a group, import list of users from CSV
  • But have a column for the group
  • Import a list of users 
  • If an end user can do this, then it takes hassle away from the admin
  • Chris: we can do that, it’s different from a Loader
  • Good mechanism to have, add to JIRA, will have to do the work later
  • To operate in context of user
  • Should be able to import / load memberships and more

Hoping for a new 2.5 release in a week or so from now

Issue Roundup

Grouper Slack

J Stout: Memberships by stem and get error

Is there a way to return stem attributes 

J Crawford:  Setting that impacts how long the UI will wait until it does error thing with the text…

Chad: Translate what this UI status message means…

Chris Hy Custom UI example of Banner Access

ErinM: Grouper Training is open


Michael G want to show subject ID of attribute assignment in messages sent

LaceyV:  trying external systems feature in 2.5.33 , get  error

Carey:  GRP2903, All Daemon jobs filter option

 J Crawford: bug in the handling of groups from loader jobs that no longer have members

Beth: Has anyone else found a reasonable work-around (using the Docker container distribution) to manage the Office 365 unified Hiddenmembership groups

Lacey General question related to managing configs in the database…is best practice to import old config values from file and then forget about those files, so all config changes would only be in the database moving forward?


GRP-2920 RabbitMQ client support for SSL without client certificate or tls version

GRP-2919Support assigning Azure Administrative Unit in group creation

GRP-2918 rabbitMQ esb publisher support for extra arguments

add zoom user deprovisioning

  • GRP-2905Azure provisioner unable to create Unified Hiddenmembership Groups




Grouper Emails

RE: [grouper-users] Grouper Messaging with Apache Kafka, Hyzer, Chris, 07/22/2020

  • No labels