

Grouper BOF at Global Summit in DC

April 25, 2017



What is Grouper?
Central authorization, groups, permissions, provisioning, auditing, delegation and distributed management


Grouper and TIER
• TIER provides:

  • Requirements for development
  • Funding
  • Architectural guidance
  • Standards to harmonize with other TIER products
  • Contributions in areas such as: packaging, security, administrative help, etc


Grouper progress in last 6 months 

• Patches - Not making changes to core
• These things are low risk enhancements
• You can pick which patches you want to install
• The upgrades should be similar to what you are already deploying
• Instrumentation
• Real time loader
• View and edit Grouper loader in UI
• Attestation - so someone has to look every once in a while

• Subject API diagnostics - it's been hard to configure; this helps you look at diagnostics and troubleshoot


• TIER interested in collecting metrics for TIER components
• If large # of institutions are changing defaults we could change how we default things
• Right now no production TIER collector, but you can enable and send to a test collector
• Things to add

◦ Counts of operations 

◦ Monitoring of adds / deletes

◦ That thread reports to database

◦ Grouper UI will show that data

◦ Demo of collection - all available in a patch


Real Time Loader

  • Before this all loader jobs did full comparisons

  • Query source, get all memberships and do comparison

  • Problem for large loader jobs
  • If you want to capture changes every minute that's a problem
  • So now with patch in 2.3 you can capture incremental


Loader in UI
• Makes queries easier 

• Only for admins or those to whom you give permission

• In on each of the items

• Doc on each of items 

• Should be in your audit log

• Now you can schedule..

• Can do logs to look at past runs of this

• Can see failures and errors; Can filter by times or status

• Will help troubleshoot a loader job

• Hope to do a dashboard of all loader jobs, both SQL and LDAP



Attestation
• Require group admins to review memberships

• Helps with deprovisioning

• Vivek has worked on this - there is now a test patch

• You go to folder or group

• Click on attestation menu item

• You can configure 

• You want this group or groups to be periodically reviewed (re-certified) by the admins


Config Migrated to Properties
• Sources.xml and ehcache.xml 

• Makes configuration more consistent 

• Upgrades easier (no merging or editing XML files) 

• TIER packaging easier (or even possible) 

• Optional for 2.3.0+patches


Subject API diagnostics

  • Config migrated to properties files
  • Migrated to be properties overlays
  • Optional for Grouper 2.3.0
  • You can run installer task


TIER API in installer

  • You can install the TIER API from the Grouper installer
  • TIER API is full J2EE, SCIM, can’t run in Tomcat
  • Installs TomEE, there are a couple of issues
  • Email Chris Hyzer if you want to know when this will work


UI Accessibility

  • Report from U of Colorado was extremely helpful
  • Fixed the issues, committed to github
  • Waiting on review from Colorado



Please see Slides on pages 15-17 here:


• Works with incremental provisioning and full sync

• If group was wrong and you want to re-sync

• Read Grouper and the target and make it correct?

• Automated Q - integrated tests (Docker)

• Makes sure the stuff still works

• Empty group issue has been fixed…

• It’s been a challenge with life cycle -- foundational improvements came up

• ScottK: Our deployment is leveraging what PSP has, but PSP NG does not

  • Munging full group name in interesting names

  • Before it's provisioned to LDAP? It’s working..

  • How long will PSP continue to work before need another solution.

  • Bert: no plan to stop shipping it

  • Talk about this at 2017 TechEx?
  • Whatever feature you are using, can we add it to PSP NG

• It’s a full REGEX replace

• Finishing 2.3 and getting to 2.4 --  we hope to have answers for some of these gaps.

• As we look at 2.5 

  • Discuss on list new endpoints, absorb some of the open source code for endpoints

  • Google, Box, Office 365.. Taking on some of those and getting out of LDAP focus

  • PSP performance and simplicity… bring into other endpoints and keep them up to date.

  • Provisioning means de-provisioning too… removing groups and members

  • Need to work on Failsafe

  • How to approve 


Grouper Product Roadmap

Plans for Grouper 2.4

  • Deprovisioning in UI 
  • Replace Admin and Lite UI with “New UI” 
  • New messaging strategies (AWS, AMQP) 
  • Provisioning in UI 
  • Integrate other contributions – GSH – Unicon O365? 
  • Release this summer hopefully
  • Your item here

After Grouper 2.4

  • Provisioning – Improvements – More targets 
  • Add more WS operations 
  • Add more TIER API operations 
  • Get more institutions to use the TIER API and packaging 
  • More UIs for: – Attributes – Configuration – Rules 
  • Group expire dates 
  • your item here



Reconciling so if you provision to AD or 365 and people still using native -- pull back in
• Multimaster

• AD SOR and Grouper SOR

Provisioning and target directory … it logs that subject does not exist
What about replicate the subject across?
There is code from a year ago that has subject creation

Replicate a subject to a target

  • Chris: if you are creating a subject with an ID it would be worthwhile to have lightweight user creation
  • We say, don’t put data in Grouper
  • But if target already in Grouper
  • Google provisioner does that

Note there have been updates to Google Grouper provisioner


Question : subset in mobile UI?
A: it is responsive now


Grouper Deployment Guide
Bill Thompson, Lafayette

  • Was a community effort
  • Thanks to all the Grouper community contribs in the wiki
  • Community came together on a model
  • Bodes well on things to come
  • identity as a domain and body of knowledge
  • Grouper is powerful and flexible
  • Lafayette took 6-8 weeks to review contribs in wiki and then to decide how to do it
  • This led to the idea of a Deployment Guide to reduce time needed for deployers in the future
  • Worked with Columbia University on their Grouper Deployment Guide
  • Grouper Deployment Guide focuses on a few use cases
    1. NIST doc talks about turning natural language policy into digital policy that can control access to systems. Grouper Deployment Guide talks about how that works

    2. Access policies are attribute based; the model the guide talks about is attribute-based access policies. Since Grouper is so focused on groups, people lose sight that it’s about subject attributes…

    3. A key concept of the NIST doc is accommodating the unanticipated user. So if your access policy is attribute based, then when a new user comes into the system their access to systems is kept in sync and provisioned and de-provisioned as needed.



Grouper Training

For those interested in Grouper Training, please check out the
 Grouper Training at Open Apereo on June 4 2017 in Philadelphia 

  • June 4th, 2017
  • 1:30pm Grouper half-day session
  • Bill Thompson  and Chris Hyzer
  • Philadelphia Hilton Penn’s Landing (maybe?)

Please Contribute Your Grouper Deployment Story

Please contact if you can contribute a Grouper deployment story from  your campus to the Grouper Community Contributions wiki. 

Thanks for attending the Grouper BOF






