Notes from the Grouper BOF at Internet2 2014 Global Summit
April 9, 2014
Tom Barton, U. Chicago
Michael Gettes, CMU
Allan Crossell, Columbia
Chris Dowden, Columbia
Bill Thompson, Unicon
Albert Wu, UCLA
Benn Oshrin, Spherical Cow Consulting
Scott Koranda, Spherical Cow Consulting
Eric Buckhalt, Georgia Tech
Keith Hazelton, UW-Madison
Soctt, Isaacson, Educational Service Unit Coordinating Council, Nebraska
Jordan Clark, Educational Service Unit, Nebraska
Emily Eisbruch, Internet2, scribe
Access Management and Grouper
It would be helpful to have more specific examples in the Grouper documentation of how to implement access management. To leverage the power of Grouper, currently an IDM person must map what the Grouper UI does into Access Management functionality. A good direction would be for the access management functionality in Grouper to become more obvious and easier to understand.
-Suggestion for the UI to provide check boxes for the user to put people into the right groups for the right services.
-Also, for the audit side of things , if I am a CISO, would be helpful to have specific object I am looking for, I want to see who had access and when they had it
-Would be desirable to have a simplified UI that is geared for that task with a delegated departmental admin focus. Maybe I want an email every month that shows me who has been added to whater
UCLA wants developers involved in using Web services to manage groups. It would be good to have more work on web services and make it easier to use. UCLA expresses groups thru Shib. People ask re inconsistencies between Grouper and expressing attributes in Shib.
Example: we set a group and it gets transferred into an entitlement attribute
-want to use that to look up a group; there is not one-to-one mapping
Need to know: how did this person get the entitlement?
Tom reviewed the history of the Grouper provisioning strategy
-LDAP PC, LDAPPC-NG
-provisiong service provider (PSP)
-PSP works and is supported, but is not the strategy moving forward
- In the PSP, everything must go thru SPML; that proved to be an obstacle to many provisioing requirements
-Plan is that as there are new provisioning needs we will try to write a provisioning connector that is smart on that consumer.
For example, we are writing a SCIM provisioning connector and SURFnet will use it.
-it was noted that SalesForece uses SCIM
-The Grouper dev team should not be the sole providers of connectors. Goal is to have a transparent process
And a broader set of developers/contributors in this area
Facilitating Community Contributions
Currently, taking a contribution and making it usable is not always simple.
Would be good to put requirements around making the contributions more usable by others.
Suggestion to borrow from Net+ Services and their stages of evaluation
it is a lot of stages: validation process, etc.
lends a degree of confidence
if we could know for a contributed module what status it's in, this would be helpful
See the Atlassian plug in market for an example,
Where you can tell who supports which contributions and what is experimental
Bill: like the Apereo or JASIG incubation
Suggestion to use a changelog with Apache ActiveMQ processors.
Tom: Grouper has a connection to an ESBhttps://spaces.at.internet2.edu/display/Grouper/Grouper+ESB+Connector
Comment: ESB is heavier than getting to a message bus.
There are other options, but AMQ is most generic; Red Hat and IBM are based on AMQ
CMU is going to production with ActiveMQ. CMU will share after they have a few weeks in production.
One concern is that not all schools are doing things like this.
Tom: there will be downsides for sites to have to implement AMQ in order to use Grouper
Bill: you can consider AMQ as part and parcel of Grouper; Incorporate AMQ into the changelog facility
-Queuing is going to become like databases.
-so queing connectors to prominent queuing environments can multiply
and there will always be some who are not there yet
There are places wehre LDAP will remain #1.
Suggestion that provisioning could be in Sakai
A lot of authorization happens in PeopleSoft
Demonstration of the Grouper 2.2 UI
This completely changes things; it's huge
This goes from previous UI which is beset used by a well trained admin
While with the new Group UI you can give to a logical person
- This is awesome; The community has been waiting for this
Tom: there are a few things that are not in the new UI
Editing of attributes is not in this UI, but there is a link to get to the LITE UI
It's on the roadmap