


Tentative date or time frame



Released June 2010



Released September 2011



Released March 2012



Released July 2014



Released April 2016

2v2.4 | Released August 2018 | None
2v2.5 | Released April 2020


2v2.6 | Released September 2021


Has both new provisioning and subject sources as well as old
v4 | Released March 2023 | Stable release | Is same as 2v2.6, but using semantic versioning
v5 | Estimated Q4 2022 | Experimental release

Will only have new provisioners and subject sources (data fields)


These will go away in v5

Subject source adapters (unsure about future)

Non-provisioning-framework provisioners

  • googleapps-google-provisioner
  • grouperAtlassianConnector
  • grouper-aws-changelog
  • grouper-azure
  • grouper-box
  • grouper-duo
  • grouperKimConnector
  • grouper-pspng
  • grouper-remedy
  • grouper-remedyDigitalMarketplace
  • grouperScim
  • grouper-shib
  • grouper-tierApiAuthz
  • grouper-tier-scim

These will still be in Grouper going forward

All provisioning framework connectors
Custom change log consumers
Messaging connectors

  • grouper-messaging-activemq
  • grouper-messaging-aws
  • grouper-messaging-rabbitmq

6.0 | Estimated Q4 2023 | Not released | Stable version of v5
v7 | Estimated Q4 2024 | Not released | Will redo how data is stored in the database in order to make things faster and use fewer resources


So while the Grouper developers are coding v7 (fall 2022 to fall 2023) and supporting 2v2.6 and v5, the community can work on reconfiguring and upgrading to the new provisioners and subject sources.


What Happened?



v5 (DONE) | Add Grouper data field system | Manage user attributes and identifiers differently than the legacy subject source system
v5 (DONE) | Single process container | Only run Tomcat in container, not TomEE, Apache, ShibSP
v5 (DONE) | Remove pspng and legacy provisioners | Only new provisioning framework, change log consumers, ESB consumers (including messaging) available
v5 (DONE) | Evaluate which upstream linux container should be used | Rocky linux
v4 | GSH loader | Allow a loader to be a GSH script to load groups and memberships (like SQL)
v4 | Unicon authn | Add Unicon authn in container which implements SAML in java (and other things, CAS, etc)
2v2.6 (DONE) | Add remedy provisioners
2v2.6 (DONE) | Box provisioner
2v2.6 (DONE) | Rewrite Grouper SCIM server | Replace the current J2EE SCIM server to only need tomcat
2v2.6 (DONE) | Support JSON in grouper client | grouper client currently does XML but should do JSON (by default with option to switch back)
2v2.6 (DONE) | Add OIDC UI authn | OIDC UI
2v2.6 (DONE) | Streamline provisioning configuration | Make it easier to configure before more people start using it (v2.6 change). There would be an upgrade instruction to run a script to help you transition (including script configs). e.g. CRUD and validation. Change docs/tests.
2v2.6 (DONE) | Add provisioning loaders for non generic provisioners | Add loader for provisioners (not SQL or LDAP) like Duo or Zoom
2v2.6 (DONE) | Group attributes on edit screen | Have some configured group attributes on the group edit screen
2v2.6 (DONE) | Add provisioning config scaffolding | Add scaffolding for provisioning configs to generate a starting point
2v2.6 (DONE) | Add OSGI to Grouper | Add strategy to have plugins on their own classpath
2v2.6 (DONE) | Entity global attribute resolver | Define a SQL or LDAP generic entity resolver which can be used in Grouper features like ABAC or provisioning
2v2.6 (DONE) | ABAC JEXL scripted groups | JEXL based access policies based on memberships or attributes
2v2.6 (DONE) | Improve folder security performance | Might need an extra table to hold part of the folder security decision
2v2.6 (DONE) | Finalize LDAP provisioner
2v2.6 (DONE) | Add Google provisioner
2v2.6 (DONE) | Finish provisioning diagnostics
2v2.6 (DONE) | Finalize Azure provisioner
2v2.6 (DONE) | Add SQL provisioner
2v2.6 (DONE) | Add box provisioner
2v2.6 (DONE) | Add Duo role provisioner | Admin roles
2v2.6 (DONE) | Add WS authn options | Trusted JWT WS, self-service JWT WS, OIDC WS
2v2.5 (DONE) | Add database columns | Add database columns for group expiry (membership expiry already exists), and membership notes (maybe an attribute instead). Anything else for point-in-time? "visible" flag for UI for groups. password table for revamped WS authn. Service account subject source table? provisioning status. provisioning group status? log table? email batching? config PIT table
2v2.5 (DONE) | Revise build environment and dependency retrieval

Revising code environment to get rid of dependencies and the hybrid builds (Maven and ant builds, hard to keep everything in sync)

Possible options:

  1. Ivy: keep existing ant scripts and use Ivy for dependency retrieval
  2. Maven: Remove ant build script and let maven drive both the build and dependency retrieval. (create various profiles for each env)
  3. Gradle: Remove ant/maven build scripts. Use groovy scripts to retrieve dependencies and drive the build

Need to figure out versions for each dependency.

2v2.5 (DONE) | Real time message based provisioning | Allow messaging to take events to provision new netIds (pspng)
2v2.5 (DONE) | Add unicon azure integration to grouper | Add the unicon azure integration to grouper.

2v2.5 (DONE) | GSH templates | Look at how the community uses GSH and move those needs into the UI
2v2.5 (DONE) | Subject source adapter configuration wizard | Have grouper subject source adaptor configuration in the UI like the loader config. Explore including Midpoint and Comanage if useful
2v2.5 (DONE) | LDAP provisioning | Improve PSPNG so it is more performant and accurate.
2v2.5 (DONE) | Provisioning in UI | Add UI elements to troubleshoot and monitor provisioning.
2v2.5 (DONE) | Daemon configuration | UI elements to add/edit/remove Grouper daemons including configuration specific to each type of daemon
2v2.5 (DONE) | External systems wizards | Wizards to guide administrators through configuring, managing, testing external systems. External systems are things Grouper connects to and generally have endpoints, credentials, and settings.
2v2.5 (DONE) | Provisioning configuration wizard | UI screens to configure a provisioner and assign provisioning to folders and groups
2v2.5 (DONE) | Provisioning controls on grouper objects | Screens on folders, groups, memberships, and subject to view, troubleshoot, and fix provisioning. Reports of activity, errors, etc.
2v2.5 (DONE) | Gantt chart for jobs | See when jobs have executed, job overlap, how long jobs take, success or error
2v2.5 (DONE) | Update WS/UI authn | Basic authn in database. Passwordless WS authn in future
2v2.5 (DONE) | Grouper installer installs container | Grouper installer wizard walks through running Grouper in container
2v2.5 (DONE) | Container redesign | One servlet container, easier mounts, one directory structure, fewer processes, maven build, patchless
2v2.4 patch (DONE) | attributes on memberships | allow direct and indirect attributes on memberships in UI
2v2.5 (DONE) | Require container | Grouper requires a container to run. No tarballs will be distributed. The grouper installer will install the container easily
2v2.5 (DONE) | Expire dates on groups

GRP-849: add enable/disable dates on groups like memberships and permissions

2v2.4 patch (DONE) | Custom join/leave/analyze UI | Simple custom join/leave UI, also analyze access
2v2.5 (DONE) | Improve pagination in WS | Cursor based paging
2v2.5 (DONE) | Add some web services

Add GRP-2153: Add audit log functions to the Web Service

Add point in time options for WS get members, get groups, group save, get memberships

2v2.4 patch (DONE) | Screens to show attribute assignments from attribute def (name)

GRP-2302: create screen to show attribute assignments from an attribute def

GRP-2303: create screen to show attribute assignments from an attribute def name

2v2.4 patch (DONE) | Allow configuration to be stored in database | Allow configuration to be stored in the database so common configuration is shared among all JVMs. Of course some configuration wouldn't be eligible for this (e.g. database connection information, passwords, etc)
2v2.4 patch (DONE) | Templates | Templates can create multiple folders / groups / privileges / etc at once based on a wizard UI. Built in template for a service/application, and TIER Grouper Deployment Guide structure
2v2.4 patch (DONE) | Real time message based loading LDAP by person | Allow messaging to take events to update a user in loader jobs (ldap)
2v2.4 patch (DONE) | Disable loader jobs | Add ability to disable loader jobs
2v2.4 patch (DONE) | Provisioning in UI | Manage which folders and groups get provisioned in the UI
2v2.4 patch (DONE) | Improve performance | Look at recent Grouper performance issues and make improvements
2v2.4 patch (DONE) | Tag Grouper Types | Add ability to tag Reference / Basis / Authorization groups. Show this information to describe access policy
2v2.4 patch (DONE) | Visualizing Grouper | Allow the ability to show a visual graph representation of group, privilege, and permission relationships
2v2.4 patch (DONE) | Membership reports | See which users in a group or a folder of groups are not active. Add other attributes. Download reports. Schedule reports.
2v2.4 patch (DONE) | Membership approvals | Add simple workflow (approval) for an OPTIN or UPDATE operation on a group
2v2.4 patch (DONE) | Show disabled memberships | Show disabled memberships and privileges on demand and allow the user to configure enabled/disabled dates in more flexible way
2v2.4 patch (DONE) | USDU expiration dates | Allow USDU to clean up unresolvable subjects that have been unresolvable for X days
Completed in 2v2.3 | Provision to BMC Remedy | Provision memberships into remedy and digital marketplace
Completed in 2v2.3 patch | Deprovisioning | User interface to manage deprovisioning of subjects

Completed in 2v2.4

Finish the new UI, replace admin and lite UI

Add features into the new Grouper 2v2.2 UI so that everything from the admin UI and the lite UI can be performed in the new UI.  Remove the admin and lite UIs (redirect outdated links).  Add user based auditing and overall auditing.  Add new features like the ability to easily configure "rules" in the UI

Completed in 2v2.3 | Require Java8, Tomcat8 | Standardize and require java8
Completed in 2v2.3 | Add new messaging strategies | Add new messaging strategies in the Grouper Messaging system for ActiveMQ, AMQP (e.g. RabbitMQ), AWS
Completed in 2v2.3 | Attestation | Groups and folders can be marked to require periodic membership review. Reminders will be emailed to group owners
Completed in 2v2.3 | TIER API in installer | The TIER API Tomee service is installed with the grouper installer
Completed in 2v2.3 | Grouper loader in UI | User interface to show loader configuration, diagnostics, logs, wizard editor
Completed in 2v2.3 | Subject source diagnostics in UI | User interface to analyze, diagnose, and recommend improvements for subject source configuration
Completed in 2v2.3 | Harmonize configuration | Convert sources.xml and ehcache.xml to be cascaded properties files
Completed in 2v2.3 | Grouper loader real time updates | Allow a change log table (SQL triggers) or messages to trigger loader updates for a partial population or single user
Completed in 2v2.3
Grouper instrumentation

Improve and standardize Grouper logging to provide centralized metrics at an institution and the ability to upload stats to a central Internet2 server

  • Around Dec 2016, make the patch default to on
  • Add features: Number of loader jobs, Hourly stats of number of users (UI/WS) [rate information not just count], Collect configuration (non sensitive), Performance (e.g. threadcount of loader jobs, heap size), Operations per time period for pspng / ldap server, how many messages, Subject source type

  • UI so administrators can see local stats
Completed in 2v2.3 | TIER packaging for 2v2.4 | In the TIER packaging for Grouper, create Grouper docker container, integrate Grouper with Shibboleth, configure PSPNG, configure user registration with COmanage
Completed in 2v2.3 | UI accessibility | Incorporate recommendations from Colorado UI accessibility review

Completed in 2v2.3

Improve GSH

Improve gsh by adding readline like capabilities (line editing, tab completions, history, etc).  Use groovysh instead of beanshell.

Completed in 2v2.3
Inbound messages

Allow Grouper to read a message queue and act on messages (e.g. membership changes etc)

Completed in 2v2.3 | Update third party dependencies | Update third party dependencies and have strategy to easily do this on each release. Document which libraries are used and licenses.
Completed in 2v2.3 | upgrade vt-ldap | to ldaptive (PSPNG to use ldaptive). Use adaptor

Completed in 2v2.2

Unix GID management

Built-in support for managing unix GIDs by assigning a numeric ID to each group and folder.

Completed in 2v2.2

Legacy attribute migration

Migrate from legacy attributes to the new attribute framework in a transparent way.  The old API and WS and UI should still work correctly.  Plan to migrate lists and hooks as well.

Completed in 2v2.2

COmanage integration

Work cooperatively with the COmanage project to integrate Grouper within COmanage.  Integer group ID's, WS operation tweaks

Completed in 2v2.2

Subject security realms

Different users might have different privacy requirements for the Subject API. Security by realm is implemented in the JDBC2 source adapter. Callers pass in which "realm" the search should take place in, and the source can adjust how the search takes place, what attributes look like, etc.

Completed in 2v2.2

Grouper user data

Store information about a user in grouper in a generic way.  e.g. recently used objects.  favorites, etc.

Completed in v2.1

GrouperWS high availability

In-built load-balancing to enable highly available read-only access to the Groups Registry via web services.

Completed in v1.6-v2.1

PSP, formerly Ldappc NG

Complete work on the new provisioning connector, built from the Shibboleth Attribute Resolver and SPML components. Integrate with Grouper notifications for asynchronous, incremental updating in addition to periodic batch style updating. Includes specific support for Active Directory. Package a Shibboleth DataConnector for Grouper.

Real-time and incremental provisioning will be added in v2.1.

Consider adding an SPML input to grouper capability.

Completed in v2.1

Dynamic group membership

Dynamically maintain groups and memberships based on LDAP-resident attributes.

Completed in v2.0

Point in Time Audit

Query the state of the groups registry at a prior point in time.

Completed in v2.0


Declarative triggers that perform changes to the Grouper Registry.

Completed in v2.0

Federated group membership and privileges

Built-in support for memberships and Grouper privileges to be assigned to federated identities.

Completed in v2.0

Federated group management

Enable groups from autonomous Grouper instances to be referenced by and incorporated into another Grouper instance.

Completed in v2.0


The Grouper permissions web service takes into account allow/disallow and limits to give the decision of access back to the requestor

Completed in v2.0

Lite UI enhancement

Support easier to use end-user UI components in addition to the existing administrative UI. Initial component, for managing membership of a single group, is in v1.5.

In v2.0, add simple management of attributes, roles, and permissions.

Completed in v2.0

Integrate with VOOT

Integrate Grouper with VOOT (group protocol for cloud webapps), experimental...

Completed in v1.6-v2.1+

Notification of changes

In v1.6, build on the initial implementation of incremental group, membership, and folder (or namespace) change notifications in v1.5 to provide notification based on flattened group membership to more efficiently enable relying parties to maintain membership lists. Also in v1.6, partner with a deployment using an asynchronous messaging infrastructure (perhaps an ESB) to drive enhancement of the toolkit for that style of data integration.

For v2.0, add flattened membership notification.
Somewhere along the line, add ability for users to register to be notified of changes to specified objects.

Completed in v1.6

Attribute framework

Complement the existing ad hoc attribute on groups with the ability to define and associate attributes of various types to groups, memberships, and folders. Initial release was in v1.5, comprising marker attributes. Additional attribute types in v1.6. Expose attribute framework suitably through web services interfaces in v1.6.

Completed in v1.6

Kuali Identity Management integration

A connector that enables Kuali Rice to delegate group management to Grouper.

Completed in v1.6

Subject Web Service

Expose Subject API methods suitably via Grouper Web Services so that clients don't have to build their own way to reference Subjects.

Completed in v1.6

External workflow integration

Integrate Grouper with Kuali Enterprise Workflow (v1.6), and maybe other implementations.

Completed in v1.5

Namespace Transition Support

The hierarchy of folders (or naming stems) in a deployment will change over time. This supports the ability to logically move or copy a group, a selection of groups, or a folder from one folder to another. This complements the capability of the XML Import/Export tool for prune & graft operations for large scale changes.

Completed in v1.5

User Audit

Report on who took which administrative action when.

Completed in v1.4

Extension hooks

Implement infrastructure within the Grouper API to enable independent extension of key internal events. Pre- and post-processing hooks will be provided for each "primitive API operation". This would make certain other tasks more feasible, notably "Notification of changes" in this roadmap and incorporation of a site's business rules.

Completed in v1.4

Enhance Web Services

Solidify the experimental Web Services support released in 1.3.0 based on field experience.

The issue has been resolved with improved Grouper configuration and the cessation of the Signet project.

Configuration and binding framework for I2MI

Identify and implement a framework in which combinations of I2MI components (currently Grouper API, Grouper UI, Grouper Web Services, Signet API, Signet UI, Ldappc, and Subject source adapters) can be easily integrated (not just in a single JVM). This is largely an issue of managing configuration and 3rd party libraries. The Spring application framework is an example of what might be used to address this need.

This was overtaken by the "Enhance Web Services" item in the roadmap.

Web service interface facades

Determine which subsets of native API capabilities should be exposed through more focused end points to facilitate access by applications to Grouper- and Signet-provided access management capabilities. Also investigate how facades may be used to manage access to underlying group and privilege management and query capabilities.

Not yet assigned

Further KIM-Grouper integration

Refine the Kuali KIM services interfaces and extend existing integration beyond group-level into roles & permissions.

Not yet assigned

Further uPortal-Grouper integration

Complete Phase II deliverables. Time frame for Phase III deliverables still to be determined in concert with uPortal team.

Not yet assigned

Security plugins

Spring security, Shiro, .NET plugins for Grouper WS that might be able to be distributed with the plugin itself.  Initial proof-of-concept code available: