...
Release | Item | Description | ||
|---|---|---|---|---|
| 2.6 | Add OIDC UI authn | OIDC UI | ||
| 2.6 | Auto-migrate subject sources | Automatic conversion from legacy subject source config to wizard config (LDAP and SQL) | ||
| 2.6 | Add remedy provisioners | |||
| 2.6 | Upgrade libraries? | 2.6 | Remove jsonlib | Migrate to jackson |
| 2.6 | Group attributes on edit screen | Have some configured group attributes on the group edit screen | ||
| 2.6 | Consolidate utils classes | JEXL translations have different utils classes in scope. These should be harmonized | ||
| 2.6 | Grouper WS OpenAPI | Document the WS API with Swagger JSON. WS will host a "dynamic" and customizable WS API page. Explore client generation. | ||
| 2.6 | Add more JEXL scripted group features | Add natural language, real time updates, visualization, self-documentation, diagnostics, attribute resolver, etc | ||
| 2.7 | Upgrade libraries | Upgrade java, JS libraries etc | ||
| 2.7 | Remove unneeded externalized text | Remove admin and lite UI externalized text | ||
| 2.7 | Single process container | Only run Tomcat in container, not TomEE, Apache, ShibSP | ||
| 2.7 | Unicon authn | Add Unicon authn in container which implements SAML in java (and other things, CAS, etc) | ||
| 2.7 | Rewrite Grouper SCIM server | Replace the current J2EE SCIM server to only need tomcat | ||
| 2.7 | Support JSON in grouper client | grouper client currently does XML but should do JSON (by default with option to switch back) | ||
| 2.7 | Remove pspng and legacy provisioners | Only new provisioning framework, change log consumers, ESB consumers (including messaging) available | ||
| 2.7 | Remove legacy subject source configs | Only new subject source available | ||
| 2.7 | Evaluate which upstream linux container should be used | Look at Rocky linux? distroless? Stay with current? | ||
| 3.0 | Add bulk operations | Make bulk operations faster, e.g. creating or deleting a list of groups, adding or removing a list of memberships. Add bulk hooks | ||
| 3.0 | Redesign Grouper DDL | Reduce size, improve efficiency, move to single purpose tables/structure. Simple integer foreign keys (sequence or auto increment). Simple integer enums. Compact core tables with external auxiliary tables. | ||
| 3.0 | Performance diagnostics | Administrative function to measure and diagnose the performance of a deployment | ||
| 3.0 | Cache redesign | Analyze and improve how Grouper caches objects in and out of Hibernate. Simply the subject API | ||
| 3.0 | Rewrite Grouper wiki | Remove old docs and make sure missing docs are added | ||
| 3.1 | Revisit Grouper service registry | Identify services in grouper. Make them easy to see, join, manage, document, attest, etc. https://docs.google.com/document/d/1zV2kuAKOwoBFIf4GIpiQt6-NFsVkdbYdagDjGcJ7efQ/edit | ||
| 3.1 | Re-write Grouper WS | Either use SCIM or more targeted REST/JSON to streamline operations. Proxy from old to new so legacy clients are supported. New operations will not have SOAP or XML. SOAP jars will no longer be in Grouper (proxy to another shim project) | ||
| ? | Migrate Grouper git | For consistency, reporting, licensing reasons, Internet2 would like the Grouper git repo to be in its enterprise account instead of public git | ||
| ? | Simplify UI | Make UI task oriented and easy to use for various types of users | ||
| ? | Integrate connid | midpoint uses connid for provisioning. This is a standard. We would like Grouper to be able to load from and provision to connid connectors. We would also like to migrate our (non-pspng) connectors (e.g. duo, box, etc) to connid (if not there already) and share with midpoint. | ||
| ? | Improve notifications | support people, groups, and email lists. Individual email addresses are problematic. Add ability to batch emails. Log emails (temporarily). User can control preferences. Notify configure on groups. Grouper email notifications | ||
| ? | Curated groups | Add features to support Duke presentation https://meetings.internet2.edu/media/medialibrary/2019/12/05/20191211-mckee-paranoidiam_1.pdf | ||
| ? | Membership constraints | Allow memberships to be able to be constrained for certain reasons, when those conditions are met, enable the membership, else disable. And keep the existing enabled/disabled dates if applicable | ||
| ? | Installer in UI container | Move or allow parts of the "install container" to be in the UI container. This should allow servlets to load without any config, and walk through the setting up of the database and other things | ||
| ? | GraphQL WS interface | Implement graphQL on web services | ||
| ? | Custom Grouper types | Allow institution specific types to be added. Get requirements from community. | ||
| ? | Daily report refactor | Refactor the Grouper "daily" report. make it a dashboard on UI. Keep calculations in attributes if they arent already there with instrumentation. See what features we can use from Michael Gettes dashboard. See what features from Chad Redman email on April 9, 2019 with his daily report features | ||
| ? | Add group graph | Add group membership graph similar to "paranoid IAM" on group screen. See trends in membership via PIT | ||
| ? | Changelog improvements | Allow change log consumers or message publishers to process messages before the single threaded "change log temp" processor completes. Or, not that change log temp is quicker, allow change log consumers to keep track of which messages they have processed so messages can be processed out of order | ||
? | Register for notifications | Add ability for users to register to be notified of changes to specified objects. Note, there are rules to email users about changes to memberships | ||
| ? | Provision lifecycle events | Events (such as admission, enrollment, new hire, etc.) must trigger lifecycle stage transitions, role changes, affiliation changes, etc. Those can then cause other events such as service eligibility. Lifecycle changes or affiliations all precipitate a need for provisioning wherein roles are mapped to services / entitlements. | ||
| ? | Workflow state groups | The solution must support high level workflows between states. Group memberships transitioning among workflow state groups | ||
| ? | Separation of duties | The solution must anticipate the possibility of conflicting roles in the case of multiple personae. Also allow overrides of separation of duties | ||
| ? | Conflicting roles | The solutions must take into consideration that conflicting grants of authority, eg, one source indicating a grant of access and another a denial of access, must be resolvable according to the needs of each application or service context | ||
| ? | Handle multiple roles | The solutions must enable individuals to have multiple roles/affiliations/relationships/whatever with the institution, each with its own lifecycle and overlapping set of access privileges needed to undertake each role. Statefulness (persistence and preservation of state) must permeate the design goals of all solution components in order to correctly and efficiently manage their access over the course of these multiple lifecycles | ||
| ? | Min group membership size | In loader jobs and just on groups have min group sizes | ||
| ? | Rules on individual membership | An individual membership could have a rule that it is dependent on memberships in another group for example | ||
| ? | Add remaining attribute/permission operations to WS | Add permission hierarchy services for roles, actions. Limits? Any other attribute permission services? | ||
| ? | Add dropbox endpoint to provisioning | |||
| ? | UI warn, restrict, or schedule large operations | If adding a group to another group, maybe warn, restrict, notify user that the operation will take a while to provision. Or schedule this for later? | ||
| ? | Copy entitlements to another user | Copy entitlements to another user. Optionally include start and end dates | ||
| ? | Automatically clean various things | If a group is marked as a composite ad hoc list (and/or maybe includes / excludes), then if the membership is no longer relevant, then set an end date for some time in the future. Optionally notify. This applies to individual permissions as well. Automatically or manually clean up redundant privs (if assigned to group and individual). Automatically or manually clean up redundant memberships (group and individual) | ||
| ? | Add high level help or how tos | For admins or users etc | ||
| ? | Direct/indirect should show on policy group | |||
| ? | Security model - documentation and UI opportunities - wizard? | |||
| ? | Can application owners see reference group? via attributes | |||
| On-going | Update third party libraries | Update third party libraries to the latest version | ||
| On-going | Update training videos | Go through training videos and either keep, re-record, annotate, or delete. Identify new training videos to make | ||
On-going | Grouper Core enhancement | Continue adding capabilities to meet requirements from the field. | ||
On-going | Solicit and publicize community contributions of extensions and complements to Grouper. | |||
Not yet assigned | More provisioning connectors | Add further connectors to reflect specified group, membership, role, and permission information into external systems and services. Include Google provisioning (from the Unicon contribution to the PSPNG) | ||
Not yet assigned | Scaling REST webservice | A page in the Administration guide, Grouper always available web services and client, demonstrates one way to provide always available services using a specialized client. The CIFER REST web service will need the server-side capability to provide that always-available functionality. In addition the REST API should be able to access multiple, read-only caches so it can efficiently handle any increase in query requests, most of which will not need to directly access the primary database. PSPNG should be able to provision to a database table, and WS should be able to read from that table (or tables) for simple operations. | ||
| Not yet assigned | Improve grouper startup time | Grouper takes a while to startup in webapp or gsh command line. Some ideas were nailgun for GSH, javassist byte code enhancement with gradle, profiling, making sure grouper starts in webapp before first request. |
...