grouper-dev - Draft Minutes: Grouper Call 15-Apr-09
Subject: Grouper Developers Forum
- From: Emily Eisbruch <>
- To: Grouper Dev <>
- Subject: Draft Minutes: Grouper Call 15-Apr-09
- Date: Tue, 21 Apr 2009 14:23:26 -0400
*Grouper Call 15-Apr-09*

*Attending*

- Tom Barton, U. Chicago (Chair)
- Bob Morgan, U. Washington
- James Crampton, Duke
- Shilen Patel, Duke
- Chris Hyzer, U. Penn
- Tom Zeller, U. Memphis
- Steve Olshansky, Internet2
- Emily Eisbruch, Internet2 (scribe)

*Action Items*

[AI] (TomB) will develop an agenda for the Grouper WG at SMM and send out a request to folks for additional agenda items.

[AI] (Chris) will create a hierarchical org lists and user audit demo for SMM.

[AI] (TomZ) will update the ldappc wiki page with new ideas expressed on the call.

*Carry Over Action Items*

[AI] (Gary) will investigate UI queries of user audit (when the API user audit code is available from Chris).

[AI] (TomB) will start a wiki page on attribute framework for Grouper, including information on handling of custom versus non-custom fields/attributes.

Discussion

*Agenda for SMM Face to Face*

Grouper working group session at Internet2 SMM is Monday, 27-Apr-09, 9:15 – 10:15am in Salon B.

Suggested Agenda Items:

- Real-time ldap updates
- Bivalent (boolean or enumerated, perhaps) custom attribute type
- User interaction scenarios
- Ldappc features going forward
- User audit
- Highlights of Grouper v1.5
- Web services: who is using them for what?
- Feedback from field
- Demo on hierarchical org lists
- Demo on user audit

[AI] (Chris) will create a hierarchical org lists and user audit demo for SMM.

[AI] (TomB) will develop an agenda for the Grouper WG at SMM and send out a request to folks for additional agenda items.

ldappc Assumptions

TomZ requested feedback on future of ldappc. Wish list includes:

- provision Active Directory (and limitedly, Exchange) -- involves dealing with special-purpose types of groups
- real-time/partial provisioning
- pluggable attributes (regex, script, etc.)
- SPML, non-ldap targets
- dry-run
- monitoring, and integration with monitoring systems
- more explicit logging information

Chris: Do we want to put ldappc with other loader jobs?

TomB: Yes. We should revisit that when we are clear on the features.
James commented that Brown is looking at how to approach real-time provisioning and monitoring/auditing with enterprise service bus solutions. It’s institution specific but could be adapted.

Chris suggested that instead of pluggable attributes, it could be beneficial to add some hooks to ldappc to avoid a very complex config file.

TomZ has looked at the Shibboleth attribute resolver and the IDP. Using this approach provides a way for Shib to use Grouper and pass on information via SAML. Rather than having to use Grouper to provision membership to ldap, perhaps we could write a connector for Shib and use Shib’s configuration language. This would be in essence a Grouper data connector inside Shib’s attribute configuration resolver.

There are lots of ideas. After SMM, we’ll select a smaller group of ideas.

[AI] (TomZ) will update the ldappc wiki page with new ideas expressed on the call.

Recent issues:

Performance:

Chris noted it would be good if everything were query-able in the database. There had been discussion of using a plug-in to decide if someone has permission to do something or not, using a Java method that asks “is the user allowed to do this?” Chris doesn’t want to use that approach. It’s better to query from the database.

Chris would like to have a task for Grouper 1.5 to expand the member table. Also to have sorted, paged member lists for groups.

Shilen: Are you still thinking about having a group set table?

Chris: Yes, memberships table would have all immediate and all composite memberships. So effective memberships could be collapsed.

Chris noted that sometimes people want another type of intersection, not a composite membership but "and"ed groups with limitations --- there should be an attribute on a group that says “if a person is out of other group then remove that immediate membership.” There are structure and order questions.

The decision was to pick up the thread about composites at a later time.
View/Read Privileges

There was discussion of a request from Paul of N. Arizona Univ regarding view and read privileges. The request was that a user should be able to include a subgroup but not see the members --- even if the user originally could view the users/members, and then later that user’s permission was revoked. It was noted that this request is based on a different security scheme. Decision was to hold off on implementing any change in this area.

*Next Meeting*

Face-to-Face Session at Internet2 Spring Member Meeting
Arlington, Virginia
Monday, 27-Apr-09
9:15 am – 10:15 am
Salon B

Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1734-352-4996 | mobile +1-734-730-5749

Spring 2009 Internet2 Member Meeting
April 27-29, Arlington, Virginia
events.internet2.edu/2009/spring-mm/