Skip to Content.
Sympa Menu

grouper-dev - Draft Minutes: Grouper Call 15-Apr-09

Subject: Grouper Developers Forum

List archive

Draft Minutes: Grouper Call 15-Apr-09

Chronological Thread 
  • From: Emily Eisbruch <>
  • To: Grouper Dev <>
  • Subject: Draft Minutes: Grouper Call 15-Apr-09
  • Date: Tue, 21 Apr 2009 14:23:26 -0400

Grouper Call 15-Apr-09**


Tom Barton, U. Chicago (Chair) 
Bob Morgan, U. Washington
James Crampton, Duke 
Shilen Patel, Duke 
Chris Hyzer, U. Penn 
Tom Zeller, U. Memphis 
Steve Olshansky, Internet2    
Emily Eisbruch, Internet2 (scribe) 

 *Action Items*

[AI]  (TomB) will develop an agenda for the Grouper WG at SMM and send out a request to folks for additional agenda items.

[AI]  (Chris) will create a hierarchical org lists and user audit demo for SMM.

[AI]  (TomZ) will update the ldappc wiki page with new ideas expressed on the call.

*Carry Over Action Items*

[AI] (Gary) will investigate UI queries of user audit (when the API user audit code is available from Chris). 

 [AI] (TomB) will start a wiki page on attribute framework for Grouper, including information on handling of custom versus non-custom fields/attributes.


*Agenda for SMM Face to Face* 

Grouper working group session at Internet2 SMM is 
Monday, 27-Apr-09
9:15 – 10:15am in Salon B

Suggested Agenda Items:

- Real-time ldap updates
- Bivalent (boolean or enumerated, perhaps) custom attribute type
- User interaction scenarios
- Ldappc features going forward
- User audit
- Highlights of Grouper v1.5.
- web services: who is using them for what?
- Feedback from field
- Demo on hierarchical org lists
- Demo on user audit

[AI]  (Chris) will create a hierarchical org lists and user audit demo for SMM.

[AI]  (TomB) will develop an agenda for the Grouper WG at SMM and send out a request to folks for additional agenda items.

ldappc Assumptions

TomZ requested feedback on future of ldappc.

Wish list includes:

- provision Active Directory (and limitedly, Exchange) -- involves dealing with special-purpose types of groups

- real-time/partial provisioning 

- pluggable attributes (regex, script, etc.)

- SPML, non-ldap targets

- dry-run

- monitoring, and Integration w monitoring systems

- more explicit logging information.

Chris: Do we want to put ldappc with other loader jobs?

TomB: Yes. We should revisit that when we are clear on the features.  

James commented that Brown is looking at how to approach real-time provisioning and monitoring/auditing
with enterprise service bus solutions.  It’s institution specific but could be adapted.

Chris suggested that instead of  pluggable attributes, it could be beneficial to add some hooks to ldappc to avoid a very complex config file.

TomZ  has looked at the Shibbloeth attribute resolver and the IDP.  Using this approach provides a way for Shib to use Grouper and pass on information via SAML. Rather than having to use Grouper to provision membership to ldap, perhaps we could write a connector for Shib and use Shib’s configuration language.  This would be in essence a Grouper data connector inside Shib’s attribute configuration resolver.

There are  lots of ideas. After SMM, we’ll select a smaller group of ideas.

[AI]  (TomZ) will update the ldappc wiki page with new ideas expressed on the call.

Recent issues:


Chris noted it would be good if everything were query-able in the database.

There had been discussion of using a plug-in to decide is someone has premission to do something or not, using a Java method that asks ”is the user allowed to do this?”  Chris doesn’t want to use that approach.  It’s better to query from the database.  

Chris would like to have a task for Grouper 1.5 to expand the member table. Also to have sorted, paged member lists for groups.

Shilen: Are you still thinking about having a group set table?

Chris: Yes, memberships table would have all immediate and all composite memberships. So effective memberships could be collapsed.

Chris noted that sometimes people want another type of intersection, not a composite membership but "and"ed groups with limitations --- there should be an attribute on a group that says “if a person is out of other group then remove that immediate membership.”

There are structure and order questions. The decision was to pick up the thread about composites at a later time.

View/Read Privileges

There was discussion of a request from Paul of N. Arizona Univ regarding view and read privileges. The request was to that a user should be able to include a subgroup but not see the members --- even if the user originally could view the users/members, and then later that user’s permission was revoked.  

It was noted that this request is based a different security scheme.

Decision was to hold off on implementing any change in this area. 

*Next Meeting*

Face-to-Face Session at Internet2 Spring Member Meeting
Arlington Virginia
Monday, 27-Apr-09 
9:15 am – 10:15 am 
Salon B

Emily Eisbruch, Technology Transfer Analyst
office: +1734-352-4996 | mobile +1-734-730-5749

Spring 2009 Internet2 Member Meeting
April 27-29, Arlington, Virginia

  • Draft Minutes: Grouper Call 15-Apr-09, Emily Eisbruch, 04/21/2009

Archive powered by MHonArc 2.6.16.

Top of Page