Grouper Developers Forum

[Emily Eisbruch <>]

Grouper Working Group

Internet2 2009 Spring Member Meeting

in Arlington, VA

April 27, 2009

*Attendees*

Tom Barton, U. Chicago (Chair)

RL "Bob" Morgan, U. Washington

Tom Dopirak, CMU

Roland Hedberg, SUNET

Nicole Harris, JISC

Thomas Lenggenhager, Switch

Shilen Patel, Duke

Niels Van Dyk, SURFnet

Debbie Bucci, NIH

Renee Shuey, PSU

Michael P. Pelikan, PSU

Ken Forstmeier, PSU

Randy Hegarty, PSU

Tom Golson, Texas A & M University 

Mike Grady, U. Illinois

Sandeep Sathyaprasad, NIH

David Chadwick, University of Kent

Mark Scheible, NCSU

Juhani Gurney, NORDUnet

Liela Florio, Terena

Stefan Karapetrov, Polycom

Etan Weintraub, Johns Hopkins

Milan Sova, ESNET

Adam Stone, Lawrence Berkeley National Laboratory

Nate Klingenstein, Internet2

Ann West, EDUCAUSE/Internet2

Emily Eisbruch, Internet2 (scribe)

**Discussion**

*Roadmap*

*Enhancements for Grouper v1.5*

 

(reminder: current version is Grouper 1.4.1)

- Namespace transition support, i.e. move and copy

- Audit and notification: phase I   (user auditing)

- ldappc enhancements

- Enhancement performance of indirect membership

- Attribute framework  (see discussion below)

*Enhancement to Grouper after v 1.5.0*

- Completion of audit and notification (point-in-time auditing, to answer questions like: “how did this membership get set on this group?”)

- Access management interfaces and tools  − after attribute framework is implemented.  The access management might be inside or outside of Grouper.

*Comments on Roadmap*

Grouper 1.5 will have substantial corrections in handling indirect memberships and their ramifications.

Q: What about tracking group management transactions and providing them for a listener to act on them? If there is a change at the bottom of a hierarchy, it’s important to reflect that change in all groups impacted. Will this be addressed in Grouper 1.5?  

TomB: these issues are in Phase II of Audit and Notification, which will happen after Grouper 1.5.  

For indirect consequences/ramifications of a membership change, all indirect effects will be computed up front. Composite memberships present a particular challenge. The Grouper dev team is going to solve issues related to composite memberships in a discussion later during the Spring Member Meeting.

*Attribute Framework Discussion*

Currently Grouper allows attributes on groups, which is useful.  But the attributes are ad hoc and only work on groups.  

Need:

1) a wider set of attribute types 

2) ability to attach attributes not just to groups but also to stems and memberships. 

Grouper attributes could be used as one approach to access management. An example would be to use attributes on a membership to define parameters for someone who can spend money in the financial system.  

One of the issues with the approach of Signet was that it was apparently too a huge step, whereas Grouper attributes represent a more incremental approach.

*GUI Interfaces for Grouper*

Are sites starting to experiment with GUI interfaces for Grouper?

- Brown has Faculty Gateway, with 15 different applications to support a course.  There is work underway to add a window that would give a view onto Grouper

- David Chadwick, University of Kent, commented that they have created a self- service GUI.  

- U. Washington  has a  non-Grouper based system. They are about to make transition to Grouper and their plan is to add a light weight UI .  They may decide to put their current system’s UI onto Grouper

- U Chicago has put a simple GUI on top of Grouper.

The user comes to it and focuses on a single group.   

*Demo*

Chris Hyzer provided demos of

1. User auditing 

2. How to model hierarchical org lists in Grouper

For links to the demo videos, see:

https://mail.internet2.edu/wws/arc/grouper-users/2009-04/msg00048.html

The demo shows how to load a hierarchical organizational structure from a database into Grouper.  It is a special case because the information is indirectly in the database to start out with, so a hook needs to execute before the loader job to massage the data into a flat form that the loader can deal with (expand out the hierarchies into group names).

Q: How do I know that any particular stem is following a naming convention of an org. structure?  

A: That’s in a configuration file, not in stem itself.  Choice will be present after attribute framework is built.

Suggestion: it would be nice if there was one hierarchical view of the institution, and attributes reflected that.

Comment: There is wide distribution of how notions of hierarchy are reflected.  Even if many notions, having a place to reflect them is good.  

*Importing Org Information*

Bob  RL:  We will be supporting event-based export from Grouper as part of the notification framework. Seems like that would apply equally to importing org information. For example, if I'm scheduling chon jobs but would like changes to be reflected in my system of record. Would that be build on the hooks infrastructure we have?

Chris: right now, the loader would make sure to synch up once per day. Could manually, by means of hook, do integration.  Could use Grouper web services to push the event in.

  

Steven: If a source system could achieve appropriate web services transaction, then the rest will fall into place. So need to build that into infrastructure -- the web services listener. Currently, there is no common standard. 

Need a site to lead the way by demonstrating a use case.

*Federation-Friendly Grouper*

Bob: we have an interest in having Grouper be more federation friendly, to facilitate having members from outside of from your own institution.  

TomB: This is done by the caBIG people.  Need to talk more about it. 

Emily Eisbruch, Technology Transfer Analyst

Internet2

office: +1734-352-4996 | mobile +1-734-730-5749

ESCC/Internet2 Joint Techs
July 19-23, 2009 - Indianapolis, Indiana
http://jointtechs.es.net/indiana2009/