Skip to Content.
Sympa Menu

grouper-dev - Draft Minutes: Grouper Call 8-Jul-09

Subject: Grouper Developers Forum

List archive

Draft Minutes: Grouper Call 8-Jul-09

Chronological Thread 
  • From: Emily Eisbruch <>
  • To: Grouper Dev <>
  • Subject: Draft Minutes: Grouper Call 8-Jul-09
  • Date: Wed, 15 Jul 2009 09:33:34 -0400

**Grouper Call 8-Jul-09**



Gary Brown, Bristol   (stand-in chair)
R.L. “Bob” Morgan, University of Washington  
Jim Fox, University of Washington 
Bert Bee-Lindgren, Georgia Tech
Shilen Patel, Duke  
Chris Hyzer, U. Penn 
Tom Zeller, U. Memphis 
Steve Olshansky, Internet2    
Emily Eisbruch, Internet2 (scribe)   

*New Action Items*

[AI] (Anyone) who has a use case for using the attribute framework and roles should email Chris at .

[AI] (TomZ) and (Bert) will email Chris their use cases.

[AI] (Chris) will look into handling default values for attributes.

[AI] (Chris) will look into using attributes to specify or override a quota, such as for email or file server.

*Carry Over Action Items*

[AI] (Gary) will enter a new JIRA issue related to GRP-295 and the removal of membership. 


*Attribute Framework*

Bert’s asked the reasoning behind using roles as new groups that have permissions attached.

Gary commented that a role is a special type of group that can have a privilege attached. Among other reasons, this is one way of reusing Grouper infrastructure.

Q: Why should attribute definitions (AttributeDef) be multinamed?

A: Chris: There is a lot of meta data about the attributes. Multinaming can be helpful when there are different attributes that have the same metadata and there is a desire to distinguish/separate the AttributeDefs.

In the case of privileges in an org chart, even if you want meta data for every org to be same, you can use differently named AttributeDefs for different orgs. 

Q: Is the idea of a default value for an attribute captured anywhere?

[AI] (Chris) will look into handling default values for attributes.

Q: How are valid format or valid enumerated values handled?  

A: Chris: Tables aren’t described in the wiki yet, but the attribute framework will include formatting and validation tables. They will have rules and transformations and validations, such as list of values acceptable values.

Q: What is the difference between roles and regular groups?

A: Chris: The idea is to be less chaotic than just to offer groups and attributes, to be more defined and more like RBAC. So a privilege is type of attribute. There are rules for assigning privileges, so that a privilege can only be assigned to a role or a person in a role.

Q: Is a role a group with a marker attribute that stamps it as a role?

A: Chris: Yes. This approach represents an incremental step to makes things easier to get up and running. A future enhancement may add more context to roles. 

Bert: Georgia Tech has a use case concerning file server or mail quotas. In this case, quota is a privilege with a value. We would want to give one group of people a different quota than another group. Example: a certain class needs an extra 10 Gig added to the normal quota because of extra projects.

Chris: Grouper can store the data and it should be a decision point. It may be best to use a hook and write logic. The current plan is that privileges will be booleans. So if privileges are quota values, then it might be necessary to use attributes.

[AI] (Chris) will look into using attributes to specify or override a quota, such as for email or file server.

Q: Are limits (e.g. limiting which department a group can act on) considered privileges?

A: Chris: For department access limits, it would make sense to list departments as boolean privileges and put them in a hierarchy. For dollar limits, define an attribute that is a dollar amount.  You’d define the limits and use hooks to do logic.

Q : Is the proposed attribute framework intended to replace the old attribute framework?

A: Chris: For the next few releases the plan is to have both old and new. It’s true there could be some confusion, but there is not enough time to have the new attribute framework ready -- and also have a migration path ready -- for the release of Grouper 1.5.

Note: For those using the new attribute framework, custom lists won’t be replaced.

Dates are not included in the primary key in the new attribute framework.  

TomZ noted that U. Memphis plans to use roles that end at a certain time to manage authorizations.

 [AI] (TomZ) and (Bert) will email Chris their use cases.

[AI] (Anyone) who has a use case for using the attribute framework and roles should email Chris at .


Should roles/privileges be enabled or disabled in Grouper by default? 

R.L. “Bob” noted that the plan was to use incremental strategy for adding roles and privileges to Grouper. The framework as outlined could represent too big a step. 

Chris replied that the direction is to offer a system that can solve some use cases. To address the U. Penn use case, at least the API part is required. However, the UI won’t have all the capabilities or web services, etc.

The incremental approach being used is to determine who will use the role/priv features soon, see what they need, and at least address those needs in the API. Other incremental changes can be made to the data model later on to make it more full featured.

An effort is being made to reuse things already in Grouper, so for instance roles are groups, and privileges are attributes.

For sites that want just a group management system, and don’t want to hear about roles and privileges, there will be a switch so roles/privileges can be turned off.

Bert noted that a continuum can be seen between group and privilege management. For example there can be group management with expiration dates, so a member can be added to a group for 30 days.  That sort of functionality is in line with making group management more useful and easier.

Chris observed that in  a group management system, if  privileges are hard coded in the system, then when you assign someone to a group it can be hard to know what privileges they have.

Chris noted that of the new attribute framework, only 10% is  role and privilege management.

*XML Config Parsing - Digester, XStream, Spring*

There was a question on the list about best method for parsing XML config files. 

TomZ said that he is leaning towards using Spring for Ldappc parsing, and possibly use it for source files as well.

Q: For Grouper 1.5, will deployers have to switch source XMLs?

TomZ: No, that would be in the future if we like how this works out.

*Grouper UI Lite*


Chris will work on a Lite Grouper UI for Penn.  It will possibly have just one screen. Should this Lite Grouper UI be in the existing UI but with a different URL?

Decision: for now Chris will make the new Lite Grouper UI a contrib.

Next Call: Wed. 22-Jul-09, Noon ET

Emily Eisbruch, Technology Transfer Analyst
office: +1734-352-4996 | mobile +1-734-730-5749

ESCC/Internet2 Joint Techs
July 19-23, 2009 - Indianapolis, Indiana

  • Draft Minutes: Grouper Call 8-Jul-09, Emily Eisbruch, 07/15/2009

Archive powered by MHonArc 2.6.16.

Top of Page