
grouper-dev - Draft Minutes: Grouper Face-to-Face Meeting at SMM 26-Apr-10

  • From: Emily Eisbruch <>
  • To: Grouper Dev <>
  • Subject: Draft Minutes: Grouper Face-to-Face Meeting at SMM 26-Apr-10
  • Date: Wed, 5 May 2010 09:36:41 -0400

Grouper Working Group Face-to-Face Session
Internet2 Spring Member Meeting, Arlington, VA
Monday, 26-Apr-10



*Introduction* 

Tom Barton, working group chair, welcomed the attendees.


*Agenda*

  • Internet2 Intellectual Property Rights
  • Agenda bash, topics of interest
  • Duke: Delegating AD directory administration with Grouper (Rob Carter, Shilen Patel)
  • What's new in Grouper v1.6 (Chris Hyzer, Tom Zeller)
  • Roadmap (Tom Barton)

      Topics suggested by attendees:

  • Globally unique group identifiers
  • Permissions management

*Delegating AD Directory Administration with Grouper*

http://www.internet2.edu/presentations/spring10/20100426-grouper-carter.pdf

Shilen Patel and Rob Carter presented a Duke use case on using Grouper to manage Active Directory permissions. The use case involved:

  • Big Picture: Duke has a campus-wide Active Directory forest into which departmental administrators wish to migrate departmental forest assets and ZenWorks assets
    • There are IdM-maintained user identities with "mix ins" by departments
    • There are departmentally-maintained resources and ad hoc affiliates
  • It's important to be able to provision high privilege for admins and managers and constrained privileges for users

The solution:

  • In Grouper, implemented some global groups (maintained by IT) and some dept-specific groups (maintained at the dept. level)
  • Developed resources to map Active Directory Organizational Units (OUs) permissions into Grouper permissionSets
  • The Grouper "Actions qualifier" was used.
  • Managers can modify permissions on their OUs.
  • Includes and Excludes are used where there is a need to provision access to someone outside of the group.

Shilen and Rob successfully walked thru a demo in their test environment.

Q: How would you handle groups already established in Active Directory OUs that you want to import into Grouper?

A: This has not yet been built.  In the future, we would like to be able to consume groups out of Active Directory into Grouper.

It was commented that Northwestern University has some similar challenges to Duke, with 20+ Active Directory forests.

*What's New in Grouper 1.6*

http://www.internet2.edu/presentations/spring10/20100426-grouper-hyzer.pdf

New Features in Grouper 1.6 (to be released in May, 2010) include:

  • XMPP Integration (messaging for "real time" updates)
  • Kuali Rice Integration
    • richer group model
    • allows addition of workflow to Grouper
    • Quickstart integration to Identity Management
  • SQL server support
  • Flattened memberships
  • Virtual subject attributes
  • Read-only mode for Grouper (for upgrades and data migrations)
  • New import/export
  • Web Services Enhancements
    • new central permissions management module
    • can assign or unassign attributes and permissions
  • UI Enhancements
  • Grouper ESB Connector (contributed by Cardiff University)
    • Cardiff use case involves using Mule and Drools
    • Events are synchronized between Grouper and LDAP (or other systems) via the ESB
    • Events are packaged as JSON and dispatched over appropriate interface - HTTP(S) or XMPP
    • The interface is defined in grouper-loader.properties
  • Ldappc-NG
    • Tom Zeller presented slides on Ldappc-NG:   http://www.internet2.edu/presentations/spring10/20100426-grouper-Zeller.pdf
    • accepts input from Grouper or from Shib Data Connector
    • input passes through the Shibboleth Attribute Resolver
    • features a generic LDAP
    • uses SPML to write to target
    • target can be LDAP or RDBMS
    • currently in batch mode; in future it will be real-time web service
    • U. Memphis will be an early user

Q: What was the problem we were trying to solve with the new Grouper permissions capabilities?

A: As one example, there is a use case at U. Chicago.  There will be a portlet that allows people to view billing statements -- the ability to view will be scoped by where someone is in the accounting authority hierarchy.


Q: Are any organizations currently using Grouper to define their assets?

A: That is planned down the road.


*Chris Hyzer presented demos illustrating new features in Grouper 1.6*

https://spaces.internet2.edu/download/attachments/13534357/xmpp.wmv

https://spaces.internet2.edu/download/attachments/11075978/kualiPermissions.wmv

https://spaces.internet2.edu/download/attachments/11075978/kualiPermissions.txt

https://spaces.internet2.edu/download/attachments/11076495/rice1.wmv

https://spaces.internet2.edu/download/attachments/11076495/rice2.wmv





Emily Eisbruch, Technology Transfer Analyst
Internet2
office: +1-734-352-4996 | mobile +1-734-730-5749


 












