
grouper-users - Re: [grouper-users] auditing point in time

Subject: Grouper Users - Open Discussion List

  • From: Scott Koranda <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] auditing point in time
  • Date: Thu, 10 Dec 2009 07:51:58 -0600

> I think this will be in Grouper 2.0 or sooner (2.0 is our
> next major release since we will update the first version
> number during major releases, second digit for minor
> releases, and last digits for builds).
>
> The stumbling block is that point in time should work off of
> a flattened membership table (as should notification/change
> log). This means that generally in point in time, auditors
> might not care if there is an effective membership, or an
> immediate membership, or composite. All they care about is
> if the member is in the group or not by any path. Once we
> have a flattened membership table (which is also on the
> roadmap), then point in time will be possible. Right now it
> is too complex to do point-in-time on all membership paths.
> I will add the caveat that this is my design, I still need
> to vet it and prove that it will work. :)

Thanks much for the update.

We have two major use-case requirements for point in time
auditing:

1) Authorship of scientific papers written by our
collaboration is determined by who was in the collaboration on
a specific date. Collaboration membership is tracked via a
Grouper group now (a composite group). We want to be able to
write a WS query that will give us all people in that group on
a specific date.

It sounds like we will wait for that until Grouper 2.0.

2) We use memberships in groups, managed via Grouper, to
manage authorization. The group memberships are pushed into LDAP
and then on the web side Shibboleth pulls the membership as
attributes from LDAP and uses it to control access to web
pages. On the grid side a similar thing happens using
grid-mapfiles (and perhaps eventually a flavor of GridShib).
For normal machine access we use PAM/LDAP. So Grouper is right
at the center.

In the event of a security incident, we would like to be able
to go back and determine who was in (or not in) a particular
group at some point in time.

Will the auditing and change log capabilities that will be in
Grouper 1.5 allow us, if necessary, to comb through the SQL
tables and discern the group membership at a particular point
in time? We would only do this in the event of an incident,
and not routinely.

Thanks,

Scott

>
> Thanks, Chris
>
> -----Original Message-----
> From: Scott Koranda [mailto:]
> Sent: Wednesday, December 09, 2009 9:17 PM
> To:
> Subject: [grouper-users] auditing point in time
>
> Hi Chris,
>
> I finally got a chance to look at your slides from the
> October meeting.
>
> On slide 22 you have "Auditing point in time - Point in time
> auditing is on the roadmap".
>
> Can you (or anybody) expand on what you mean by "on the
> roadmap"?
>
> Thanks,
>
> Scott
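The reconstruction Scott asks about (combing through change-log tables to find who was in a group at a given instant) and the flattened membership idea Chris describes (one row per group/member, regardless of whether the path was immediate, effective or composite) can be shown together on a small constructed table. The following is an added example and is not Grouper's code or schema: the table name `flat_membership_log`, its columns, and the sample rows are all hypothetical. It loads the rows into SQLite, then answers "who was in group G at time T" by taking each member's most recent add/delete event at or before T. It also includes the one check a responder should run before trusting such a reconstruction: that the log really is append-only and complete, since a back-dated or missing row silently changes the answer.

```python
import sqlite3

# Constructed sample rows for a hypothetical flattened change log. This is NOT
# Grouper's real schema: one row per (group, member) event, regardless of which
# path (immediate, effective, composite) produced the membership.
# Columns: ts (ISO-8601, fixed zone), group_name, member_id, action.
SAMPLE_LOG = [
    ("2009-11-01T09:00:00Z", "collab:members", "alice", "add"),
    ("2009-11-01T09:00:00Z", "collab:members", "bob",   "add"),
    ("2009-11-15T12:30:00Z", "collab:members", "carol", "add"),
    ("2009-12-01T08:00:00Z", "collab:members", "bob",   "delete"),
    ("2009-12-05T16:45:00Z", "collab:members", "bob",   "add"),
    ("2009-12-09T10:00:00Z", "collab:members", "alice", "delete"),
    ("2009-12-09T10:00:00Z", "collab:admins",  "alice", "add"),
]


def build_log_db(rows=SAMPLE_LOG):
    """Create an in-memory SQLite database holding the flattened change log."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE flat_membership_log (
               id         INTEGER PRIMARY KEY AUTOINCREMENT,
               ts         TEXT NOT NULL,
               group_name TEXT NOT NULL,
               member_id  TEXT NOT NULL,
               action     TEXT NOT NULL CHECK (action IN ('add', 'delete'))
           )"""
    )
    conn.executemany(
        "INSERT INTO flat_membership_log (ts, group_name, member_id, action) "
        "VALUES (?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def members_at(conn, group_name, as_of):
    """Return the sorted member ids that were in group_name at instant as_of.

    For each member, the most recent event at or before as_of decides the
    answer: a trailing 'add' means in, a trailing 'delete' (or no event at all)
    means out. ISO-8601 strings in one fixed zone compare correctly as text.
    Ids are assumed to increase in event order, so MAX(id) breaks ties among
    events that share a timestamp (check_log_is_append_only verifies this).
    """
    rows = conn.execute(
        """SELECT l.member_id
           FROM flat_membership_log AS l
           JOIN (
               SELECT member_id, MAX(id) AS last_id
               FROM flat_membership_log
               WHERE group_name = ? AND ts <= ?
               GROUP BY member_id
           ) AS latest ON latest.last_id = l.id
           WHERE l.action = 'add'
           ORDER BY l.member_id""",
        (group_name, as_of),
    ).fetchall()
    return [r[0] for r in rows]


def was_member(conn, group_name, member_id, as_of):
    """The incident-response question: was this principal in the group then?"""
    return member_id in members_at(conn, group_name, as_of)


def check_log_is_append_only(conn):
    """Sanity check before trusting any reconstruction: rows must have been
    appended in time order, i.e. ts never decreases as id increases.
    Returns the number of out-of-order rows; 0 means the log passes."""
    bad, prev = 0, None
    for (ts,) in conn.execute("SELECT ts FROM flat_membership_log ORDER BY id"):
        if prev is not None and ts < prev:
            bad += 1
        prev = ts
    return bad


if __name__ == "__main__":
    db = build_log_db()
    print("out-of-order rows:", check_log_is_append_only(db))
    for when in ("2009-11-02T00:00:00Z", "2009-12-02T00:00:00Z", "2009-12-10T00:00:00Z"):
        print(when, members_at(db, "collab:members", when))
```

Two design points matter for an audit. First, the query uses `ts <= as_of`, so an event stamped exactly at the instant asked about counts as already applied; decide that convention once and document it, because an auditor asking "on 1 December" will get a different answer at 07:59 than at 08:00. Second, the result is only as good as the log: a flattened table that records membership by any path is what makes the question answerable without re-walking composite and effective paths, but it also means a single missing row makes a member vanish or persist, which is why the append-only check runs first.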



Archive powered by MHonArc 2.6.16.
