grouper-users - RE: [grouper-users] auditing point in time

Subject: Grouper Users - Open Discussion List

RE: [grouper-users] auditing point in time


  • From: Chris Hyzer <>
  • To: Scott Koranda <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] auditing point in time
  • Date: Thu, 10 Dec 2009 09:51:29 -0500
  • Accept-language: en-US

> Grouper group now (a composite group). We want to be able to
> write a WS query that will give us all people in that group on
> a specific date.

I plan on this being in scope for point in time. We can expose it over web
service.

> In the event of a security incident, we would like to be able
> to go back and determine who was in (or not in) a particular
> group at some point in time.

Same requirement.

> Will the auditing and change log capabilities that will be in
> Grouper 1.5 allow us, if necessary, to comb through the SQL
> tables and discern the group membership at a particular point
> in time? We would only do this in the event of an incident,
> and not routinely.

I'm assuming you won't keep the change log around for too long if you have a
lot of updates. If you keep it around forever, you might be able to work
back from the present state to a past state. Basically you query the
membership_all view for the group, then you query the change log for all
changes to the group (which includes immediate/effective/etc). And you work
backwards.

If you don't keep the change log forever (common usage), then you have the
user audit logs. If you do simple changes to grouper (adding/removing people
to/from groups), then you can do a similar algorithm. However, if you are
adding a group to another group, then it will be difficult to know who
exactly was added, since only the high level action is audited.

Thanks,
Chris
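
The work-backwards approach described in the reply above, as an added example that is not part of the original message and is not Grouper code: start from the current effective membership and undo every change logged after the target time, failing loudly when the log cannot account for the state. The field names, action labels, retention marker and sample rows are constructed assumptions, not Grouper's change log schema.

```python
from datetime import datetime

# Constructed sample data. Field names and action labels are assumptions for
# this sketch, not Grouper's change log schema.
CURRENT_MEMBERS = {"alice", "carol", "dave"}   # effective membership now
CHANGE_LOG = [  # (timestamp, action, subject), effective changes included
    (datetime(2009, 11, 2, 9, 0), "add", "bob"),
    (datetime(2009, 11, 20, 14, 30), "add", "carol"),
    (datetime(2009, 12, 1, 8, 15), "delete", "bob"),
    (datetime(2009, 12, 5, 17, 45), "add", "dave"),
]
LOG_RETAINED_SINCE = datetime(2009, 11, 1)  # oldest point the log still covers


class LogGapError(Exception):
    """The change log cannot account for the state being reconstructed."""


def members_at(when, current, change_log, retained_since):
    """Return the membership set as of `when` by undoing later changes."""
    if when < retained_since:
        raise LogGapError(f"log pruned before {retained_since}; cannot reach {when}")
    members = set(current)
    # Newest first: undo each change made after the target time.
    for ts, action, subject in sorted(change_log, reverse=True):
        if ts <= when:
            break
        if action == "add":
            if subject not in members:
                raise LogGapError(f"undo add of {subject} at {ts}: not a member")
            members.remove(subject)
        elif action == "delete":
            if subject in members:
                raise LogGapError(f"undo delete of {subject} at {ts}: still a member")
            members.add(subject)
        else:
            raise ValueError(f"unknown action {action!r}")
    return members


if __name__ == "__main__":
    for day in (datetime(2009, 11, 25), datetime(2009, 12, 3)):
        print(day.date(), sorted(members_at(day, CURRENT_MEMBERS, CHANGE_LOG,
                                            LOG_RETAINED_SINCE)))
```

A `LogGapError` during replay means the log is missing entries for the period, so the reconstructed set should not be relied on for that date.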


