Grouper Users - Open Discussion List

[Chris Hyzer <>]

Either sounds good to me, I like loose coupling, so something without the plone API in the change log consumer would be preferable, like the LDAP idea… but either should work.  At Penn we use XMPP messages from the change log, then the grouper client listens and does the API stuff into whatever application, or DB syncs, or whatever… fyi

 

Thanks,

Chris

 

From: Klug, Lawrence [mailto:]
Sent: Thursday, August 23, 2012 2:12 PM
To: Chris Hyzer; Tom Barton;
Subject: Plone integration design

 

Hi,

 

I’ve gotten a bit more clarification about the Plone integration requirements.  We want to manage all Plone Groups and Roles in Grouper and “Push” the data to Plone in near real time.  So data will move from Grouper to Plone only.    We figure on some custom development on both sides.  So we might develop a Change Log consumer to listen for changes on a Plone stem/group and then call Plone API to populate the changes in Plone.   Another possibility is a dedicated LDAP server – we could provision Plone data using PSP and Plone could read data from the LDAP server.  What are your thoughts about these ideas?

 

Thanks,

 

Lawrence

 

From: [] On Behalf Of Chris Hyzer
Sent: Tuesday, July 10, 2012 10:31 AM
To: Klug, Lawrence; Tom Barton;
Subject: RE: [grouper-users] Role and Permission attributes

 

I just quickly read this:

 

http://plone.org/documentation/kb/understanding-permissions/permissions-and-roles/

 

It seems like the “context” in plone, will be resources in Grouper permissions.  When someone creates objects in plone, can there be a trigger to create the resource in Grouper in the right place and assign the permission implications (parents imply children).  Note, this is now possible to do in Grouper WS 2.1.

 

The “permissions” in plone (View, Modify) could be “actions” in Grouper on the permission definition for the resources above.  These seem like they would be configured one time and not change much.

 

The roles and groups in plone are roles and groups in Grouper.

 

Finally, you need to decide when you will retrieve the user’s permissions.  I would suggest either on login or provision all the permissions to plone so plone doesn’t think they are externalized.  Similar to this:

 

https://spaces.internet2.edu/display/Grouper/Managing+unix+commands+with+Grouper+permissions+example

 

If you do it on login, it could be from Grouper WS, LDAP (concatenate the action and resource into an attribute), or SAML assertion (might still need to concatenate the action/resource). 

 

My gut feel is that to avoid performance problems and maximize uptime to just provision everything to plone and keep it in sync real time (XMPP?  Stomp?  Other messaging?).

 

Let us know what you decide to do or if you have more questions J

 

Chris

 

From: On Behalf Of Klug, Lawrence
Sent: Tuesday, July 10, 2012 12:49 PM
To: Tom Barton;
Subject: RE: [grouper-users] Role and Permission attributes

 

Hi Tom,

 

Yes, we are trying to determine how UCLA Service Providers could best leverage Grouper.  Will eduMember attributes be sufficiently fine-grained for our applications?  If not, how do we approach implementing Grouper Roles and Permissions?  Our pilot project will most likely be the Content Management System.  We are using a Zope-based product called “Plone.”  What are the steps for moving Plone Roles and Permissions management into Grouper?   LDAP delivery via Shibboleth is an elegant solution, but Roles and Permissions may require another strategy.  Thinking this through now could prevent future pain.

 

Thanks,

 

Lawrence

 

From: [] On Behalf Of Tom Barton
Sent: Saturday, July 07, 2012 1:40 PM
To:
Subject: Re: [grouper-users] Role and Permission attributes

 

Lawrence,

Glad to hear that you guys are thinking this through so thoroughly. You raise a hard question, especially when considered abstractly, about how to represent roles & permissions in an LDAP directory. Since AFAIK all OTS apps that get permission-related info from LDAP only rely on user attributes and group memberships (maybe with proprietary objectclasses), is your question more specifically aimed at how UCLA-grown apps should get role & perm info from grouper? Is it particularly desirable that that happen via LDAP?

Tom

On 7/5/2012 10:31 AM, Klug, Lawrence wrote:

Hi Chris,

 

We are defining our long-term access management strategy with Grouper.  We have tested “eduMember” for transmitting membership info through Shibboleth.   Roles and Permissions are internal Grouper attributes that would not live in the Enterprise Directory(?)   Trying to focus on exactly how Roles and Permissions attributes can be consumed by a University Web application now and in the future.

 

Thanks,

 

Lawrence

 

From: Chris Hyzer []
Sent: Saturday, June 30, 2012 6:43 AM
To: Klug, Lawrence;
Subject: RE: Role and Permission attributes

 

We have two examples where we sync all the permissions to the application since it does DB joins on the assignments, or we dont want grouper as a performance bottleneck or a runtime dependency.  The change log consumer and grouper client handle real time updates (tells it to do a full resync)

(no sound)
http://www.youtube.com/watch?v=QPL16DOb8Og

(no sound)
http://www.youtube.com/watch?v=WY9kjjyboJY

https://spaces.internet2.edu/display/Grouper/Managing+unix+commands+with+Grouper+permissions+example

Chris
 

---

From: [] on behalf of Klug, Lawrence []
Sent: Friday, June 29, 2012 5:18 PM
To:
Subject: [grouper-users] Role and Permission attributes

We created a simple demo app to consume isMemberOf attribute via Shibboleth and make a few simple Web Service calls.  It works fine.  What if we want to use Role and Permission attributes?  How would they be transmitted to the Client application?  Could they be released as Shibboleth attributes or direct Web Service call?   What are other universities doing?

 

Thanks,

 

Lawrence