Grouper Users - Open Discussion List

["Michael R. Gettes" <>]

I will be on the next dev call as you request.  Rahul will be there as well.

see below…

On Apr 3, 2013, at 12:55 PM, Chris Hyzer <> wrote:

Can you join the dev call next wed at noon to discuss this?  I think there is too much back and forth for email.  We can have an out of band call in the meantime if your timeframe cant wait a week. 

 

In the meantime, if other grouper users have some experience with this type of design where subjectId/sourceId tuples become unresolvable when inactive, please let us know on the list…  Penn has evolved to where we try to not let any subjects move out of the subject source.  Unfortunately I don’t remember the exact pain points, but it is something that I generally assume as a Grouper developer (that subjects with assignments are resolvable)

 

Also, if you could think about what your exact requirements are, more information there would help.  i.e.

 

1.       You don’t want users searchable on the UI if they are inactive unless the UI-users selects an “inactive” button.  If they search for a netId which is inactive, then do they still have to hit the “inactive” button, or is it just for freeform searches “john smith”

why would i want my users to see inactive people let alone add an inactive identity to a group?

2.       Is it a requirement that all memberships/permissions/privileges/whatever should be automatically unavailable right when the subject is unrevolvable?  i.e. Should memberships/privileges from active subject be migrated to the inactive subject?

this is a VERY good question.  thanks for asking it.

3.       I forget if the new member table columns take care of this, but if a subject is unresolvable, will the UI/WS show the name/description of the subject on the screen (or WS) from the point in time that the member table was last provisioned, or will it just show the user’s netId?

4.       If the user was mistakenly marked as inactive, and they are reactivated, should all their old memberships/privileges reappear?  What amount of time should elapse when things are permanent if any?

is there some way to say "show me all memberships/privs for a user at a point in time?  Could I then click restore-all or selectively restore?

5.       You mentioned this is at the Group level.  So some groups have this method and some don’t?

i have a use case for the group level, or we think it is at the group level, yes.  We want to have 2 groups:  1 - active Google Apps users.  2 - Former GA users.  If a user becomes suspended, they are no longer active and we would move them from the group 1 to group 2.  Group 2 would be defined to go against the same "physical" subject store but with different parameters to allow the subject store to see inactive users.  We want careful control over who (or what in the case of a group), gets to see inactive users.  I hope this helps.

6.       Other things?  J

there's always other things!

 

Thanks,

Chris

 

 

 

 

 

From: Michael R. Gettes [mailto:gettes@cmu.edu] 
Sent: Wednesday, April 03, 2013 12:11 PM
To: Chris Hyzer
Cc: Rahul Doshi;
Subject: Re: [grouper-users] multiple subject sources

 

Chris,

 

thanks for your perspective on all this… i've been reading this email every day and i think i am now at a point where i can comment.

 

it isn't clear to me that the audit-ability is so critical.  audit will show when user X is no longer resolvable and we would want to remove the unresolvable at regular intervals.  Then X would reappear, as a different user against a different source.  And thats okay too.  What you identify as a problem - I'm not seeing as a problem.  So maybe you could be a little clearer and possibly whack me upside the head to help me understand why this really would be a problem?  I agree messing with the grouper_members table isn't a good approach.

 

As for your approach at Penn regarding (ACTIVE)/(NOT_ACTIVE) - I don't think we are interested in pursuing this avenue.  We only want/need to present active users to our group managers.  If we present more, it gets more complicated do to showing more possible subjects and therefore mistakes will happen.  I guess this is one of those cases in Higher Ed where we are all similar, but not the same.

 

/mrg

 

On Mar 29, 2013, at 3:10 AM, Chris Hyzer <> wrote:

I don’t think thre is a good way to do this at the moment…

 

I don’t think you want two subject sources where users move from one to the other, since the member table will consider them two different users… the old one will be unresolvable by the id/source combination, or if you migrated, then it wouldn’t really be followable in the auditing and point in time.  Know what I mean?  I guess you could edit the grouper_members table’s source_id for a person if they move from active to inactive or visaversa, though I don’t really recommend this since it is internal to Grouper and Im not sure what could happen.

 

At Penn we solve this by having the active/inactive string in the description of the subject, which shows up on the search results, and which can be searched for.

 

My listing is:

 

Michael Christopher Hyzer (mchyzer, 10021368) (active) Staff - Isc Administrative Systems Tools And Technologies – Application Architect (also: Alumni)

 

An inactive person would display as:

 

John Smith (12345678) (NOT_ACTIVE) Student - Summer Session - No Major

 

When we search, we just show everyone, and the user can clearly see who is active or not.  If they only want active people, they can search for “john smith (active)”.  Though would be nice if they don’t specify to have the subject source add a filter for (active) being the search string.  We could do that, though there wouldn’t be an easy way for them to know that they need to enter “john smith not_active” to search the not active people…  anyways, we haven’t really had a problem with people accidentally picking the wrong person… does just showing the active state work for you?  J

 

Thanks,

Chris

 

 

From:  [mailto:grouper-] On Behalf Of Rahul Doshi
Sent: Wednesday, March 27, 2013 9:25 PM
To: 
Subject: [grouper-users] multiple subject sources

 

We are planning to have two subject sources in our environment.  One that will have all the active users and other that will have suspended and deleted users or inactive users.  We want to configure grouper so that by default it just searches active users subject source instead of all subject sources.  Is it possible to do that using simple configuration or I would have to customize the JSP?  For certain groups like group of all suspended users we want to specify default subject source to be of inactive users.  Can we specify the inactive users subject source at the group level let's say at the time of group creation so the that add member automatically only searches for users in inactive users subject source instead of first selecting inactive users subject source manually to limit the search.  If this is not already supported can it be considered as a feature request?  Also I would welcome any suggestions on how to implement this.

Thanks,
Rahul