Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] RE: Group Verification/Recertification Audit Trail -- Feature Request

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] RE: Group Verification/Recertification Audit Trail -- Feature Request


Chronological Thread 
  • From: "Black, Carey M." <>
  • To: "Hyzer, Chris" <>
  • Cc: "" <>, "Blair Christensen" <>, Shaun Koh <>
  • Subject: RE: [grouper-users] RE: Group Verification/Recertification Audit Trail -- Feature Request
  • Date: Fri, 10 Feb 2017 05:45:40 +0000
  • Accept-language: en-US
  • Authentication-results: spf=pass (sender IP is 164.107.81.212) smtp.mailfrom=osu.edu; auckland.ac.nz; dkim=none (message not signed) header.d=none;auckland.ac.nz; dmarc=pass action=none header.from=osu.edu;
  • Ironport-phdr: 9a23:ptGwexDYvO8YYqdKFI4XUyQJP3N1i/DPJgcQr6AfoPdwSPXyocbcNUDSrc9gkEXOFd2CrakV16yG7euwBCQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9GiTe5br5+Nha7oATeusQVgYZpN7o8xAbOrnZUYepd2HlmJUiUnxby58ew+IBs/iFNsP8/9MBOTLv3cb0gQbNXEDopPWY15Nb2tRbYVguA+mEcUmQNnRVWBQXO8Qz3UY3wsiv+sep9xTWaMMjrRr06RTiu86FmQwLzhSwZKzA27n3Yis1ojKJavh2hoQB/w5XJa42RLfZyY7/Rcc8fSWdHQ81fVTFOApmkYoUPEeQPIPpYoYf+qVsArxS+BBWjC+z0xzBSmnP72bc33/g9HQ3Y2gErAtIAsG7TrNXwLKoeX/24zK3SwjrfbPNawSr25ZbSfRA7v/6NXa97f83LxUUhCgjIiU6fqYj/MDyJ1eQBqXWX4/RuWO+0jG4nsBxxriKxycgxl4nEn4QYwU3K+yV+xYY6P9y4SEhjbN6lFptQqz+VN5FwQsw8X2Fkpjw2xaMbtp6meiUB1ZcpxwbHZvCZaYeE/g/vWeOMLTtlmX5ofby/ihmu/US8z+D8WNe73VlLoydAl9TBtG4B2wLL5sWFRfZx5Fqt1DmT2wzJ5OxIP1o4mK7FJ5I5zL4/iJkevVjGEyLzmEj5kLOZdksh9+S25OnqY6jpq5qTOoJ0iAzzPKEjldCkDusjKAcDWXWQ9/6m273550L5Ra1Hjv0onandt5DXPdwVq7K+DQNJzIov8guyATG43NgBmnkIN0xKdAiAj4j0J1HBO/f4Deq5g1uxijtr3+rGPrr9AprTMnfDjLbhfbF760JGzwoz0Mxf55ZTCrEGI/L/QFP+tNvdDhMhMgy0xfjoCMll248AQ22DHrKVPabPvVOV++4iJueMaYAJtDrhLvUl6eDhgHA4lFIYeKSk34UbZG6gEvRjOUqZYH7sgtkbEWcNuwozVPfliFmYXjFPZHa+Rb8w6i81BY+9CofDXZ2tjKaf0yimA51afnpGBUyUEXf0a4WEXO8BaC2IIs9mjzwETaauS5U42RGzrw/11aBnLvHP9y0ctJLjz8R15/bNmR0o9Dx0Cdid3H+XT2FygGwIWyE60LphrkNg11fQmZR/1rZ4BM5e/bcBeQcgNIWWh7h/ANDjSA/bVtaSQxC7WtigB3c8Qs9nkPEUZEMoUf+mhxvAm2KBCqUYhvSuQtZ8pqjY1nPyYZ8nkF7Bz7RnglU7FJgcfVa6j7JyolCAT7XClF+UwuPzLfwR
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Chris,

 

First, thanks for the write up. I think you captured the ideas very well.

 

I am not “sold” on the labeling as “attestation”. It is an accurate word that does describe the concept. But I am not sure that is the most obvious word to use in a UI/attribute names.

 

I see that the design is to apply these equally to folders and groups. ( I am not sure if there would need to be slightly different workflows/processes for the two types of attestations.)

                Folders would be to verify what about the folder?  ( my answers: Just the top level folder itself? Just groups in one level down from the folder? all sub folders and all sub groups?)

                Groups would be to verify what about the group?  ( my answer: All memberships in the group )

 

                Maybe something like AllMembersValidation instead for group entities? ( I know it is longer. Is there a length limit?)

                                                                GroupValidation (if only for the group object, as opposed to the attestation of the members of the group done by the AllMembersValidation )

                                                                FolderValidation (if only for a folder object)

 

                But maybe I am overthinking or over constraining how these attributes would be used?

 

 

A few other questions:

 

1 ) Do you expect to have a default implementation for “Daemon should run daily (via cron)” or is that planned to be an exercise for the implementers?

 

2 ) If this part remains a “future scope” (“If attestation is not done in a certain amount of time, disable the memberships or group somehow”) then maybe a similar cron daemon could also be crafted?

                or is the issue the “disable the memberships or group somehow” does not exist yet? If so, then maybe some “hack around” could be used like creating a “failing attestation” group that members could be added to until they are “attested” to again? ( I am thinking of a group who’s membership would be subtracted from the membership of the group needing attestation. …

                Maybe another attribute “grouperAttestationExpiredGroup” “to point to the group to use for this function” to auto add memberships at the expiration point, and auto remove when the membership is “attested” again.)

 

 

Also as part of the original description:

                “to know when the owners have last reviewed or updated

 

                Should the attestation date be auto set when the object is updated?

                                That way an active management of the group would never trigger the attestation process directly because it is being cared for in a BAU (business as usual)  way.

                                Or maybe there should be an attribute of AutoAttestationOnUpdate=Boolean , so that option would exists too.

 

--

Carey Matthew

 

From: [mailto:] On Behalf Of Shaun Koh
Sent: Wednesday, February 8, 2017 5:16 PM
To: Hyzer, Chris <>
Cc: ; Blair Christensen <>; Black, Carey M. <>
Subject: RE: [grouper-users] RE: Group Verification/Recertification Audit Trail -- Feature Request

 

Hi Chris,

 

That is awesome and yes, it meets our requirements. – our Security team and the Grouper PM are delighted, thanks !

 

Best Regards,

Shaun K.

 

From: Hyzer, Chris []
Sent: Wednesday, 8 February 2017 8:17 p.m.
To: Black, Carey M.; Shaun Koh
Cc:
; Blair Christensen
Subject: Re: [grouper-users] RE: Group Verification/Recertification Audit Trail -- Feature Request

 

Does this capture what people had in mind?

 

https://spaces.internet2.edu/display/Grouper/Grouper+attestation

 

Thanks,

Chris


From: Black, Carey M. <>
Sent: Wednesday, January 25, 2017 12:24:32 AM
To: Shaun Koh; Hyzer, Chris
Cc:
; Blair Christensen
Subject: RE: [grouper-users] RE: Group Verification/Recertification Audit Trail -- Feature Request

 

Another approach to “email till validated” would be to treat the group as “expired” at a “date”. 

   Like a user’s membership in a group can expire, maybe the whole group could be expired?

   ( So any query of membership for the expired group would return an empty set.)

   I would not want to “drop”(delete) the group or the members memberships, but rather, just have the group “not able to be used” until it is certified again.

 

  Sometimes sending email is not enough… Sometimes, you actually need to “turn it off”.

 

Might also be a good way to “time lock” multiple memberships. (expire a group-C that is  a members of another group-B, instead of setting the expiration date on all the “right” Members of group-B.) That way you could set it in one place and effect all of group-C being in group-B. To make extensions/early retirement easier.

 

--

Carey Matthew

Office of the Chief Information Officer (OCIO)

Identity and Access Management – Security Engineer-Lead

614-292-6079 Office

 

From: [] On Behalf Of Shaun Koh
Sent: Tuesday, January 24, 2017 5:32 PM
To: Hyzer, Chris <
>
Cc:
; Blair Christensen <>
Subject: RE: [grouper-users] RE: Group Verification/Recertification Audit Trail -- Feature Request

 

Hi Chris,

 

What you’ve outlined seem to work for us though we would prefer the emailing to be an optional flag.

 

Also, a secondary filter would probably be handy to filter grouping of groups with the recertification flag set. – e.g. to view the recertification status for all groups within a specific stem or group

 

Let me know if the above made sense.

 

Best Regards,

Shaun K.

 

From: Blair Christensen []
Sent: Wednesday, 25 January 2017 3:13 a.m.
To: Hyzer, Chris
Cc: Shaun Koh;

Subject: Re: [grouper-users] RE: Group Verification/Recertification Audit Trail -- Feature Request

 

We've had a couple of requests @ uchicago for that precise workflow.

 

 

On Mon, Jan 23, 2017 at 7:33 PM, Hyzer, Chris <> wrote:

How would that work?

 

-          Configure a group or stem with a number of days that groups need to be recertified

-          When that time elapses email the admins of the group or a specified list every day until it is done

-          Have a button in the UI to mark the group as recertified

 

Thanks,

Chris

 

From: [mailto:] On Behalf Of Shaun Koh
Sent: Monday, January 23, 2017 5:16 PM
To:
Subject: [grouper-users] Group Verification/Recertification Audit Trail -- Feature Request

 

Hi there,

 

I am wondering if there was any thought of having an audit trail for group verification/recertification ?

 

In particular, we currently have some high risk/value groups that we would like to know when the owners have last reviewed or updated (and perhaps send them a friendly reminder when required).

 

Is this something that you may be interested to implement ? – or does this feature exists and that I am just not aware of

 

Best Regards,

Shaun K.

 




Archive powered by MHonArc 2.6.19.

Top of Page