Re: [grouper-users] Grouper Deployment Guide 0.9 Beta - Community Feedback

  • From: Julio Polo <>
  • To: "William G. Thompson, Jr." <>
  • Cc: Emily Eisbruch <>, "" <>
  • Subject: Re: [grouper-users] Grouper Deployment Guide 0.9 Beta - Community Feedback
  • Date: Thu, 16 Mar 2017 09:23:23 -1000

Hi Bill,

Yes, it's fine, and I'll be on the lookout for the next TIER API WG call.



On Thu, Mar 16, 2017 at 5:39 AM, William G. Thompson, Jr. <> wrote:
Hi Julio,

Thanks for taking the time to review the guide and for your feedback! Indeed one of the goals/challenges of the GDG is to identify similar concepts and approaches in practice with different/local names and come to some agreement on terminology. See the folder and group design comparison: which includes Hawaii's approach. At this stage in the process, my sense is to continue with the broader TIER consultation starting tomorrow and include a discussion/review of your feedback in that process knowing we'll have an opportunity to add/change before the final release. Sound fair?

Also, would you be able to make one of the TIER API WG calls in the next couple weeks?


On Thu, Mar 16, 2017 at 4:28 AM, Julio Polo <> wrote:
Hi Bill,

Apologies for the late feedback. I have some concerns about the allow/deny groups and how they are used in the access policy groups and account policy groups (I'll just refer to them as policy groups). The restriction that only reference groups be used in allow/deny groups would make it difficult to grant ad hoc inclusions/exclusions of individuals.  We would have to create a reference group with those individuals in order to add them to the allow/deny groups, and that just seems cumbersome.

I think I understand the impetus behind requiring a reference group in a policy group.  We have policy groups ourselves, but we've implemented them as composites like this:  

policy group = 
 criteria group which can only have reference groups 
 + allow group for individuals
 - deny group for individuals

This model makes it easy to make exceptions for individuals. The allow/deny groups always exist for a policy group. Only individuals can go into an allow/deny group. If you need to allow or deny a reference group, that is done at the criteria group, never in the allow/deny groups. The criteria group can be a composite or regular group of groups, but it can only be built using reference groups. We actually don't use the term "criteria" but came up with the term "basis" a couple of years ago, as in "what is the basis of your policy group?" (more on basis below). This model also allows us to answer "what individual exceptions are allowed/denied?"

I know the GDG uses "basis" for something else. If the above model is adopted for policy groups, I would prefer to use the word basis for policy groups and come up with a different term for the other groups. We ourselves use the term "prime" groups because they are just like prime numbers in that they cannot be reduced to anything smaller, and they are used to build bigger numbers (bigger bundle groups). The prime number can make a copy of itself when multiplied by 1, and that analogy still works for us because every prime group has an equivalent reference group. The reason we offer a reference group that is just a copy of a prime group is because we don't want to burden our users with having to understand the difference between prime and ref. All they need to know is that they look in ref (groups built from prime, includes bundle groups). All other groups go in the custom folder (policy groups go here, other app groups, etc.)

Our policy groups are actually a generic concept we call grouping. The allow/deny groups are actually called include/exclude (works better because it doesn't hardcode the policy meaning, see mailing list example below). A grouping can also have one or more purposes attributed to it, and that's how we know whether a grouping is acting as an access policy group or as an account policy group (or something else). We have also been using groupings to sync mailing lists, and the concept works just as nicely there too:

grouping of all students whose purpose is to sync a mailing list = 
 reference bundle group for all students
 + individual managers included
 - individual students who opted out of the mailing list.

Hope all of this made sense.  I was hoping to have more time to explain this more clearly, but I know you're submitting the GDG in a few hours.  I'd be happy to follow up if there are any questions.  Thanks for listening.


Julio Polo
University of Hawaii
Enterprise Middleware, Identity and Access Management

On Thu, Mar 9, 2017 at 8:17 AM, William G. Thompson, Jr. <> wrote:
Thanks, Emily. Adding the terms to the Grouper Glossary seems to make sense. Your question reminds me we need to think about where/how best to incorporate the GDG more generally with the wiki.


On Wed, Mar 8, 2017 at 9:52 AM, Emily Eisbruch <> wrote:

Bill and team,

Great work on the TIER Grouper Deployment Guide.

Thinking about the terminology introduced in section 2.4 and then discussed in section 5.1 (basis groups, reference groups, access policy groups, account policy groups): would it make sense to add those terms to the Grouper Glossary? We could add those terms in a different table in the Grouper Glossary of "ABAC terms that may be useful and are referenced in the TIER Grouper Deployment Guide." Or we could add a link from the Grouper Glossary to the NIST 800-162 doc.

Emily Eisbruch, Work Group Lead, Trust and Identity

office: +1-734-352-4996 | mobile +1-734-730-5749


From: <> on behalf of William G. Thompson, Jr. <>
Sent: Tuesday, February 28, 2017 11:37 AM
Subject: [grouper-users] Grouper Deployment Guide 0.9 Beta - Community Feedback
The Grouper Team and the TIER API and Entity Registry WG are pleased to
present the Grouper Deployment Guide 0.9 Beta for community feedback.
The guide is not yet published or complete, and is being shared with
the Grouper community to solicit early feedback ahead of a broader
TIER community consultation scheduled for March 17 - April 14.

Grouper Deployment Guide 0.9 Beta

Feedback can be sent via email to the grouper-user list or directly to
Bill Thompson <>.
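The grouping model Julio describes above (a basis built only from reference groups, plus individual includes, minus individual excludes, tagged with purposes), as an added illustration that is not Grouper code or the University of Hawaii's implementation; the group kinds, folder names and identities are constructed for the example:

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    kind: str                                   # "prime", "ref", "basis" or "adhoc"
    members: set = field(default_factory=set)   # direct individual members
    subgroups: list = field(default_factory=list)

    def resolve(self):                          # effective membership, nested groups included
        out = set(self.members)
        for g in self.subgroups:
            out |= g.resolve()
        return out

@dataclass
class Grouping:
    name: str
    basis: Group      # the "criteria" group: built only from reference groups
    include: Group    # individuals allowed in addition to the basis
    exclude: Group    # individuals denied even though the basis includes them
    purposes: set = field(default_factory=set)  # e.g. {"access-policy", "mailing-list"}

    def validate(self):                         # invariants from the thread; [] means ok
        errs = ["basis holds individuals directly"] if self.basis.members else []
        errs += [f"basis child {g.name} is not a reference group"
                 for g in self.basis.subgroups if g.kind != "ref"]
        errs += [f"{label} group nests other groups"
                 for label, g in (("include", self.include), ("exclude", self.exclude))
                 if g.subgroups]
        return errs

    def members(self):                          # basis + include - exclude
        return (self.basis.resolve() | self.include.members) - self.exclude.members

    def exceptions(self):                       # "what individual exceptions are allowed/denied?"
        base = self.basis.resolve()
        return {"allowed": self.include.members - base, "denied": self.exclude.members & base}

# Constructed sample data (not real identities or group names).
ug = Group("prime:students-ug", "prime", {"alice", "bob"})
grad = Group("prime:students-grad", "prime", {"carol"})
ref_ug = Group("ref:students-ug", "ref", subgroups=[ug])       # ref copy of a prime group
ref_grad = Group("ref:students-grad", "ref", subgroups=[grad])
all_students = Group("ref:students", "ref", subgroups=[ref_ug, ref_grad])  # bundle group
students_list = Grouping(
    "custom:students-list", purposes={"mailing-list"},
    basis=Group("custom:students-list:basis", "basis", subgroups=[all_students]),
    include=Group("custom:students-list:include", "adhoc", {"manager-dan"}),
    exclude=Group("custom:students-list:exclude", "adhoc", {"bob"}))
```

`validate()` is what would reject a policy group whose basis points at a prime group directly or whose include/exclude group nests another group; `exceptions()` answers the "which individuals are allowed/denied by exception" question from the message.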

