Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Grouper Question

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Grouper Question

Chronological Thread 
  • From: "Redman, Chad" <>
  • To: "Black, Carey M." <>, "Hyzer, Chris" <>, Angel Fancher <>, "" <>
  • Subject: RE: [grouper-users] Grouper Question
  • Date: Wed, 18 Sep 2019 15:54:14 +0000
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=A3ja/AnoH8zMFi9qKkh+kjf6UsoWRywmRaBvc2MxtDk=; b=exMFxk8J3VbUxU9x+atY3vjjy5QJpDwXImh1Ah5rqtaWLtbXL1rgBH1lLSRAGYh38GmRMQLRWMa66aJO2erv0LjNgJzhN8OBtNWm/sOoHc0vzUs79dZLHlvmj4GIzvGRnPIXbDmrEANTtejAE0CN+b3lX4mBy7YheaCnw1NhGyXLr3SUHYQt6HtnL5m7YTe6slyMJdQPYdZCK0HjMskEWV1Qqw5UX38DlALvsGO2yzGNLUG9o7PtGjgUiAv3XXtcavVXmK0LyIo6eIOtY4p6MKdmDwoEoEWzXvMqrt2jWnTFW4iWNQJoAvmcZKeIFGGoOJRxQ2qY+HjMA0mmDe7rsA==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=nVwa4u9sXAzBD1tlkqg0daEkqzMX3Px2f4+V3uTZKVeNGqDm3+S6T9lqAMaB0K0xGqiODGOCNGyNYxjulPuZ/X8ELcKdC0SenG0L+lHZHb+07/9xx61FXSIc7dbtiwOn1DjhT1H9FE6s1FIpDpfbJbhMFMca3THWs6n9908nKaDv4aLse8mnExFYsvQoSR5FRWmQP0e3NsAzZ6zKcaPnS8h9TFH2pYj2QNaeaSxsTQV7Vk5izaFGDB8TZY/xaQZZBz4GujV0IqazeZshdy28q0eQzQNwCLtFbPQsGJh6LwRXHA+NiatyBKwStjMt6AXP/71LESo7WAlMs80KbdQ6RQ==

I guess I've never looked at this in detail before. It looks like nothing ever gets deleted from the grouper_members table? USDU will delete memberships and privileges for members in use where it can't resolve to a subject, but doesn't affect the members themselves. So the group/stem UI still shows the user's last known name, per the last time it was resolvable.



From: [mailto:] On Behalf Of Redman, Chad
Sent: Friday, September 13, 2019 11:32 AM
To: Black, Carey M. <>; Hyzer, Chris <>; Angel Fancher <>;
Subject: RE: [grouper-users] Grouper Question


It would be an interesting thing to test. For memberships of course this happens, and that's why there is the USDU utility to clean them up. But if it's the creator attribute? It's just a foreign key field in the groups/stems tables rather than in a relation, so it would be used differently, *if* it's used. There is the UI, but also api and WS calls that may try to link it up to the unresolvable. I'm curious, so I can try this out and report back.


Carey, good find on the methods. There are setCreatorUuid methods for stems, groups, memberships, and composites. So they would all need to be fixed :)


creatorUuid looks to be using Member.getUuid(), so also correct!




From: [] On Behalf Of Black, Carey M.
Sent: Friday, September 13, 2019 9:42 AM
To: Hyzer, Chris <>; Angel Fancher <>;
Subject: RE: [grouper-users] Grouper Question




I don’t think I understand your concerns. What do you think will break?


“…and I am wondering how that will affect the folders and groups going forward? “

                To my knowledge it will not have any effect.

                I suspect the owner (display value) might be “odd”, but I would hope that would be ok too. In fact I would be a bit disappointed if the display string even changes. I would hope that enough data would be cached in the Member tables to still display something. But I have not tested that idea.


Do you have any existing examples currently?

Are you doing something “else” with your Subject API’s in the upgrade process?


FWIW: I have chosen to have a Subject source directly tied to our IDM system, and it’s primary identifier, to avoid this issue. ( Currently we do not “throw away” identities. )



As far as I know the only concern I would have would be about access controls to the folder.

                Until v2.3 patch (38?) the creator always got “admin” privileges directly assigned to them. ( In the patch Grouper stopped doing that if the creator was also in a group that had Admin.) However that “problem” would happen as soon as the individual ( assuming they were the only person who had admin to that folder ) left the organization. So that issue is not triggered by the Subject API not being able to resolve them.


I have not looked at the API for this feature before…

However a quick look…. Maybe this would work?

                Class edu.internet2.middleware.grouper.Stem


                Has a method:

                                public void setCreatorUuid(String creatorUUID) { . . . }


                                public void store() { . . . }


                So I would think that GSH ( or any other API ) could find the Stem, then call those two methods to alter the value.

                NOTE: UUID is likely the grouper ‘Member ID’ value that you see when you expand the “More” list on the member. ( But I am guessing at that. )



Carey Matthew


P.S. RE: “blind email” … Isn’t that what mailing lists were created for? 😊

P.S.S.  If you want to discuss more details off list, feel free to send directly to me.


P.S.S. I just saw that Chris also responded… So “What he said.” 😊 No wait.. I will reply to his email instead… ( copy and paste ensued…)




Carey Matthew


From: <> On Behalf Of Hyzer, Chris
Sent: Friday, September 13, 2019 9:38 AM
To: Angel Fancher <>;
Subject: RE: [grouper-users] Grouper Question


I think you will see their subject id if they are not resolvable…  right?  so you don’t need to worry about it, just do your upgrade.  If an error is thrown we can fix that.


If you want to do some sql you could change them…  otherwise theres not really a way to change the creator since the creator is the creator 😊




From: <> On Behalf Of Angel Fancher
Sent: Thursday, September 12, 2019 6:31 PM
Subject: [grouper-users] Grouper Question


I am trying desperately to find the answer in the Grouper 2.4 and 2.2 documentation but I am coming up a blank. I seem to be going around in circles and wondered if you could direct me to the right area? 


In folders in Grouper, how can the creator be changed? In this instance, as we move to upgrade from 2.2 to 2.4 we have creators of groups that are no longer with the University and so no longer on LDAP and I am wondering how that will affect the folders and groups going forward? 


Sorry to send a  blind email, but I am getting desperate!!  We don't think there is a way in the UI. I wonder if there is a way with the API? 



Angelique Fancher

Identity and Access Management Systems Analyst

West Bank Office Building, 626-A

University of Minnesota

Minneapolis, MN 55414


Archive powered by MHonArc 2.6.19.

Top of Page