Failure: test 'testNormalDryRun', Expected validation error? false, validation error count: 1, ArrayList size: 1: [0]: null: gshTemplateOwnerType is a required field.

Error: 1 tests, 1 failures!

No idea what this is. I have set the owner type:

Run template owner type: group
Run template group name or uuid: some:group:that:exists

For ServiceNow we need the following attributes provisioned based on the documentatation at https://docs.servicenow.com/bundle/washingtondc-api-reference/page/integrate/inbound-rest/concept/scim-api.html

name.givenName name.familyName emails.value phoneNumbers.value userName employeeNumber (urn:ietf:params:scim:schemas:extension:servicenow:2.0:User) manager.displayName (urn:ietf:params:scim:schemas:extension:servicenow:2.0:User) manager.value (urn:ietf:params:scim:schemas:extension:servicenow:2.0:User) department.name (urn:ietf:params:scim:schemas:extension:servicenow:2.0:User)

jQuery 1.10.2 has known vulnerabilities

Michael Gettes  2 hours ago

is there an ability to create a “read-only” version of the grouper sysadmins?  I add someone to sysadminReadersGroup and sysadminViewersGroup and they can’t view daemons or other config stuff that the sysadmins can see.
4 replies

Chris Hyzer  2 hours ago

thats the intent of those, but we need to make adjustments.  if you want to make a jira and we all agree we can start allowing more part of grouper to be seen by those folks...so for instance daemons, maybe sysadminViewers can see them but not change them?
Shilen Patel  2 hours ago

We recently changed things so that our normal NetID accounts aren't in the sysadmingroup anymore (instead they are in the sysadminReadersGroup) and we have separate privileged credentials that are in the sysadmingroup now.  Anyways, by doing that, I've noticed this issue as well and would also love to see it resolved 

The list of "Miscellaneous > GSH templates" actions buttons should have a "copy to new GSH template" option.

It should open the '.../grouper/grouperUi/app/UiV2Main.index?operation=UiV2GshTemplateConfig.addGshTemplate' UI with all of the values from the template that the copy was started from. ( Except for the Config ID value The use would need to pick a new value for that. )

Maybe an intermediate UI page would be needed to get the user to supply the new Config ID? But I hope that would not be necessary.

This would make it easier to "Clone" and "test a new idea, or change a few things" without needing to destroy/change the original template and all from the UI instead of exporting properties and such.

I guess you might even make a GSH template to list existing GSH templates and prompt the user for the new Config ID and let a GSH template copy the properties from the existing template into a new template via the Grouper properties API? ( I guess that might be another way to achieve this goal. )

From slack: https://internet2.slack.com/archives/C7V0UQDJ4/p1707755500572869

The privileges tab and the “More” tab to the right of Privileges are mostly all about Privileges.  Could/Should the Privileges tab also display the privileges related items from the More tab?  I have received questions multiple times from people who didn’t know about applying inherited privs simply because it was hidden in the More tab and not within Privileges.  I am NOT suggesting to move the items as this might break local documentation already written.  I am only suggesting to copy the priv related items into the Privileges tab page to increase the likelihood of a user finding what they need on their own.  Thanks for considering this request.

When clicking the "sync button" in the "Browse folder" UI element. The folder that is currently selected in the "work area" should be "opened/expanded" in the Browse Folder display instead of being "closed/collapsed".

incorrect ( current behavior )

New behavior

When a gsh V2 template is created, it should know its own configId. Tests in the class should use it by default. You shouldn't need to tell the running template what configId kicked it off. And is manually set it and it runs a different template, is this a feature at all, or something you don't want?

When creating a provisioner, gsh template, daemon job, etc., the value for the configId is checked for syntax. It only allows /^[a-zA-Z0-9_]+$/, which is alphanumeric or underscore. Was there any technical reason why dashes are disallowed? They are perfectly legal in Java property keys. It's a confusion for users since they usually assume dashes are ok, until they try to save and get the error.

Data fields assigned to entities: "Use this in an ABAC scripted group, e.g. ${entity.hasAttribute('aliasName')}" (this is ok)

Data row: hr_positions: no documentation; need to guess the syntax or look at the crashplan demo on the wiki

Global data fields: "Use this in an ABAC scripted group" (no syntax represented)

Data fields assigned to groups: "Use this in an ABAC scripted group" (no syntax represented)

After looking through source code, it seems a full sync and incremental sync needs to be manually created?

• Create a scripted loader group
• Run loader process to sync group

Result: flash text:

Error scheduling group to run on the daemon
java.lang.RuntimeException: Cant find grouper loader type of group: test:testGroup

When an ACL group (provisioner.{configId}.groupAllowedToAssign) is configured for a provisioner, and non-root users are put into it, they can edit the provisioning from the Provisioning actions menu. But if there is a provisioner listed, the Actions > Edit provisioning menu item returns an error: "Error: Cannot access provisioning., Problem calling method editProvisioningOnGroup2 on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning".
 
Stacktrace:

grouper_1   | grouper;grouper_error.log;dev;nothing;2023-12-30T04:12:04,309: [http-nio-8080-exec-4] ERROR GrouperUiRestServlet.doGet(372) - [] - Problem calling reflection from URL: edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning.editProvisioningOnGroup2

grouper_1   | 

grouper_1   | java.lang.RuntimeException: Cannot access provisioning.,

grouper_1   | Problem calling method editProvisioningOnGroup2 on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning

grouper_1   | 	at edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2Provisioning.editProvisioningOnGroup2(UiV2Provisioning.java:2132)

grouper_1   | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

grouper_1   | 	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)

grouper_1   | 	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

grouper_1   | 	at java.base/java.lang.reflect.Method.invoke(Method.java:568)

grouper_1   | 	at edu.internet2.middleware.grouper.util.GrouperUtil.invokeMethod(GrouperUtil.java:5784)

grouper_1   | 	at edu.internet2.middleware.grouper.util.GrouperUtil.callMethod(GrouperUtil.java:5735)

grouper_1   | 	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doGet(GrouperUiRestServlet.java:336)

grouper_1   | 	at edu.internet2.middleware.grouper.j2ee.GrouperUiRestServlet.doPost(GrouperUiRestServlet.java:204)

grouper_1   | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:515)

grouper_1   | 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:583)

grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:212)

grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)

grouper_1   | 	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)

grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)

grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)

grouper_1   | 	at org.owasp.csrfguard.CsrfGuardFilter.handleSession(CsrfGuardFilter.java:101)

grouper_1   | 	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:91)

grouper_1   | 	at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:63)

grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)

grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)

grouper_1   | 	at edu.internet2.middleware.grouper.ui.GrouperUiFilter.doFilter(GrouperUiFilter.java:1322)

grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:181)

grouper_1   | 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:156)

grouper_1   | 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)

grouper_1   | 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)

grouper_1   | 	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)

grouper_1   | 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)

grouper_1   | 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)

grouper_1   | 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)

grouper_1   | 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)

grouper_1   | 	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:617)

grouper_1   | 	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)

grouper_1   | 	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:932)

grouper_1   | 	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1695)

grouper_1   | 	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)

grouper_1   | 	at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)

grouper_1   | 	at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)

grouper_1   | 	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

grouper_1   | 	at java.base/java.lang.Thread.run(Thread.java:840)

When testing out whether as script using ${provisioningEntityWrapper.isInGroup('xxx')} works, it needs an instance of GrouperProvisioningTranslator to create the cache map. I don't see a clear way to set this up using the script beans

1) Go to Config history

2) Add a text filter that matches more than 50 values

3) Click next to go to the next 50 entries

Result: The filter is cleared. Confirmed by showing the total number of results on the second page, not the filtered number

When editing and saving changes to a daemon config, the user goes back to the All Daemons page and needs to find the daemon in the list again to get back to it.

Managing rules via creating attribute assignments is tedious. There should be an easier way of setting them up.

The banner in the Index jsp template currently allows only the customization of the logo. Installations may want to add more functionality, like the environment, Grouper version, special notices, etc.

The footer also has hardcoded © {institutionName}; thus the only customization option is the institution name. They may not even want a copyright notice.

If the institution wants more customization than that, the option is to fork the index.jsp page itself (there is a commonHead and commonBottom jsp, but these are for scripts and css). The risk is in technical debt of always watching for jsp changes to merge during upgrades, and of having a broken page if the change was not noticed.

If the banner and footer were extracted and made into separate partials that were included during page build, it would be a smaller risk for the maintainer.

When attestation is configured for a folder/group, the attestation attribute is assigned with a set of metadata attributes included based on user input. AttestationDaysBeforeToRemind is not included, nor is it readily apparent that it is set.

Possible Steps to remediate:
-Add attestationDaysBeforeToRemind to the set of default metadata for attestations
-Add a configurable global default value that is set in grouper.properies and default it to 14 days to coincide with the "less than 2 weeks" note in "Groups that need attestation"
-Update "Groups that need attestation" to factor in the global default when determining what to list.
-Add "Days before reminders are sent" field to "Edit group attestation" that would take user input for the attestationDaysBeforeToRemind
-Add "Days before reminders" column to Attestation Settings -> Folders and Groups with Settings to show the attestationDaysBeforeToRemind value for that object.

-Add "Days before reminders" row to Group Attestation - View attestation settings to display attestationDaysBeforeToRemind.

-Update "Attention: this group's memberships need to be attested soon." to include the number of days before attestation is required".

Report type: GSH
Config format: file

ERROR: value too long for type character varying(4000)

UI Error:

Error: org.hibernate.exception.DataException: could not execute batch, Exception in save: edu.internet2.middleware.grouper.attr.value.AttributeAssignValue, edu.internet2.middleware.grouper.hibernate.ByObject@1d5c1633, Problem in HibernateSession: HibernateSession (7825b8dd): notNew, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (23194942), Exception in saveOrUpdate: edu.internet2.middleware.grouper.attr.value.AttributeAssignValue, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: null, tx type: null, Problem in HibernateSession: HibernateSession (780ecde8): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (23194942), Problem calling method reportOnGroupAddEditSubmit on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2GrouperReport

This request is just for convenience. Sometimes it's hard to tell how long something runs, especially when the numbers are large. It should be something friendly, like 2h 21m or 2d3h25m if it runs that long.

This is a field that shows up in subject source configuration, but there is no explanation what a "net ID" is for. I had traced through the source code a while ago, and at that time it was only used in either the custom UI or a less common reporting setup. It would eliminate some confusion if it were just refactored to not use this custom net ID. It we do need some kind of preferred identifier, then maybe it just needs to be rebranded – renaming and adding a description.

Trying to add attribute etc:attribute:entities:entitySubjectIdentifier to a local entity per documentation in https://spaces.at.internet2.edu/display/Grouper/Grouper+local+entities.

Result is:

 Error: Not allowed to assign to member: AttributeDef[name=etc:attribute:entities:entitySubjectIdentifierDef,uuid=a4feba4da40142f19242879d9d586776], 8b220b8132c54beb95957271eb4eb803, to allow this, make sure the attributeDef has setAssignToMember(true), Problem calling method assignAttributeSubmit on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment

The attribute assignment is being treated as if it's being added to a subject, not an entity.

If I edit the assignment to allow it to be set for members, I can add the attribute. But then I can't add a value to it due to another error:

Error: Cannot invoke "edu.internet2.middleware.grouper.entity.Entity.getName()" because "entity" is null, Exception in save: edu.internet2.middleware.grouper.attr.value.AttributeAssignValue, edu.internet2.middleware.grouper.hibernate.ByObject@e0363ca, Problem in HibernateSession: HibernateSession (10bc9d8f): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (74265a05), Exception in saveOrUpdate: edu.internet2.middleware.grouper.attr.value.AttributeAssignValue, ByObjectStatic, query: ', cacheable: null, cacheRegion: null, entityName: null, tx type: null, Problem in HibernateSession: HibernateSession (5b7b04bb): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (74265a05), Problem calling method attributeAssignAddValueSubmit on edu.internet2.middleware.grouper.grouperUi.serviceLogic.UiV2SubjectAttributeAssignment

Trying to debug a Grouper UI error going to any page besides the main page. Comparing the browser headers vs. the ones seen by the server, the OWASP_CSRFTOKEN header is missing. There is an nginx front end forwarding to Grouper, but possibly another hop too.

Internet searches suggest that nginx by default doesn't pass headers containing an underscore. See https://stackoverflow.com/q/17920949 . The fix is likely to configure nignx to allow underscores:

server {

   ...

   underscores_in_headers on;

but I haven't tested this yet. Longer-term, if it's possible to change this header name to replace or remove the underscore, it means Grouper would work out of the box with nginx without customization. The header string is both in the Owasp configuration, javascript, and Java code, so it may not be a trivial change that end users can do.

As requested by a customer. Have a notes field when attesting a group. Maybe clicking the button expands to show a text field? It may be enough just to have it in the audit log, and the would see the notes in the audit history.

As requested by a customer. The button is confusing if the user isn't the manager of any groups or folders.

Similar to adding a start/end date on a new membership, have fields for membership attributes that can be added. The configuration can be similar to the Group editor page where you can configure which attributes show up.

In order to prevent users from downloading a list of all employees, etc., have some way to restrict the export functionality.

Options?
1) Restrict by object type
2) Exclude based on an attribute (create a built-in one, rather than making everyone make one up)
3) Restrict by regular expression patterns:

uiV2.group.exportDisallowedPattern.0 = ^ref:affiliation:.*

If a job is started but something happens and it exits without updating the status, it is stuck in the starting state in the loader log, and won't start again until restart (or until it gets reset in 10 minutes?). It would be good to clear out the state so it can restart normally, without needing to restart the whole daemon, or doing sql manipulation to clear out the stuck job from the log.

Something available in the API and WS as well as the UI would be good for more options.

Grouper should support theme or mood music while in UI.

It could be as simple as associating midi songs with certain activities, or as complicated as using AI to procedurally generate music appropriate for the population being managed.

Maybe it plays a little jingle when a massive group import is completed, like when my dishwasher finishes a load of dishes?

I feel that it could increase satisfaction in UAT.

In the job history chart, a job in the started state shows a very narrow box. In reality, the job is potentially still running, so the line should extend to the present time, or until the next time the job ran.

The format for subject names for the Member Add drop down list differs from how it appears everywhere else. It's also configured with a different property.

1) Subject page heading, search results, and group member list: `screenSubjectIcon2.screenHtmlEl.0 screenLabel2.screenEl.0`

This corresponds to the diagnostics value for "Short link with icon"

2) Subject breadcrumbs: `screenLabel2.screenEl.0` (basically #1 without the icon)

This corresponds to the diagnostics value for "Short link with icon"

3) The drop down names during the Member Add autocomplete field: screenSubjectIcon2.screenHtmlEl.0 subjectImgLong.screenEl.0

This corresponds to the diagnostics value for "Long label with icon", even though right after it reads "This is not used in the new UI"

4) The Member Add autocomplete after choosing a value: subjectImgLong.screenEl.0 (basically #3 without the icon)

The descriptions for the diagnostics values under "SUBJECT IN UI" should be adjusted to be more accurate. Suggested:

  Short link with icon: ...
  * Appearance of the subject in most places – its own subject page heading, in search results, in group members, etc.
  * Configured in grouper.text.en.us.base.properties with guiSubjectShortLink
  * Also configured in grouper-ui.properties
    * icon is grouperUi.screenSubjectIcon2.screenHtmlEl.X, or grouperUi.screenSubjectIcon2.screenHtmlEl.default, or default `<i class="fa fa-user"></i>`
    * label is grouperUi.subjectImgLong.screenEl.X, or default of subject name
  * tooltip is subject description
Long label with icon: ...
  * This is used in the Member Add drop down
  * Configured in grouper.text.en.us.base.properties with guiSubjectLongLinkWithIcon
  * Also configured in grouper-ui.properties
    * icon is grouperUi.screenSubjectIcon2.screenHtmlEl.X, or grouperUi.screenSubjectIcon2.screenHtmlEl.default, or default `<i class="fa fa-user"></i>`
    * label is grouperUi.subjectImgLong.screenEl.X, or default of subject description

The daemon log for a loader job shows this:

But the loader job page shows this for the same job:

The loader page should reflect the same status and counts as the actual loader log.

We have received requests from our customers to make the left hand navigational panel resizable so that they are not having to scroll back and forth constantly or search for the group instead.

from discussion in slack channel

Add an attribute to a group to cause the UI to display the group with a filter of direct memberships or indirect by default.  The absence of the attribute is all (current behavior).  There could be a system-wide default to control the default display of groups in the ui as well... but this is usually desirable for large groups for environments where the display of the large group is slow (which may in fact be a sign of a misconfigured cache and other components - but this at least allows for helping with the display of the group).

If you want to move a group, open the search form by clicking on "search for a folder where you are allowed to create new subfolders"  and enter no matter what, you will always get the error message "enter at least two characters".
 
I have already found the solution and would like to provide it here: In grouper-ui/webapp/WEB-INF/grouperUi2/group/groupMove.jsp, line 21, input name="groupSearch" is to be changed to input name="stemSearch".

We still use Version 2.4 but I've taken a look at the Grouper project at Github and it seems to me that the bug still occurs in 2.6 as well.

Is this currently supported? I didn't see it in the wiki or in the 2.6.18 source code. This would be from optional fields from workflow approval states, or from the original requestor

When a provisioner has metadata, there is no way to set the value of it unless the "Metadata xxx: can change" is set to true

In the UI for the new sql subject adapter (GrouperJdbcSourceAdapter2_5), the field for Max results size has a description "Max results size. Default value is '100'". However, if the field is left blank, there is no limit of 100, and all records are returned.

This applies to substring searches in the add member search box which looks up for every character typed after a pause, when the length is 2+. With a small search string, this could potentially return a large list of results.

The workaround is to always put a value in this field, even if you want the value to be 100.

The `subjectApi.source.genericSource.param.maxResults.value` does have a default of 100, but that may just for display. I don't see any source init functions that set the default as a fallback.

Example:
Unique ID:
002100007

The subjectId is the opaque unchanging ID of the entity
Email:
d.kwdln41@example.edu.invalid

This is the entity attribute: preferred_email
Name:
Margaret Simmons

The entity attribute 'name' is the first and last name of the entity
Description:
Margaret Simmons

The 'description' attribute differentiates entities with the same name

This is new UI behavior for 2.6.16, and may not be desirable for all institutions

The drop down list of provisioner types that can be created is a hard coded list of specific classes in ProvisioningConfiguration.provisionerConfigClassNames that is defined as final at Grouper startup. If an institution creates a custom provisioner, the classes can be supplied in a separate jar. But there isn't a way to extend the drop down list since it is sealed.

Maybe something like this in grouper-ui.properties?

additionalProvisioners.0.class = MySpecialProvisionerConfiguration

additionalProvisioners.1.class = OtherSpecialProvisionerConfiguration

The provisioners would then appear after the built-in ones, in the order enumerated in the config.

per slack conversation:
https://internet2.slack.com/archives/C7V0UQDJ4/p1664378034256609?thread_ts=1664301961.029599&cid=C7V0UQDJ4
increase or relieve the size limit of a SQL query in loader jobs.

Creation of a local entity in a folder seems to be failing due to the system attempting to assign permissions to the entity which are not allowed by the user creating the entity.  The user has Admin privs on the folder (inherited) that the entity is being created in. 

There are no explicit permissions being assigned to these entities as far as we can tell, so we are a bit at a loss as to which permissions are triggering this error.

Users in the sysadmingroup do not have this issue.

I'm attaching the stack trace which is logged when this happens.  The UI returns the usual message related to the Hibernate transaction being closed.
Error creating local entity: , stem name: 'app:adminit:api:service:consumers', group extension: 'UCD_General_Library', group dExtension: 'UCD General Library', uuid: null, typeOfGroup: entity, Problem in HibernateSession: HibernateSession (333d0b92): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (10c9553e), Problem in HibernateSession: HibernateSession (3f75ab72): notNew, notReadonly, READ_WRITE_NEW, activeTransaction, session (10c9553e), Problem in HibernateSession: HibernateSession (300ef3bb): new, notReadonly, READ_WRITE_NEW, notActiveTransaction, session (10c9553e), Problem saving group: app:adminit:api:service:consumers:UCD_General_Library, thread: c4742a7

Jeffrey Crawford Yesterday at 7:52 PM
Random question about GSH templates and gsh_builtin_gshTemplateOutput.addOutputLine it looks like the message types are only success (green), info (blue) and error (red) but when I set to error it seems to think the script failed and it rolls everything back. Is there something like “warn” (yellow) possible, or is there a way to have a error message that doesn’t make the system think there was an error we can’t handle (I’m asking for a list of users, and if any can’t be found, I just want to display a message regarding that.)

I don't know if we can make just those lines yellow, or if the whole div needs to be yellow.

IIRC these statuses are magic string values. It would be good to have an enum version of these too, which would make it more "Java-like".

Under Miscellaneous->Configuration, the option under Config actions to "Export configuration file" is really only exporting properties that are defined in the database. There is no indication that is what it is doing. It isn't intuitive, since it's not exporting what the user sees on the screen, which is the overlay of the entire hierarchy. It's also not acting on any Source type filter (e.g. non-base) or string filter, and it isn't intuitive that they will be ignored.

SQL Loader:

LDAP Loader:

https://spaces.at.internet2.edu/display/Grouper/Grouper+-+Loader+GSH

A GSH job type will allow more kinds of sources in loader jobs. The script could be written to query a REST endpoint, a flat file, or a proprietary client-server interface, and then produce either a list of subjects (GSH_SIMPLE) or groups + subjects (GSH_GROUPS_LIST). The wiki proposes the subject and group resolution be done in the script rather than outputting then as strings. This is so that the script has total control, in case it needs to do more complex logic – e.g. custom display names or descriptions for groups, or dynamic source determination for subjects.

Like gsh templates and reports, there will be specific variables passed into the script. GrouperSession and LoaderJobBean objects will be used like in the SQL and LDAP loader types, while a new GshLoaderJobResults object will hold the rows of the script results. for a GSH_SIMPLE job the rows will be Subjects, while for a GSH_GROUPS_LIST they will be Group + Subject tuples. It will not need a separate group query like the SQL loader does, because the script will be doing its own group creation as needed.

When searching for an attributeName in the combo box, the icon is one gear, not 3. It used to be a folder icon, before GRP-1780 changed both attribute defs and names to the same gear icon

For a non-root user, with the correct READ privileges on an attributeDef, and VIEW and ATTR_READ on a folder, the user can't see the attributes on the folder because the menu item isn't an option. See screenshot

When configuring the loader for a group it has been our experience that if you set the config in the UI to one thing the "view loader settings" option will show the opposite of what is selected in the "edit loader configuration" option. 

If a user has READ + UPDATE on a group, and a group is a member of that group, but the user doesn't have READ or VIEW on that member group, they can see the members of that group indirectly, but not the group name itself.
 

In the screenshot above, a user needs to attest the group, but can only see the indirect members, not the direct group member. They can't determine whether that group is appropriate in order to attest to it.

Should it be assumed that if a user has read and update on a group, they should be able to see the names of member groups? This would probably affect the API and WS as well, not just the UI. The current behavior also affects visualization, where it shows the group having members, but doesn't include the source group that is the source of those members.

The memberships tab for a subject may include a lot of intermediate groups which are not interesting to see. In order to trim the data to the more useful rows, there should be an advanced filter where you can include or exclude one (or more?) object types.

The property management page in the UI is relatively slow to appear, approximately 20 seconds at our institution for grouper.properties to be loaded. This is so slow that it not only affects the wait time for the page to appear, but also impacts properties import. When importing properties, the import results in the green status bar are immediately displayed, and the page appears to be complete. But when you go to another page, the page may initially display, but will then be redirected later back to the property management page, which took a while to generate the summary page of all the properties. Apparently the ajax isn't cancelled so is still pending 20 seconds after going to a different page.

In our configuration, the configuration pages also randomly but consistently would bring down our UI server (which was admittedly tight on memory). Doing a profile while loading the configuration page shows that it uses up 150MB of ram for temporary objects that are then released for GC once the page loads. This seems like a lot, for a page that is just loading key/value pairs.

When investigating out when a particular subject was added to a group, getting the whole audit list for the group and looking through all the pages for the subject is cumbersome. (1) The audit entry table can be very large, and may perform poorly; (2) except for date, there is no filter in the audit entry view other than by date, so the user needs to scan through pages of entries to find the target.

From the membership view, getting the membership add/change/delete audit entries for a particular user in a group should be much faster than getting all the entries for the group.

Suggested:

We can download the members of a group as a CSV file, our security team would like that expanded to the audit log. It would be useful that the same filter criteria could be used so that a CSV would only contain the time frame of interest.

Currently, long-running operations will result in an error message "×There was an error with your request. Click here to start over."  No error has occurred outside of the UI timeouts.  However, the user isn't notified that their operation is still processing, only when it completes.

A functional improvement to the UI would be a notification <div>, accessible from an icon in the upper right of the UI (similar to notification feeds in certain social platforms and admin consoles) from any page.  The feed would contain the user's recent activity(similar to that on the user's main page).  The feed would be modified to add an entry when when an operation  taking longer than a configurable amount begins, then another when an operation ends.

My users (and I ) are often frustrated by the "CSRF warning" only to click a link and SSO back into the app. It would be a much better experience if the user would come back to a "your session has expired" page and know that the first click leads to a login process instead of being surprised by the process.

I have seen "security centric" apps that have UI timeouts built in.

When the timeout expires ( due to lack of use ) the browser auto redirect the user to a page that tells them their session has timed out and gives them a link to log back in. (and start a new session.)

I think it would be a good feature for Grouper UI to implement.

Credit to Karl Amrhein for this suggestion.

If a group has a large number of groups as members, it's desirable to limit the number of siblings shown to make the drawing smaller. But there is no indication in the graph whether siblings are being truncated. So maybe add a pseudo-node indicating more groups exist? See one possibility below.

The PSPNG provisioner I guess depends on an LDAP property that ends in bindCredential instead of password, and the Configuration view in the UI of the loader properties doesn't mask it the way it does other property names it thinks are secrets. Seems like an obvious/simple fix. I'm aware that it would be masked if it were stored in the database directly, but that's not always the goal.

It would be helpful to reuse the existing 'add Member' UI structure and logic to allow a user to select a subject ( or a list of subjects) as an input to a GSH template.

Ideally the GSH template config could also add some limits/scopes to the searches too:

• check boxes for the subject sources to search 
• Maybe a "stem scope" would be helpful too ( for finding folders/groups )
• It would be useful to be able to use the "gsh_builtin_*" values in this process too.
• It would be useful to be able to use the "gsh_input_*" values in this process too.

Only being able to filter by dates is rather limiting.

Please also allow the UI user to filter by the following:

    Actor  ( grouper user/process that made the change )

    Member ( Member was affected by the change )

    Type of change ( add , delete[AKA: remove] , Exported, ... other actions??)

The filtering on the Attribute Name "view assigned owners" appears to only filter on the object names where the attribute Name is assigned.

It would be very helpful to also be able to "find" by assigned Value matching too.

Example ( but not the only one) is the UI for attribute assignments for an AttributeName.
.../UiV2Main.index?operation=UiV2AttributeDefName.viewAttributeDefNameAssignedOwners&attributeDefNameId=*

If you set a filter to get a sub set of the assignments.
Then make a change to one ( like removing one assignment).
The filter is cleared and the list is refreshed.

Either the refresh should be "optional", or the filter should be maintained and reused during the refresh.

I can see value in not doing the refresh constantly for the user. (UI performance to fetch almost the same list back each time.)  But that likely would require other UI dynamic actions for things like "remove" a row too.

The classes for the UI templates – both the original app/gdg/policy and the new gsh ones – were written to only be usable from the UI. This means that they can't be called from GSH or from WS, without creating mock HTTPRequest and HTTPSession containers. It also makes it harder to write unit tests. The classes have been added to the edu.internet2.middleware.grouper.grouperUi.beans.ui package, even though they are not beans. This makes it harder to identify which classes are related to the template functionality, since they are mixed in with container bean classes that were originally meant to be for jsp templates.

See also GRP-3041 Make the Template Feature available in the WS API

I prefer explicit permission models instead of implied.

Example: If there was a "folder view permission" then groups could be given access to see a folder. ( or "the magic All subjects thing" could be used too.)

To achieve the current implied  folder visibility design: ( or turn it off  at the root or at some level down the tree, if you don't ):

A rule (on the root folder) on folder create:
       create a "view folder group" for the new child folder.
       Add the child folder "view group" to have view to the parent folder ( by adding it to the parent folders "view folder group").

That way as folders are created and people are allowed to see a N level deep folder, they will automatically be able to see all the N-1 level deep folders above it back to the root.

Another rule could:
if a group/user can see an object in the a folder auto add them to the "view folder group" 

In this model a user might have access to something in a N level deep folder that they can not see the whole path too in the UI folder tree. ( Which is fine with me. ) They should be able to search and find, bookmark, find via services those things too.

I would expect the tree to "add parent folder(s) back up to the root" when a user "jumps" to an object from a search. ( Picture long chain of "closed" folders back to the root with only the children object(s) of the last folder being added to the tree. )

If a user selects a "higher level folder" that they don't have explicit access to, then they see nothing and nothing changes in the tree. ( no error, no message, must a "folder with a child folder".

All I am really talking about is making the permissions that drive the tree structure in the UI local to each folder so that a "search of a single folder's child folders/objects" is all that is ever needed for the "open" tree folder. 

When a folder is selected in the tree then becomes an "open folder" and then it's child objects are added to the tree and closed child folders are added to the tree as well.

It's a fairly big ask, but it makes the UI more "permission driven" and avoids "loading the whole tree" (at any time) to do it. 

And maybe other indexing approach could be done to "fix performance" too. However, this approach adds a feature that would allow users to have a simplified folder UI structure as well.  (And that could be achieved other ways too. I like using ACL's to provide the most flexibility to the deployer. )

The subject diagnostics search fields all pre-fill the subject search fields:

• subject ID: "someSubjectId"
• Subject Identifier: "someSubjectIdentifier"
• Search string: "first last"

These values are unlikely to find anyone, so the user has to go to the fields and overwrite them or delete the values, otherwise they will have errors. Why default values? If they need hints, we can add placeholder properties to the input fields (see mockup screenshot).

If log4j is set to default to INFO level, the majority of the UI logs are:

[http-nio-8080-exec-1] INFO  SessionInitialiser.init(345) - resources/grouper/ui-permissions.xml not found. Default permissions apply.

The ui-permissions.xml message this refers to is not included by default, is not mentioned in the wiki, and the format is only explained in javadoc. If anyone used it, it was only activated for the GroupMembershipMenuFilter in either the admin or lite ui. So it's highly unlikely to exist, which means it shouldn't warrant being at INFO level. Personally I vote to delete it.