Grouper Developers Forum

[Tom Barton <>]

Arnaud Deman wrote:
> > How many dynamic groups are you likely to need? Do they have to be 
> > fully enumerated i.e. will you be expecting to list these memberships 
> > or just test whether someone is a member?
>
> A lot ! ;) We don't know currently exactly how many but it is possible 
> that we have to manage several thoushands (say between 3000 and 5000). 
> And of course we would like to enumerate them ! We can't do that with 
> the PAGS groups and it was also one of our motivation to extends Grouper 
> for this purpose.

This is where dynamic and static groups mix about as well as oil and 
water. You can't know that a subject is not a member of a dynamic group 
until you evaluate the dynamic group membership filter on that subject. 
So, to enumerate a subject's memberships will require that all dynamic 
group filters are evaluated. If you have 5000 of those, they'll all need 
to be evaluated every time you need to enumerate memberships.

This type of issue is what led us early on to maintain "flattened" group 
membership information in grouper, ie, compute the indirect membership 
effects of subgroups and composite groups as they are created. That 
enables us to quickly enumerate memberships on demand. I suspect that 
only a "pre-computed" approach to dynamic group membership can scale to 
more than a handful of dynamic groups.

Something must update the attributes in the LDAP directory (or many LDAP 
directories?) that appear in the filters defining your dynamic groups. 
Can this LDAP updating process be used to trigger updating of the 
flattened membership of dynamically-defined groups?

Tom
begin:vcard
fn:Tom Barton
n:Barton;Tom
org:University of Chicago;Networking Services & Information Technology
adr;dom:1155 E. 60th St.;;Rm 309, 1155 Bldg;Chicago;IL;60637
email;internet:
title:Sr. Director - Integration
tel;work:+1 773 834 1700
version:2.1
end:vcard