grouper-users - [grouper-users] RE: Incremental memberships update in Loader jobs
Subject: Grouper Users - Open Discussion List
List archive
- From: Chris Hyzer <>
- To: Gagné Sébastien <>
- Cc: "" <>
- Subject: [grouper-users] RE: Incremental memberships update in Loader jobs
- Date: Thu, 21 Jun 2012 17:08:42 +0000
- Accept-language: en-US
|
Back to list for TomZ… TomZ, if there are two groups: GroupABC, which has people inside, and one other group: GroupABC_systemOfRecord, which has people inside (provisioned from external source via the loader). Can the PSP be configured to send the overall group, and not the system of record group, and when it sends the overall group, to send the immediate/effective members but not the group which is a member of the
group (since it wont be provisioned)? Thanks, Chris From: Gagné Sébastien [mailto:]
In the 2 groups scenario, I believe that when it’s going to be provisioned to LDAP, it will send the systemOfRecord group as a member of GroupABC and not the members of systemofRecord. I don’t know
if it’s going to work according to what these groups are currently used for and it will double the quantity of groups in AD. I can’t recall exactly, but I seem to remember that there was an option in the provisioning to send member-of-child-group as group
member instead group-in-group membership, this might be usefull. The 3 groups approach should work with AD provisioning IF I can only send the Composite group and somehow ignore the _include and _systemOfRecord groups
The more I think about it, the more a believe an in-house application might be needed, I could add an attribute to the membership to tag them as “system of record” members and treat them accordingly. De : Chris Hyzer []
Im not ready for a release tomorrow… hopefully soon though
J There will be an overall group, and a system of record group. So if you have GroupABC_systemOfRecord And you add the addInclude type, then it will create: GroupABC, and add GroupABC_systemOfRecord as a member. You shouldn’t ever use UNION since there is extra overhead and it is the same as adding a member. I thought that is what you wanted, just two groups? Or if you want three groups, it could create: GroupABC, and GroupABC_includes, and GroupABC would have as members GroupABC_systemOfRecord and GroupABC_includes Then your ldap provisioning hopefully you could not send the system of record or includes, just the overall… sound good? Thanks, Chris From: Gagné Sébastien
We still aren’t sure what we’ll do, I’ll have to check with the rest of the team and that could be middle of next week. I believe 2.1.1 is scheduled to release tomorrow so you don’t need to add the
feature, we can wait sometime after 2.1.1, but it’s good to know it’s an option. With a addInclude GroupType what will be created ? If I understand correctly this will happen : I create : GroupABC_systemOfRecord (type addInclude) Grouper grouptype creates : GroupABC_includes GroupABC which is GroupABC_systemOfRecord UNION GroupABC_includes If I provision GroupABC to Active Directory with the PSP, which members will be provisioned ? The indirect members of the UNION or the two groups object (sys of rec. and includes) ? On a similar topic, but not necessarily done using GroupTypes, is there a way to have something like : GroupDEF_systemOfRecord GroupDEF which has its how members UNION the members in GroupDEF_systemOfRecord It’s similar to the include type, but with only 2 groups. The goal would be to then send GroupDEF to LDAP with all the members (not have GroupDEF_systemOfRecord as a member of GroupDEF) I hope I’m clear enough, if not I’ll try to explain better. Than you De : Chris Hyzer []
I think it is doable, I will try to do it in 2.1.1. https://bugs.internet2.edu/jira/browse/GRP-809 However, if you are not going to use it, and will do your own thing, let me know and then I will not do this for 2.1.1. Thanks, Chris From: Gagné Sébastien
Yep it works now. Thanks Though it’s kind of a heavy structure having 5 groups for each group. We plan on having about 20 000 groups coming from that source. Is it possible for me to create a new 2-groups Type/process or
is it something in the Grouper Core ? Ultimately, I’d like to have GroupABC_systemOfRecord and GroupABC, which is “My members” + “Group ABC_SystemOfRecord members” and be able to provision Group ABC to AD. The provisioning should include
GroupABC members and SystemOfRecord members. Is it doable ? We were thinking about an in-house java app that would use the API to create groups and edit memberships based on the SQL source, maybe that would be quicker to create than force the SQL loader to
do something it might not be designed to do. De : Chris Hyzer []
Whoops, yes, that is another bug: https://bugs.internet2.edu/jira/browse/GRP-810 Set the require in groups in grouper.properties to true, and then it will not fail… Thanks, Chris From: Gagné Sébastien
The Loader is configured with addIncludeExclude :
And in grouper.properties I have : #if the addIncludeExclude and requireInGroups should be enabled, and if the type(s) should be #auto-created, and used to auto create groups to facilitate include and exclude lists, and require lists grouperIncludeExclude.use = true grouperIncludeExclude.requireGroups.use =
false Should I set it to True ? De : Chris Hyzer []
You have requireInGroups Not addIncludeExclude I will look into adding the other flavor of type for you, its not really documented… Chris From: Gagné Sébastien
The GroupType was successfully added, but it doesn’t seem to work, I get this exception :
http://tinypaste.com/8546b69e What would be interesting for us would be to have the option with 2 groups : the system of record and the adhoc group where we include the system of record. Is there some documentation on how to
create new type and process for them ? Thanks again De : Chris Hyzer []
You can add types to Grouper, and put hooks to do stuff for them. There is an include/exclude one built in. I think you just need an “include” one which doesn’t exist… maybe we should add at some point. In the grouper.properties, set this: grouperIncludeExclude.use =
true Then start grouper (GSH, UI, whatever), and it will add that type to the DB. Then in the grouperLoaderGroupTypes, you can put: addIncludeExclude This will do all the work to create the supporting groups… does it work? Updating the docs would be great, thanks. Regards, Chris From: Gagné Sébastien
Hi Chris, I’m having a hard time finding the right configuration for the “grouperLoaderGroupTypes”.
Where can I find the available group types ? Should any be available by default or must I import them ? I find the documentation on that subject a little slim, I’ll try to add to it when I understand better. Maybe it’s because I never
configured any GroupType and don’t really know how to use them, but I’m currently lost. Thanks De : Chris Hyzer []
How will it know which members are removed from ldap and which are added to ui? In any case, I think the load is intended to manage “system of record” groups. If you need people to do ad hoc changes, you should mark the job as “add include/exclude” type, which will create an overall group,
an additions group, a subtractions group, and setup the composites appropriately. In the loader job you can add that type automatically (we do this with org groups). If you need help let me know. Thanks, Chris From:
On Behalf Of Gagné Sébastien Hi, I was wondering if there was a way to have « incremental » (add only?) membership updates in the Loader Jobs (LDAP and SQL both behave the same). Right now, using the UI, if I add a member to a Grouper Group that is managed
by a loader it will be removed the next time it runs. Here is my current use case : 1.
GroupABC is in Grouper and managed by a loader process 2.
Loader adds UserA and UserB as member of GroupABC 3.
Using Grouper UI, I add UserC to GroupABC
4.
Loader process runs, removes UserC 5.
I add UserD in source (e.g. Active directory or SQL database) 6.
Loader process runs, adds UserD Is there a way for us to have UserA-B-C-D in GroupABC using the loader processes ? Is there a flag saying “only add new/missing members and ignore the other additionnal Grouper member” , i.e., don’t do step #4 ( keep/ignore
UserC) and still add UserD in #5 ? This can mostly be done if were dealing with an LDAP source since real-time provisioning will likely send UserC in the source before the LDAP Loader runs. When it will run, the loader will have UserC in its result set
so it will leave it in the Group. Thanks Sébastien Gagné, |
Analyste en informatique 514-343-6111 x33844
|
Université de Montréal,
|
Pavillon Roger-Gaudry, local X-100-11 |
- [grouper-users] Incremental memberships update in Loader jobs, Gagné Sébastien, 06/20/2012
- [grouper-users] RE: Incremental memberships update in Loader jobs, Chris Hyzer, 06/20/2012
- [grouper-users] RE: Incremental memberships update in Loader jobs, Gagné Sébastien, 06/20/2012
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- Message not available
- [grouper-users] RE: Incremental memberships update in Loader jobs, Chris Hyzer, 06/21/2012
- Re: [grouper-users] RE: Incremental memberships update in Loader jobs, Tom Zeller, 06/21/2012
- Message not available
- Message not available
- Message not available
- Message not available
- [grouper-users] RE: Incremental memberships update in Loader jobs, Chris Hyzer, 06/20/2012
Archive powered by MHonArc 2.6.16.