Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] RE: Incremental memberships update in Loader jobs

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] RE: Incremental memberships update in Loader jobs


Chronological Thread 
  • From: Tom Zeller <>
  • To: Chris Hyzer <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] RE: Incremental memberships update in Loader jobs
  • Date: Thu, 21 Jun 2012 10:51:33 -0700 (MST)

Yeah. I would prob need to do an example config.

On Jun 21, 2012, at 12:08 PM, Chris Hyzer <> wrote:

Back to list for TomZ…

 

TomZ, if there are two groups:

 

GroupABC, which has people inside, and one other group: GroupABC_systemOfRecord, which has people inside (provisioned from external source via the loader).

 

Can the PSP be configured to send the overall group, and not the system of record group, and when it sends the overall group, to send the immediate/effective members but not the group which is a member of the group (since it wont be provisioned)?

 

Thanks,

Chris

 

 

From: Gagné Sébastien [mailto:]
Sent: Thursday, June 21, 2012 1:03 PM
To: Chris Hyzer
Subject: RE: Incremental memberships update in Loader jobs

 

In the 2 groups scenario, I believe that when it’s going to be provisioned to LDAP, it will send the systemOfRecord group as a member of GroupABC and not the members of systemofRecord. I don’t know if it’s going to work according to what these groups are currently used for and it will double the quantity of groups in AD. I can’t recall exactly, but I seem to remember that there was an option in the provisioning to send member-of-child-group as group member instead group-in-group membership, this might be usefull.

 

The 3 groups approach should work with AD provisioning IF I can only send the Composite group and somehow ignore the _include and _systemOfRecord groups

 

 

The more I think about it, the more a believe an in-house application might be needed, I could add an attribute to the membership to tag them as “system of record” members and treat them accordingly.

 

 

De : Chris Hyzer []
Envoyé : 21 juin 2012 10:49
À : Gagné Sébastien
Objet : RE: Incremental memberships update in Loader jobs

 

Im not ready for a release tomorrow… hopefully soon though J

 

There will be an overall group, and a system of record group.

So if you have

 

GroupABC_systemOfRecord

 

And you add the addInclude type, then it will create:

 

GroupABC, and add GroupABC_systemOfRecord as a member.

 

You shouldn’t ever use UNION since there is extra overhead and it is the same as adding a member.

 

I thought that is what you wanted, just two groups?

 

Or if you want three groups, it could create:

 

GroupABC, and GroupABC_includes, and GroupABC would have as members GroupABC_systemOfRecord and GroupABC_includes

 

Then your ldap provisioning hopefully you could not send the system of record or includes, just the overall… sound good?

 

Thanks,

Chris

 

 

 

From: Gagné Sébastien
Sent: Thursday, June 21, 2012 8:55 AM
To: Chris Hyzer
Subject: RE: Incremental memberships update in Loader jobs

 

We still aren’t sure what we’ll do, I’ll have to check with the rest of the team and that could be middle of next week. I believe 2.1.1 is scheduled to release tomorrow so you don’t need to add the feature, we can wait sometime after 2.1.1, but it’s good to know it’s an option.

 

With a addInclude GroupType what will be created ? If I understand correctly this will happen :

 

I create :

GroupABC_systemOfRecord (type addInclude)

 

Grouper grouptype creates :

GroupABC_includes

GroupABC which is GroupABC_systemOfRecord UNION GroupABC_includes

 

If I provision GroupABC to Active Directory with the PSP, which members will be provisioned ? The indirect members of the UNION or the two groups object (sys of rec. and includes) ?

 

 

On a similar topic, but not necessarily done using GroupTypes, is there a way to have something like :

 

GroupDEF_systemOfRecord

 

GroupDEF which has its how members UNION the members in GroupDEF_systemOfRecord

 

It’s similar to the include type, but with only 2 groups. The goal would be to then send GroupDEF to LDAP with all the members (not have GroupDEF_systemOfRecord as a member of GroupDEF)

 

 

I hope I’m clear enough, if not I’ll try to explain better.

Than you

 

 

De : Chris Hyzer []
Envoyé : 20 juin 2012 16:36
À : Gagné Sébastien
Objet : RE: Incremental memberships update in Loader jobs

 

I think it is doable, I will try to do it in 2.1.1.

 

https://bugs.internet2.edu/jira/browse/GRP-809

 

However, if you are not going to use it, and will do your own thing, let me know and then I will not do this for 2.1.1.

 

Thanks,

Chris

 

From: Gagné Sébastien
Sent: Wednesday, June 20, 2012 4:26 PM
To: Chris Hyzer
Subject: RE: Incremental memberships update in Loader jobs

 

Yep it works now. Thanks

 

Though it’s kind of a heavy structure having 5 groups for each group. We plan on having about 20 000 groups coming from that source. Is it possible for me to create a new 2-groups Type/process or is it something in the Grouper Core ?

 

Ultimately, I’d like to have GroupABC_systemOfRecord and GroupABC, which is “My members” + “Group ABC_SystemOfRecord members” and be able to provision Group ABC to AD. The provisioning should include GroupABC members and SystemOfRecord members. Is it doable ?

 

We were thinking about an in-house java app that would use the API to create groups and edit memberships based on the SQL source, maybe that would be quicker to create than force the SQL loader to do something it might not be designed to do.

 

 

De : Chris Hyzer []
Envoyé : 20 juin 2012 16:12
À : Gagné Sébastien
Objet : RE: Incremental member
ships update in Loader jobs

 

Whoops, yes, that is another bug:

 

https://bugs.internet2.edu/jira/browse/GRP-810

 

Set the require in groups in grouper.properties to true, and then it will not fail…

 

Thanks,

Chris

 

From: Gagné Sébastien
Sent: Wednesday, June 20, 2012 4:09 PM
To: Chris Hyzer
Subject: RE: Incremental memberships update in Loader jobs

 

The Loader is configured with addIncludeExclude :

 

<image001.png>

 

And in grouper.properties I have :

 

#if the addIncludeExclude and requireInGroups should be enabled, and if the type(s) should be

#auto-created, and used to auto create groups to facilitate include and exclude lists, and require lists

grouperIncludeExclude.use = true

grouperIncludeExclude.requireGroups.use = false

 

Should I set it to True ?

 

De : Chris Hyzer []
Envoyé : 20 juin 2012 16:02
À : Gagné Sébastien
Objet : RE: Incremental memberships update in Loader jobs

 

You have requireInGroups

Not addIncludeExclude

 

I will look into adding the other flavor of type for you, its not really documented…

 

Chris

 

From: Gagné Sébastien
Sent: Wednesday, June 20, 2012 4:00 PM
To: Chris Hyzer
Subject: RE: Incremental memberships update in Loader jobs

 

The GroupType was successfully added, but it doesn’t seem to work, I get this exception : http://tinypaste.com/8546b69e

 

What would be interesting for us would be to have the option with 2 groups : the system of record and the adhoc group where we include the system of record. Is there some documentation on how to create new type and process for them ?

 

Thanks again

 

 

De : Chris Hyzer []
Envoyé : 20 juin 2012 15:01
À : Gagné Sébastien
Objet : RE: Incremental memberships update in Loader jobs

 

You can add types to Grouper, and put hooks to do stuff for them.  There is an include/exclude one built in.  I think you just need an “include” one which doesn’t exist…  maybe we should add at some point.

 

In the grouper.properties, set this:

 

grouperIncludeExclude.use = true

 

Then start grouper (GSH, UI, whatever), and it will add that type to the DB.

Then in the grouperLoaderGroupTypes, you can put:  addIncludeExclude

 

This will do all the work to create the supporting groups… does it work?

 

Updating the docs would be great, thanks.

 

Regards,

Chris

 

 

 

From: Gagné Sébastien
Sent: Wednesday, June 20, 2012 2:48 PM
To: Chris Hyzer
Subject: RE: Incremental memberships update in Loader jobs

 

Hi Chris,

I’m having a hard time finding the right configuration for the “grouperLoaderGroupTypes”. Where can I find the available group types ? Should any be available by default or must I import them ?

 

I find the documentation on that subject a little slim, I’ll try to add to it when I understand better. Maybe it’s because I never configured any GroupType and don’t really know how to use them, but I’m currently lost.

 

Thanks

 

De : Chris Hyzer []
Envoyé : 20 juin 2012 11:52
À : Gagné Sébastien;
Objet : RE: Incremental memberships update in Loader jobs

 

How will it know which members are removed from ldap and which are added to ui?

In any case, I think the load is intended to manage “system of record” groups.  If you need people to do ad hoc changes, you should mark the job as “add include/exclude” type, which will create an overall group, an additions group, a subtractions group, and setup the composites appropriately.  In the loader job you can add that type automatically (we do this with org groups).  If you need help let me know.

 

Thanks,

Chris

 

From: On Behalf Of Gagné Sébastien
Sent: Wednesday, June 20, 2012 11:41 AM
To:
Subject: [grouper-users] Incremental memberships update in Loader jobs

 

Hi,

I was wondering if there was a way to have « incremental Â» (add only?) membership updates in the Loader Jobs (LDAP and SQL both behave the same). Right now, using the UI, if I add a member to a Grouper Group that is managed by a loader it will be removed the next time it runs.

 

Here is my current use case :

1.       GroupABC is in Grouper and managed by a loader process

2.       Loader adds UserA and UserB as member of GroupABC
{{ GroupABC contains: UserA, UserB }}

3.       Using Grouper UI, I add UserC to GroupABC
{{ GroupABC contains : UserA, UserB, UserC }}

4.       Loader process runs, removes UserC
{{ GroupABC contains : UserA, UserB }}

5.       I add UserD in source (e.g. Active directory or SQL database)

6.       Loader process runs, adds UserD
{{ GroupABC contains : UserA, UserB
, UserD }}

 

Is there a way for us to have UserA-B-C-D in GroupABC  using the loader processes ? Is there a flag saying “only add new/missing members and ignore the other additionnal Grouper member” , i.e., don’t do step #4 ( keep/ignore UserC) and still add UserD in #5 ?

 

This can mostly be done if were dealing with an LDAP source since real-time provisioning will likely send UserC in the source before the LDAP Loader runs. When it will run, the loader will have UserC in its result set so it will leave it in the Group.

 

Thanks

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11

 




Archive powered by MHonArc 2.6.16.

Top of Page