grouper-users - [grouper-users] PSPNG and (not)provisioning groups
Subject: Grouper Users - Open Discussion List
- From: Marwan Ali Shaher <>
- To: "" <>
- Subject: [grouper-users] PSPNG and (not)provisioning groups
- Date: Fri, 17 Jan 2020 18:04:14 +0000
Hello everyone,
We finally have the time and momentum to move away from our messaging queue-based group provisioning to using PSPNG. We currently use a bushy structure to provision to AD. For include/exclude type groups, we only provision the overall group to AD and not the “includes”, “excludes”, “SOR” and “SOR and includes” groups. In our dev Grouper environment, we have the following settings for PSPNG (lines separated for readability):
changeLog.consumer.pspng_activedirectory.groupSelectionExpression = ${ utils.containedWithin(provisionerName, stemAttributes['etc:pspng:provision_to'], groupAttributes['etc:pspng:provision_to'])
&& !utils.containedWithin(provisionerName, stemAttributes['etc:pspng:do_not_provision_to'], groupAttributes['etc:pspng:do_not_provision_to'])
&& !grouperUtil.extensionFromName(name).endsWith('_excludes')
&& !grouperUtil.extensionFromName(name).endsWith('_includes')
&& !grouperUtil.extensionFromName(name).endsWith('_systemOfRecord')
&& !grouperUtil.extensionFromName(name).endsWith('_systemOfRecordAndIncludes') }
changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name, "cn", "ou")}||cn: ${grouperUtil.extensionFromName(name)}||samAccountName: ${grouperUtil.extensionFromName(name)}||objectclass: group||gidNumber: ${group.idIndex}
The “groupSelectionExpression” value above works in preventing the “includes”, “excludes”, “SOR” and “SOR and includes” groups from getting provisioned to AD. My question is:
- Is this the right approach, or at least one of them, to achieve provisioning or not provisioning groups based on name?
Also, from the 2018 TechEx Grouper presentation by the Grouper Dev Team, it looks like there is another approach using the Grouper rules:
Is there a preference on using either approach?
Thanks,
- Marwan