grouper-users - RE: [grouper-users] PSPNG and (not)provisioning groups
Subject: Grouper Users - Open Discussion List
- From: "Hyzer, Chris" <>
- To: Marwan Ali Shaher <>, "" <>
- Subject: RE: [grouper-users] PSPNG and (not)provisioning groups
- Date: Fri, 17 Jan 2020 19:56:50 +0000
I would say get something working now and it will change slightly in the future and we can take this use case into consideration.
It would be nice, if an institution wanted to provision policy groups only, that all groups and only groups which are policy groups are marked with the “policy” “type”. Think you could make sure your groups have that “type”? (or at some point before the upgrade to the new method).
Anyways, don’t worry, we will have an upgrade path for it.
Thanks,
Chris
From: <>
On Behalf Of Marwan Ali Shaher
Hello everyone,

We finally have the time and momentum to move away from our messaging queue-based group provisioning to using PSPNG. We currently use a bushy structure to provision to AD. For include/exclude type groups, we only provision the overall group to AD and not the “includes”, “excludes”, “SOR” and “SOR and includes” groups.

In our dev Grouper environment, we have the following settings for PSPNG (lines separated for readability):

changeLog.consumer.pspng_activedirectory.groupSelectionExpression = ${
    utils.containedWithin(provisionerName, stemAttributes['etc:pspng:provision_to'], groupAttributes['etc:pspng:provision_to'])
    && !utils.containedWithin(provisionerName, stemAttributes['etc:pspng:do_not_provision_to'], groupAttributes['etc:pspng:do_not_provision_to'])
    && !grouperUtil.extensionFromName(name).endsWith('_excludes')
    && !grouperUtil.extensionFromName(name).endsWith('_includes')
    && !grouperUtil.extensionFromName(name).endsWith('_systemOfRecord')
    && !grouperUtil.extensionFromName(name).endsWith('_systemOfRecordAndIncludes') }

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name, "cn", "ou")}||cn: ${grouperUtil.extensionFromName(name)}||samAccountName: ${grouperUtil.extensionFromName(name)}||objectclass: group||gidNumber: ${group.idIndex}

The “groupSelectionExpression” value above works in preventing the “includes”, “excludes”, “SOR” and “SOR and includes” groups from getting provisioned to AD. My question is:
- Is this the right approach, or at least one of them, to achieve provisioning or not provisioning groups based on name?

Also, from the 2018 TechEx Grouper presentation by the Grouper Dev Team, it looks like there is another approach using the Grouper rules:
Is there a preference on using either approach?
Thanks,
- Marwan
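
Added example, not part of either message and not Grouper code: a small Python model of the groupSelectionExpression quoted above, run over constructed group names to show which groups would be provisioned and where name-based filtering skips a group it should not. The semantics assumed for extensionFromName and utils.containedWithin are stated in the comments; the helper functions and sample names are hypothetical.

```python
# Python model of the groupSelectionExpression quoted above (added example).
# Assumed semantics: extensionFromName returns the text after the last ':',
# and utils.containedWithin is true when the item is in any given collection.
HELPER_SUFFIXES = ("_excludes", "_includes", "_systemOfRecord",
                   "_systemOfRecordAndIncludes")
PROVISIONER = "pspng_activedirectory"

def extension_from_name(name):
    return name.rsplit(":", 1)[-1]

def contained_within(item, *collections):
    return any(item in (c or ()) for c in collections)

def selected(name, stem_attrs, group_attrs):
    """Mirror of the expression: marked for this provisioner, not vetoed,
    and not an include/exclude helper group."""
    marked = contained_within(PROVISIONER,
                              stem_attrs.get("etc:pspng:provision_to"),
                              group_attrs.get("etc:pspng:provision_to"))
    vetoed = contained_within(PROVISIONER,
                              stem_attrs.get("etc:pspng:do_not_provision_to"),
                              group_attrs.get("etc:pspng:do_not_provision_to"))
    helper = extension_from_name(name).endswith(HELPER_SUFFIXES)
    return marked and not vetoed and not helper

def plan(groups):
    """Return the sorted group names that would be provisioned."""
    return sorted(n for n, (s, g) in groups.items() if selected(n, s, g))

# Constructed sample registry: name -> (inherited stem attrs, group attrs)
ON = {"etc:pspng:provision_to": ["pspng_activedirectory"]}
OFF = {"etc:pspng:do_not_provision_to": ["pspng_activedirectory"]}
SAMPLE = {
    "app:vpn:users": (ON, {}),
    "app:vpn:users_includes": (ON, {}),
    "app:vpn:users_excludes": (ON, {}),
    "app:vpn:users_systemOfRecord": (ON, {}),
    "app:vpn:users_systemOfRecordAndIncludes": (ON, {}),
    "app:vpn:admins": (ON, OFF),          # opted out on the group itself
    "ref:dept:staff": ({}, {}),           # never marked for provisioning
    "app:wiki:page_includes": (ON, {}),   # real group with a helper-like name
}

if __name__ == "__main__":
    for name in SAMPLE:
        verdict = "provision" if selected(name, *SAMPLE[name]) else "skip"
        print(f"{verdict:9} {name}")
```

The last sample entry is skipped only because of its name, which is the case an explicit marker on the group would handle instead of a suffix match.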