
grouper-users - RE: [grouper-users] PSPNG and (not)provisioning groups

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: Marwan Ali Shaher <>, "" <>
  • Subject: RE: [grouper-users] PSPNG and (not)provisioning groups
  • Date: Fri, 17 Jan 2020 19:56:50 +0000

I would say get something working now and it will change slightly in the future and we can take this use case into consideration.

 

It would be nice, if an institution wanted to provision policy groups only, that all groups and only groups which are policy groups are marked with the “policy” “type”.  Think you could make sure your groups have that “type”?  (or at some point before the upgrade to the new method).

 

Anyways, don’t worry, we will have an upgrade path for it.

 

Thanks

Chris

 

From: <> On Behalf Of Marwan Ali Shaher
Sent: Friday, January 17, 2020 1:04 PM
To:
Subject: [grouper-users] PSPNG and (not)provisioning groups

 

Hello everyone,

We finally have the time and momentum to move away from our messaging queue-based group provisioning to using PSPNG. We currently use a bushy structure to provision to AD. For include/exclude type groups, we only provision the overall group to AD and not the “includes”, “excludes”, “SOR” and “SOR and includes” groups. In our dev Grouper environment, we have the following settings for PSPNG (lines separated for readability):

 

changeLog.consumer.pspng_activedirectory.groupSelectionExpression = ${ utils.containedWithin(provisionerName, stemAttributes['etc:pspng:provision_to'], groupAttributes['etc:pspng:provision_to']) 

&&  !utils.containedWithin(provisionerName, stemAttributes['etc:pspng:do_not_provision_to'], groupAttributes['etc:pspng:do_not_provision_to']) 

&& !grouperUtil.extensionFromName(name).endsWith('_excludes') 

&& !grouperUtil.extensionFromName(name).endsWith('_includes') 

&& !grouperUtil.extensionFromName(name).endsWith('_systemOfRecord') 

&& !grouperUtil.extensionFromName(name).endsWith('_systemOfRecordAndIncludes') }

 

changeLog.consumer.pspng_activedirectory.groupCreationLdifTemplate = dn: ${utils.bushyDn(group.name, "cn", "ou")}||cn: ${grouperUtil.extensionFromName(name)}||samAccountName: ${grouperUtil.extensionFromName(name)}||objectclass: group||gidNumber: ${group.idIndex}

 

The “groupSelectionExpression” value above works in preventing the “includes”, “excludes”, “SOR” and “SOR and includes” groups from getting provisioned to AD. My question is:

- Is this the right approach, or at least one of them, to achieve provisioning or not provisioning groups based on name?

 

Also, from the 2018 TechEx Grouper presentation by the Grouper Dev Team, it looks like there is another approach using the Grouper rules:

 

Is there a preference on using either approach?

 

Thanks,

 

- Marwan
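
A check one could run after enabling the name-based filter above, as an added example that is not part of the original thread or Grouper's own code: it scans an LDIF export of the AD group subtree for include/exclude helper groups that should not have been provisioned. The sample LDIF, its DNs and the function names are constructed for illustration.

```python
import base64

# Suffixes the groupSelectionExpression above excludes (case-sensitive, like endsWith).
HELPER_SUFFIXES = ("_excludes", "_includes", "_systemOfRecord",
                   "_systemOfRecordAndIncludes")

# Constructed sample export, not real data: one folded dn, one base64 cn.
SAMPLE_LDIF = """dn: cn=staff,ou=hr,ou=app,dc=example,dc=edu
objectClass: group
cn: staff

dn: cn=staff_excludes,ou=hr,ou=app,dc=example,dc=edu
objectClass: group
cn: staff_excludes

dn: cn=payroll_systemOfRecordAndIncludes,ou=hr,ou=app,
 dc=example,dc=edu
objectClass: group
cn:: """ + base64.b64encode(b"payroll_systemOfRecordAndIncludes").decode() + "\n"

def parse_ldif(text):
    """Parse LDIF into dicts of attr -> [values]; unfolds lines, decodes base64."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # 'attr:: <base64>' form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def leaked_helper_groups(ldif_text):
    """DNs of AD group entries whose cn ends with a helper suffix."""
    return [e["dn"][0] for e in parse_ldif(ldif_text)
            if "dn" in e
            and "group" in (c.lower() for c in e.get("objectclass", []))
            and any(n.endswith(HELPER_SUFFIXES) for n in e.get("cn", []))]
```

An empty result from `leaked_helper_groups` on an export of the provisioned subtree means no helper group reached AD; any DN returned points at a group the selection expression should have filtered out.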



