The info on this page applies to Grouper 2.6 and above.

Objects that are synced from Grouper to the target system (e.g. LDAP, Azure, etc.) can have validations on their elements.

Validation configuration example

Here is an example of a config on a group attribute

Attribute values

(on groups or entities):

  • There is a matching ID, in the target format, which is used to compare objects on the Grouper side with objects on the target side to see which objects are the same representation.  If there is no matching ID, and no other way to match (e.g. a secondary matching ID such as a "group link" DN or UUID), then the object is invalid
  • Can have a default value: if the attribute is normally blank, it will use the default, and if a value exists in the future, that value will replace the default
  • Can be required, so that if it does not have a value, then it is invalid
  • Can have a max length so that if it will not fit in the target then it is invalid
  • Can have an expression that validates the value (e.g. a regex or something complex)
  • There is a search attribute to look up the group/entity in the target.  There might be other ways to look up the user (e.g. by a "group link" value of DN or UUID or secondary search attribute).  If there is no search attribute (even if not marked as required), after taking the secondary search strategies into consideration, then the object is invalid.

Membership attribute configuration

Membership attribute value (groupAttributes or entityAttributes e.g. LDAP only, not for membershipObject provisioning e.g. web service or SQL)

Membership attribute values

  • If the value of the membership attribute is blank, then the object is invalid
  • This applies to the value of the object in the membership.  e.g. if you are provisioning groupAttributes, then if the membership attribute in the entity is invalid, then the entity is invalid (not the group)

Memberships required

  • We will add a config to require memberships in a group to make it provisionable
    • If a group doesn't have any memberships and this setting is enabled, then the group is not provisionable
    • If a group is in the target and is drained of memberships, then it will be handled in the provisioning delete logic (whatever resolution is configured)
  • Entities must be in a provisionable group to be provisionable

Handling validation problems

Note: full syncs will try all provisionable (by membership) objects, and will see if any invalid objects are now valid and can be provisioned

Important validation issues are the matching ID, search attribute, or membership attribute value.

Unimportant validation issues are the group description or user first/last name.

| Object type | State | Provisioning run type | Issue | Resolution |
|---|---|---|---|---|
| Group/entity | Insert | Full | Field/attribute is invalid | Object is not provisionable.  No memberships will be added until valid.  Do not insert |
| Group/entity | Insert | Incremental | Field/attribute is invalid | Same resolution as full.  Also do not retry until attributes change on the object or a full sync |
| Group/entity | Update | Full | Field/attribute is invalid | Do not update the attribute on the object. |
| Group/entity | Update | Incremental | Field/attribute is invalid | Same resolution as full.  Also do not retry until attributes change on the object or a full sync |
| Group/entity | Delete / Mark unprovisionable | Full / incremental | Field/attribute is invalid | Delete the object if configured to.  Invalid data will not stop deletes |
| Membership | Insert | Full / incremental | Group or entity has unimportant validation issue, and is not already in target | Do not insert memberships if the group or entity needs to be in the target and is not valid and is not in the target |
| Membership | Insert | Full / incremental | Group or entity has unimportant validation issue, and is already in target | Insert memberships if the group or entity needs to be in the target and is not valid and is in the target |
| Membership | Insert | Full | Group or entity has important validation issue | Do not insert the membership.  The membership is not provisionable |
| Membership | Insert | Incremental | Group or entity has important validation issue | Same resolution as full.  Also do not retry until attributes change on the object or a full sync |
| Membership | Delete | Full / incremental | Group or entity has any validation issue | Delete the membership.  Invalid data will not stop deletes |
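
The attribute rules and the membership-insert rows of the table above, modelled in Python as an added example (this is not Grouper code or configuration). `AttrRule`, `validate` and `may_insert_membership` are hypothetical names, the sample groups are constructed, and secondary matching/search strategies are not modelled.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class AttrRule:                      # hypothetical model of one attribute's validation config
    name: str
    required: bool = False
    max_length: Optional[int] = None
    regex: Optional[str] = None      # stands in for the validation expression
    default: Optional[str] = None
    important: bool = False          # matching ID, search attribute, membership attribute value

def validate(obj, rules):
    """Return (attribute, problem, important) for every rule the object fails."""
    issues = []
    for r in rules:
        value = obj.get(r.name) or r.default      # the default only fills a blank value
        if not value:
            # A blank important attribute is invalid even if not marked required.
            if r.required or r.important:
                issues.append((r.name, "blank", r.important))
            continue
        if r.max_length is not None and len(value) > r.max_length:
            issues.append((r.name, "too long", r.important))
        if r.regex and not re.fullmatch(r.regex, value):
            issues.append((r.name, "fails expression", r.important))
    return issues

def may_insert_membership(issues, in_target):
    """Membership insert rows: an important issue always blocks the insert;
    an unimportant issue blocks it only while the object is not yet in the target.
    Deletes are never blocked by invalid data, so they need no check here."""
    if any(important for _, _, important in issues):
        return False
    return in_target or not issues

# Constructed sample rules: cn acts as matching ID and search attribute.
RULES = [
    AttrRule("cn", required=True, max_length=64, regex=r"[A-Za-z0-9:_-]+", important=True),
    AttrRule("description", max_length=20),
    AttrRule("businessCategory", required=True, default="grouper"),
]
# Constructed sample groups.
VALID = {"cn": "app:wiki:admins", "description": "Wiki admins"}
LONG_DESC = {"cn": "app:wiki:editors", "description": "x" * 40}
NO_MATCH_ID = {"cn": "", "description": "ok"}
BAD_NAME = {"cn": "bad name!"}

if __name__ == "__main__":
    for g in (VALID, LONG_DESC, NO_MATCH_ID, BAD_NAME):
        found = validate(g, RULES)
        print(g.get("cn"), found, may_insert_membership(found, in_target=False))
```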


Reporting on validation errors

Capture the errors and have them available on various UI screens for reporting / troubleshooting


See also

Provisioning configuration validation
