...
Configuration section: Do you have entity attributes not in the subject source? True/False (default false)
If true:
Config item | Value | Show if | Description |
---|
Show entity attribute |
resolver | true/false |
Resolve attributes with SQL | true/false | showEntityAttributeResolver == 'true' | If true show the next section |
Use global SQL resolver | true/false | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' | (default false), if true then use a global resolver |
Global SQL resolver | myPeopleResolver | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'true' | Drop down of global SQL resolvers |
SQL config id | warehouse | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | Drop down with SQL config ids |
Table or view name | my_people | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | Table of user data, must have a subject source (optional), and matching/search col (required), and columns with single valued |
attributes | |||
Subject source id column | subject_source_id | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | The subject source id column (optional |
) | |||
Subject search / matching column | employee_id | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | Column that searches and matches an entity |
SQL mapping type | entityAttribute / translation | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | Drop down of the mapping type |
SQL mapping entity attribute | subjectId | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | If this is an entity attribute mapping type, pick the entity attribute from a drop down |
SQL mapping expression | ${grouperProvisioningEntity.retrieveAttributeValueString('uid')} | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | If this is a translation write the expression (unescaped) (useGlobalResolver='false') |
Last updated column | last_updated | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | If this is provided then the incremental provisioner will process people that have been recently updated (useGlobalResolver='false') |
Last updated type | timestamp | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' && useGlobalSqlResolver == 'false' | Could be timestamp, millisSince1970 (useGlobalResolver='false') |
Select all SQL on full | true/false | showEntityAttributeResolver == 'true' && resolveAttributesWithSql = 'true' | (Default true), if select * from the table should occur on full runs. Set to false if only a small subset of the total entities in the table are provisionable (show for local or global resolver) |
Resolve attributes with LDAP | true/false | showEntityAttributeResolver == 'true' | If true show the next section |
Use global LDAP resolver | true/false | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' | (default false), if true then use a global resolver |
Global SQL resolver | myPeopleResolver | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'true' | Drop down of global LDAP resolvers |
LDAP | myAd | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | Drop down with |
LDAP config ids | |||
Base DN | OU=users,DC=school,DC=edu | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | Base DN for search |
Search scope | ONELEVEL_SCOPE, or SUBTREE_SCOPE (default) | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | |
Filter part | (objectClass=person) | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | If provided, this will be part of the full or individual filter |
Attributes | employeeID, name, org, extensionAttribute11, modifyTimestamp | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | Attributes to retrieve (multi-valued attributes will be stored in appropriate structure) |
LDAP matching / search attribute | employeeID | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | LDAP attribute which is used to lookup and match an entity in Grouper |
LDAP mapping type | entityAttribute / translation | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | Drop down of the mapping type |
LDAP mapping entity attribute | subjectId | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | If this is an entity attribute mapping type, pick the entity attribute from a drop down |
LDAP matching expression | ${grouperProvisioningEntity.retrieveAttributeValueString('uid')} | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | The value in Grouper that matches the LDAP data. This is not yet ldap escaped. In this case the filter to get one record would be generated as: (&(employeeID=${grouperUtil.ldapFilterEscape(grouperProvisioningEntity.retrieveAttributeValueString('uid'))})(objectClass=person)) |
Filter all LDAP on full | true/false | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' | (Default true), if full filter should occur on full runs. Set to false if only a small subset of the total entities in the table are provisionable. In the above example, if this is true, the full filter would be: (&(employeeID=*)(objectClass=person)) |
Last updated attribute | modifyTimestamp | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | If provided the incremental can poll for new records to process. e.g. the filter would be (openldap / edirectory) (&(employeeID=*)(objectClass=person)(modifyTimestamp>=20211119082103Z)) Active directory (&(employeeID=*)(objectClass=person)(modifyTimestamp>= 20211119163324.0Z)) |
LDAP last updated format | default / activeDirectory | showEntityAttributeResolver == 'true' && resolveAttributesWithLdap = 'true' && useGlobalLdapResolver == 'false' | This is optional, if not selected it will select default 20211119082103Z for a non AD connection and activeDirectory 20211119163324.0Z for an active directory connection (which is selected in the external system) |
On a full run get all users and full sync the translations.
...
Code Block |
---|
###################################### ## Global entity attribute resolvers ## These SQL or LDAP attribute resolvers could be used in multiple provisioners or other areas ## entityAttributeResolverId is the unique configId for the attribute resolver ###################################### # Entity attribute resolver type # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.resolverType$", required: true, formElement: "dropdown", optionValues: ["sql", "ldap"]} #entityAttributeResolver.entityAttributeResolverId.resolverType = # SQL configId for database connection, default to grouper database # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.sqlConfigId$", formElement: "dropdown", formElement: "dropdown", optionValuesFromClass: "edu.internet2.middleware.grouper.app.loader.db.DatabaseGrouperExternalSystem", showEl: "${resolverType == 'sql'}"} #entityAttributeResolver.entityAttributeResolverId.sqlConfigId = # Table of user data, must have a subject source (optional), and matching/search col (required), and columns with single valued attributes # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.tableOrViewName$", required: true, showEl: "${resolverType == 'sql'}"} #entityAttributeResolver.entityAttributeResolverId.tableOrViewName = # The subject source id column # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.subjectSourceIdColumn$", showEl: "${resolverType == 'sql'}"} #entityAttributeResolver.entityAttributeResolverId.subjectSourceIdColumn = # Column that searches and matches an entity # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.subjectSearchMatchingColumn$", required: true, showEl: "${resolverType == 'sql'}"} #entityAttributeResolver.entityAttributeResolverId.subjectSearchMatchingColumn = # Grouper attribute that matches the row # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.grouperAttributeThatMatchesRow$", required: true, showEl: "${resolverType == 'sql'}, formElement: "dropdown", optionValues: ['sqlsubjectId', 'ldapsubjectIdentifer0']"} #entityAttributeResolver.entityAttributeResolverId.grouperAttributeThatMatchesRow = # The last updated column, e.g. a timestamp or number field (number of millis since 1970) # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.lastUpdatedColumn$", showEl: "${resolverType == 'sql'}"} #entityAttributeResolver.entityAttributeResolverId.lastUpdatedColumn = # The last updated column type, e.g. timestamp, millisSince1970. If this is provided then the incremental provisioner will process people that have been recently updated # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.lastUpdatedColumn$", showEl: "${resolverType == 'sql'}", formElement: "dropdown", optionValues: ['timestamp', 'millisSince1970']"} #entityAttributeResolver.entityAttributeResolverId.lastUpdatedType = # LDAP configId for connection # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.sqlConfigId$", required: true, formElement: "dropdown", formElement: "dropdown", optionValuesFromClass: "edu.internet2.middleware.grouper.app.externalSystem.LdapGrouperExternalSystem", showEl: "${resolverType == 'ldap'}"} #entityAttributeResolver.entityAttributeResolverId.ldapConfigId = # Base DN for search # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.baseDn$", showEl: "${resolverType == 'ldap'}", required: true} #entityAttributeResolver.entityAttributeResolverId.baseDn = # Search scope, default is SUBTREE_SCOPE # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.searchScope$", showEl: "${resolverType == 'ldap'}", required: true, formElement: "dropdown", optionValues: ['ONELEVEL_SCOPE', ' SUBTREE_SCOPE']"} #entityAttributeResolver.entityAttributeResolverId.searchScope = # If there is more to the filter for all users or selected user than just the search attribute, then put that here. e.g. if you have a search attribute of employeeID, and you want the # filter to be (&(employeeID=12345678)(objectClass=person)) then you should fill in this value as: (objectClass=person) # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.searchScope$", showEl: "${resolverType == 'ldap'}"} #entityAttributeResolver.entityAttributeResolverId.filterPart = # Attributes to retrieve (multi-valued attributes will be stored in appropriate structure) # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.ldapAttributes$", showEl: "${resolverType == 'ldap'}", required: true} #entityAttributeResolver.entityAttributeResolverId.ldapAttributes = # LDAP matching / search attribute, this needs to be the same as the subject ID or subject identifier0 # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.subjectSearchMatchingAttribute$", showEl: "${resolverType == 'ldap'}", required: true} #entityAttributeResolver.entityAttributeResolverId.subjectSearchMatchingAttribute = # Grouper attribute that matches the record # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.grouperAttributeThatMatchesRow$", required: true, showEl: "${resolverType == 'ldap'}, formElement: "dropdown", optionValues: ['subjectId', 'subjectIdentifer0']"} #entityAttributeResolver.entityAttributeResolverId.grouperAttributeThatMatchesRecord = # If provided the incremental can poll for new records to process. e.g. the filter would be (openldap / edirectory) (modifyTimestamp>=20211119082103Z), or Active Directory: (modifyTimestamp>= 20211119163324.0Z) # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.lastUpdatedAttribute$", showEl: "${resolverType == 'ldap'"} #entityAttributeResolver.entityAttributeResolverId.lastUpdatedAttribute = # This is optional, if not selected it will select default 20211119082103Z for a non AD connection and activeDirectory 20211119163324.0Z for # an active directory connection (which is selected in the external system) # {valueType: "string", regex: "^entityAttributeResolver\\.([^.]+)\\.lastUpdatedAttribute$", showEl: "${resolverType == 'ldap'", formElement: "dropdown", optionValues: ['default', 'activeDirectory']"} #entityAttributeResolver.entityAttributeResolverId.ldapLastUpdatedFormat = |