See Also Grouper Provisioning Strategy
See Also Grouper SQL database provisioning
We will make a SQL provisioner in Grouper v2.5.
Configuration
Common config attributes for SQL are below.
| Config | Example | Description | Notes |
|---|---|---|---|
| class | edu.internet2.middleware.grouper.app.sqlProvisioning.SqlMembershipProvisioner | Class extends the base provisioner class | This class informs configuration decisions. Required. Read-only. |
| hasSubjectLink | true false | If the subject API is needed to resolve attribute on subject | required, drives requirements of other configurations. defaults to false. |
| hasTargetUserLink | true false | If subjects need to be resolved in the target before provisioning | defaults to false. required. |
| hasTargetGroupLink | true false | If groups need to be resolved in the target before provisioning | defaults to false. required. |
| subjectSourcesToProvision | pennperson | subject sources to provision | required. defaults to all except g:gsa, grouperExternal, g:isa, localEntities. comma separated list. checkboxes. |
| userTableName | users | table to query to lookup users | required if hasTargetUserLink |
| userSearchAttributeName | employee_id | column to filter on | required if hasTargetUserLink |
| userSearchAttributeValueFormat | ${subject.id} | value for the user search attribute name | required if hasTargetUserLink |
| membershipTableName | memberships | table where memberships go | required |
| membershipUserColumn | user_id | column in memberships table for user | required |
| membershipUserValueFormat | ${targetEntity.attributes['uid']} | value for the membership user value | required |
| membershipGroupColumn | group_id | column in memberships table for group | required |
| membershipGroupValueFormat | ${targetGroup.attributes['id']} | value for the membership group value | required |
| syncMemberToId2AttributeValueFormat | ${targetEntity.attributes['user_id']} | main identifier of the user on the target side | show = false |
| syncMemberToId3AttributeValueFormat | ${targetEntity.attributes['uid']} | identifier of the user as referred to by the membership | show = false |
| syncMemberFromId2AttributeValueFormat | ${targetEntity.attributes['netId']} | target attribute value that helps look up user | show = false |
| syncMemberFromId3AttributeValueFormat | ${subject.attributes['mySqlId']} | subject attribute value that helps look up user | show = false |
| syncGroupToId2AttributeValueFormat | ${targetGroup.attributes['group_id']} | main identifier of the group on the target side | show = false |
| syncGroupToId3AttributeValueFormat | ${targetEntity.attributes['gid']} | identifier of the group as referred to by the membership | show = false |
| syncGroupFromId2AttributeValueFormat | ${targetEntity.attributes['groupName']} | target attribute value that helps look up group | show = false |
| userSearchAttributes | user_id, name, email | columns to search when getting users | optional. show if hasTargetUserLink. |
| groupSearchAttributes | group_id, group_name | columns to search when getting groups | optional, show if hasTargetGroupLink |
| membershipSearchAttributes | group_id, user_id, membership_id | columns to search when getting memberships | optional |
| createMissingUsers | true or false | defaults false, optional. show if hasTargetUserLink | |
| createMissingGroups | true or false | defaults to true. show if hasTargetGroupLink | |
| groupSearchAttributeName | gid_number | column name to filter on | show if hasTargetGroupLink required |
| groupSearchAttributeValueFormat | ${syncGroup.groupIdIndex} | value to filter group on | show if hasTargetGroupLink required |
| groupSearchAttributes | cn,gidNumber,samAccountName,objectclass | attributes to get if searching for groups | optional show if hasTargetGroupLink |
| deleteGroupsInTargetIfInTargetAndNotGrouper | true or false | if groups in full sync should be deleted if in group all query and not in grouper or for attributes delete other attribute not provisioned by grouper | default to false |
| deleteGroupsInTargetIfDeletedInGrouper | true or false | if groups that were created in grouper were deleted should it be deleted in sql? or for attributes, delete attribute value if deleted in grouper | default to true |
| deleteMembershipsInTargetIfInTargetAndNotGrouper | if memberships in full sync should be deleted if in membership all query and not in grouper or for attributes delete other attribute not provisioned by grouper | default to false | |
| groupIdOfUsersToProvision | overall group of users to provision. uuid. If not specified, then provision users with any memberships | optional | |
| deleteUsersInTargetIfInTargetAndNotGrouper | if user in target and not in grouper then delete in target | default to false | |
| deleteUsersInTargetIfIDeletedInGrouper | if user in target and removed from grouper then delete in target | default to false | |
| membershipFields | members read,admin update,admin admin | if provisioning normal memberships or privileges | default to "members" for normal memberships |
| dbExternalSystemConfigId | warehouse | links to DB external system in grouper-loader.properties | required |
| userSearchQuery | select * from users where ... | if this is more complicated than just a simple select, put the query here | optional |
| groupSearchQuery | select * from groups where ... | if this is more complicated than just a simple select, put the query here | optional |
| membershipSearchQuery | select * from memberships where ... | if this is more complicated than just a simple select, put the query here | optional |
| groupCreationNumberOfAttributes | integer between 1 and 10 | required. show if createMissingGroups | |
| groupCreationTemplate_attr_[0-9] | group_id | the 0th attribute name | required if createMissingGroups |
| groupCreationLdifTemplate_val_[0-9] | ${syncMember.memberToId2} | the 0th attribute value | required if createMissingGroups |
| userCreationNumberOfAttributes | integer between 1 and 10 | required if createMissingUsers | |
| userCreationTemplate_attr_[0-9] | user_id | the 0th attribute name | required if createMissingUsers |
| userCreationTemplate_val_[0-9] | ${syncGroup.groupToId2} | the 0th attribute value | required if createMissingUsers |
| membershipCreationNumberOfAttributes | integer between 1 and 10 | required | |
| membershipCreationTemplate_attr_[0-9] | membership_id | the 0th attribute name | required |
| membershipCreationTemplate_val_[0-9] | ${syncMembership.membershipToId2} | he 0th attribute value | required |
Caching
Sync objects can cache information in SQL. Synced from full sync (if doesnt exist or if errors), incremental (if doesnt exist or if errors), and the nightly (scheduled) subject resolution daemon (full refresh)
| Object | Field | Cached data |
|---|---|---|
| gcGrouperSyncGroup | groupToId2 | group primary key |
| gcGrouperSyncGroup | groupToId3 | whatever column value the membership attribute refers to |
| gcGrouperSyncGroup | groupFromId2 | sql group object column value that looks up group |
| gcGrouperSyncMember | memberToId2 | user primary key |
| gcGrouperSyncMember | memberToId3 | whatever attribute value the membership column refers to users as |
| gcGrouperSyncMember | memberFromId2 | sql person object column value that looks up user |
| gcGrouperSyncMember | memberFromId3 | subject attribute value that helps look up user |