This is for a future v2.6 release


This is a suggestion for how user data could flow to Grouper in future state

The problem this is trying to solve

Change JEXL to "expression"

Previous state

Data field and row diagram

Example usages:

Setup data fields

There are some built in data fields

Setup data field rows

Setup LOVs (list of values)

Setup data field sources (aka entity resolvers)

The first configuration step is to set up entity resolvers

For users


Merge / match / split

A user search could trigger a query in a resolver for real time updates, though it would be better if users could be in Grouper when they exist so this is not necessary

Can use change log (LDIF, SQL, or messaging) to get data real time for all or certain users


All institutions are either

Data field resolver loads the data

Subject source

When data fields are referenced, also a two part process.  If a group (and user allowed to see), go to group table(s), if anything other than a group, then its the data field tables

If a subject is not found by identifier, search identifier history perhaps, then can be configured to reach out to certain sources

Will free-form searches go to grouper or also to source?  Perhaps configurable





In summary here is a metaphor... we used to have SQL credentials in multiple places, then we made an external system layer to re-use that.  This suggested is similar.  Have a data layer that can we re-used across things.  Includes real-time updates, security, and data manipulation configured centrally...  why?  if we want to be ABAC and data field-based, we need to organize our data fields


How to only load active people or people who change

Data field security (privacy level)

Subject security

Could have certain groups of subjects who are able to see certain other groups subjects.   We will need to get requirements for this and see how it fits in with the data field and data row security

Data model



Existing table can be stripped down since data is in the entity tables


Make sure identifiers.  (hopefully unique)

When subjects are looked up, it can be a two part process (instead of N-part for N subject sources).

  1. Look at groups in group table,
  2. Look at grouper local entities in group table (maybe move to entities table)
  3. Look at subjects (including GrouperSystem, users, apps, things) in the data_field tables based on data fields that are marked as identifiers
  4. Perhaps make external calls if configured

Unique index on data_field_id / subject_identifier_value tuple


List of privacy levels



Types of data fields for user or rows.  Note: a lot of this is configuration and not in this table, maybe we just need a table with id and system name to link to config and be used for foreign keys


Type of data field rows available for users.  Note: a lot of this is configuration and not in this table, maybe we just need a table with id and system name to link to config and be used for foreign key 


Which fields are in which rows


Type of data field rows available for metadata about data field.  Note: a lot of this is configuration and not in this table, maybe we just need a table with id and system name to link to config and be used for foreign key 


Which fields are in which rows

TODO we need values of LOVs


Assignment of a data field to an entity.   When data is synced to the data field tables it will need to do some matching and assign a new grouper_members row if existing not found


Events that happen to data fields to be processed by loaders/provisioners/etc.  Keep data for a week then delete


History of data field to entity


Assignment of a row of data to an entity


HIstory of assignment of a row of data to an entity


Assignment of a field to a row assignment


History of assignment of a field to a row assignment


Keep data field values here to reduce data redundancy


Cache these memberships so lookups are fast.  Cache this in memory too for long running processes.  The groups that are cached are... any groups that secure fields, any groups that secure rows, etc


Row level security for data
