Skip to main content

Grouper

Fischer's Grouper connector supports exporting and importing Groups and Roles on a Grouper system.

Functionalities

Provisioning Integration

Supported Features


Data Format

Export

Create

Modify

Delete

Trigger
Group

Yes

 Yes

Yes

 Yes Yes
Role

Yes

 Yes

Yes

 Yes Yes


Prerequisites


Ensure that these prerequisites are satisfied:

  • Grouper version 2.1.5 or later is installed, configured, and running.

  • An administrator account that can be used to establish a connection and has authority to manage Groups and Roles on the connected system.


Creating the Connected System in the Admin UI

  1. Log in to Identity Administration and click the Systems tab.

  2. On the Connected System View page, click the Add button and select the Grouper connected system from the Type drop-down list. The Connected System Details page displays the default values:

  3. Enter the desired information:

    Definition  Description

    Supported Connectors

    		 Displays whether the connected system is Identity only, Provisioning only, or both.
    Type Select the connected system type.

    Locale

    		 Select the preferred language (default: English). Locale specific information such as Display Name and Description can be added only while modifying the connected system.
    Name The name for this connected system. Note: The name cannot be modified later.
    Display Name The display name of the new connected system.
    Description The description of the connected system.

    Associated With 

    Select how the connector associated with this system will run:

    • Server (default) - Runs locally on the Provisioning/Identity Server.
    • Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.
    • See Using the Global Identity Gateway with Connected Systems for additional information.
    Provisioning Option Select the provisioning option:
    • Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
    • Administrative - The connected system cannot be used as an object in a workflow.
    Enable HPAM Support 

    		 Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
    Enable Transfer of Accounts When selected, administrators are enabling the option to allow OBO users to transfer accounts to separate Identity.
    Connection Information 

    Host 

    		 The IP address or host name of the server (e.g., 10.102.200.20 or localhost).

    Port 

    		 The port number.

    Web Service Context 

    		 The URL context of Grouper Web service. 

    Service Account Name 

    		 The administrative user account.
    Service Account Password The administrative user password.

    Use Secure Connection

    		 Specifies SSL protection. This is required in a production environment, as both administrative and user passwords are transmitted in plain text.
    Note: This connector uses the Java keystore for SSL communication with the system. See the guide Configuring SSL for additional information about enabling SSL.

    Connection Timeout 

    		 The maximum number of seconds to wait for the Web Service to respond before the connection attempt times-out. 0 means no time out.
    System Owner 

    		 Add or Remove users assigned as the owners of the system. Displays the Connected System Owner Search page for selecting users. The HPAM column indicates whether the system owner is authorized to use the HPAM feature. The Approvers column indicates whether the system owner is an approver in the approval process.

  4. Click the Test Connection button to test the Connection Information:

    • If successful, one or both of these messages may display:

    Message: Connection from Provisioning to the connected system was established successfully.

    • If unsuccessful, one or both of these messages may display:

    Error: Failed to establish connection from Provisioning to the connected system.

    Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.

  5. (Optional) To select owners of the system, click the System Owner Add button. The Connected System Owner Search page displays:


    1. Select the owners and then click the Select button. The system owner displays under the System Owner section:


      Note: More than one user can be assigned as an owner.

    2. To add additional system owners, click the Add button.

  6. On the Connected System Details page, click the Add button to save the configured connected system. The Object Category Association page displays a list of categories that are already associated and/or can be selected to add additional associations to this connected system:


    1. Select one or more available object categories or provide search criteria and click the Search button to find specific categories to select. If there are no available categories to select, proceed to Step 7.

    2. Click the Add Association button to associate the selected object categories to the connected system.

  7. Click the Back button to return to the Connected System View page. The new connected system displays in the list.

See Copying, Modifying, and Deleting Connected Systems for additional information.

Creating the Connected System in the Studio

  1. Log in to the Workflow and Connectivity Studio and click Connectivity ► Add Systems on the menu bar. The Add Connected Systems window displays.

  2. Select the Grouper connected system from the Type drop-down list. The default values display:


  3. Enter the desired information:

    Definition 
    Type Select the connected system type.
    Name  The name for this connected system. Note: The name cannot be modified later.
    Display Name  The display name of the new connected system.
    Description  The description of the connected system.
    Supported Connectors 

    		 Displays whether the connected system is Identity only, Provisioning only, or both. Only connectors that support Provisioning are available here.
    Associated With 

    		 Select how the connector associated with this system will run:
    • Server (default) - Runs locally on the Provisioning/Identity Server.
    • Global Identity Gateway - Runs remotely on a Global Identity Gateway cluster member. Note: Only GIG clusters that have at least one registered and enabled member will display in this list.

    See the Using the Global Identity Gateway with Connected Systems for additional information.

    Provisioning Option 

    Select the provisioning option:

    • Automated (default) - The connected system functions as a normal connected system; there are no restrictions.
    • Administrative - The connected system cannot be used as an object in a workflow.
    Enable HPAM Support 

    		 Select to make the connected system HPAM enabled (default: cleared). Note: This can only be set for systems that support Identity.
    Enable Transfer of Accounts When selected, administrators are enabling the option to allow OBO users to transfer accounts to separate Identity.
    Connection Information 

    Host 

    		 The IP address or host name of the server (e.g., 10.102.200.20 or localhost).

    Port 

    		 The port number.

    Web Service Context 

    		 The URL context of Grouper Web service. 
    Service Account Name 

    		 The name of the administrative user account used to connect to the server. The Select button displays the Select DN from LDAP Directory window to select the DN value.
    Service Account Password  The administrative user password.

    Use HTTPS 

    		 Specifies SSL protection. This is required in a production environment, as both administrative and user passwords are transmitted in plain text.
    Note: This connector uses the Java keystore for SSL communication with the system. See the guide Configuring SSL for additional information about enabling SSL.

    Connection Timeout 

    		 The maximum number of seconds to wait for the Web Service to respond before the connection attempt times-out. 0 means no time out.

  4. Click the Connect button to test the Connection Information:

    • If successful, this message displays:

    Connection from Studio to the connected system was established successfully.

    • If unsuccessful, this message displays:

    Failed to establish connection from Studio to the connected system.

    Note: If the connection fails, additional messages may display providing more information regarding the failure, and additional information may be posted to the Provisioning and Identity logs.


  5. Click the Apply button to apply changes. The Category Association window displays.


    1. Select one or more object categories from the Available Categories list or enter a category name and click the Search button to find a specific category to select. If there are no available categories to select, proceed to Step 6.

    2. Click the Add button to associate the selected object categories to the connected system.

  6. Click OK to accept selected categories.

See Copying, Modifying, and Deleting Connected Systems for additional information.

Using the Connected System for Provisioning


Perform these procedures to configure the connector:

  • "Configuring for Export" 

  • "Configuring for Import" 

  • "Connector Details for Provisioning"

  • "Lookup Data" 

Note: If the number of records to be processed exceeds one thousand, we recommend configuring the workflow to use bulk mode, which lowers the memory consumption of the system by streaming data to files. Because data is streamed for every task, the performance of the workflow execution will be decreased due to increased read-write operations. See the Workflow and Connectivity Studio document for details on how to configure bulk mode.

Configuring for Export


Perform these procedures to configure the connector for data export:

  • "Configuring the Export Connector"
  • "Configuring the Export Link" 

From the Workflow and Connectivity Studio, select the Grouper GroupExport workflow listed under the projects folder.

If a workflow does not already exist, create an export workflow. See  Workflow and Connectivity Studio documentation for details on creating export workflows.

Configuring the Export Connector

  1. In the Design pane, double-click the export object (the first workflow object after the Start object). The Configure Data Source window displays:


  2. From the Configure Plug-in tab, set these properties as required:


    Associated Connected System Select the connected system from the list. The export operation will be done from this connected system.
    Data Formats  Select the type of data format to use: Profiles (default) or ChangeLog.
    DeltaExportMode

    Select the type of attribute to export if a change takes place (this works in conjunction with ExportMode when DeltaExport is selected):

    • OnlyChangedAttributes - Performs a partial export of only the changed attributes from the last time the query was run.
    • ChangedAndMandatoryAttributes (default) - Performs a partial export of both changed and mandatory attributes from the last time the query was run. Mandatory attributes are exported whether they have been changed or not.
    • AllAttributes - Performs a full export of all attributes that contain a value.
    DynamicConnectedSystem

    		 Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
    DynamicConnectedSystemOption 
    		 Select how to control Dynamic System Support (DSS):
    • None - There will not be any Dynamic System Support.
    • Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
    • GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.

    ExportGroupByIDPath

    		Option to fetch details of a group by providing group IDPath.

    ExportMode

    Select the type of data to export:

    • FullExport - Exports all attributes.
    • DeltaExport - Exports changed, mandatory, or all attributes, depending on the DeltaExportMode property setting.

    Filter 

    		 Filter that is used while exporting entries from Grouper Use the Set Filter button that becomes active to create a filter (see "Set Filter" below).

    FoldSubRecords

    		If this property is TRUE, sub records will be folded and returned as attributes.

    MaxResults

    		 Maximum number of results to be returned. If this property has a value 0, all entries matching the search criteria are returned. This property can only be configured/used when ExportMode is FullExport.

    ResultsPerPage

    		 The number of entries fetched in a single call. Specify 0 for this property if paging is not required.

    Scope

    Determines the level, below the ExportFolder where entries reside, to be included in the Export List. Scope can be one of the following values:

    • OneLevel: Search for entries in one level beneath the Folder entry specified by ExportFolder.
    • AllLevels: Search for entries in all levels beneath the Folder specified by ExportFolder.

    SourceFolderIDPath

    		Specify the folder IDPath from which entries are to be exported. For example qsuob:su. This can be empty or set: to fetch entries from root folder.

    Note: Hover the pointer over a property to view its description.

    Set Filter

    Setting the filter is a means to narrow the search scope and return specific results:


    Element Description

    Attribute

    		 Select the attribute of the filter. This represents the attribute name for searching the Grouper directory.

    Comparison

    		Select the operator value for this filter.

    Value

    		 Enter the required result value.

    AND Condition List

    		Creates an AND statement comparing selected conditions. If there is more than one condition in this list box, all conditions must be true.

    OR Condition List

    		Creates an OR statement comparing selected conditions. If there is more than one condition in this list box, one of the conditions must be true.

    Filter Syntax

    		Displays the filter syntax used to retrieve entries from the LDAP directory and to build the export list.

    Edit Filter Manually

    		Check this box to manually edit the filter in the Filter Syntax to build complex filters.

    Notes:

    • Filtering is allowed only on limited attributes and only Equals and Approximately Equal to conditions are supported.
    • Grouper does not support paging when filter is specified.

  3. (Optional) Select the Attributes tab. Only standard attributes display:



    Modify schema attributes using these buttons.

    Add  Adds additional attributes to the list. The Add New Attribute dialog displays.
    Export  Exports the schema list to an XML file.
    Import Imports the schema list from an XML file.
    Refresh Schema  Dynamically discovers the schema from the target LDAP system. It also includes local as well as global attributes added in the Studio.
    Reset Schema  Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variable added.
  4. Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.

  5. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

  6. In the Design pane, double-click the export link between the export object (the first workflow object after the Start object) and the Data Mapper object. The Configure Link window displays:


    Description
    Source Attributes  Select the attributes to export.
    Selected Attributes 

    		 Displays default attributes and those attributes that have been selected from the Source Attributes. 
    Notes: The check boxes are used only for delta export operations. These checked attributes will always be exported whether they were changed or not. Usually, the attributes that are selected as mandatory attributes help in identifying or verifying an entry when completing mapping functions.
    Format Displays the Format Date window to specify a date/time format to be applied to the selected date type attribute, for example, whenChanged. During export, the attribute’s value is converted to the specified format. See the Format Date steps below for additional information.
    Notes:
    • The Format button is only enabled for date attributes.
    • The Refresh Schema button on the Configure Data Source window’s Attributes tab must be used to refresh the schema and enable the Format button for date attributes.
    Advanced Settings  Displays the Configure Attributes window for configuring advanced settings for attributes. 
  7. From the Attribute Selection tab, select attributes to export.

  8. (Optional) Click the Format button to specify a date/time format to be applied to the selected date type attribute. The Format Date window displays.

    1. Select the Include Time check box to add the timestamp with the date.
    2. Select the 24 Hour or 12 Hour option button and then select the required date/time format.
    3. Click OK to save the selected format. The Configure Link window displays.
  9. (Optional) Select the Appearance tab to change how the link displays in the Design pane.

  10. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

  11. Deploy the workflow by selecting Deploy ► New Deployment. See the Workflow and Connectivity Studio documentation for details of deployment options.

  12. Manage and run the deployed workflow from the Admin UI ► Server tab. See the Identity Suite Administration documentation for details.

Configuring for Import


Perform these procedures to configure the connector for data import:

  • Configuring the Import Connector
  • Configuring the Import Link

From the Workflow and Connectivity Studio, select the Grouper GroupAdd, GroupModify, or GroupDelete workflow listed under the projects folder.

If a workflow does not already exist, create an import workflow. See the Workflow and Connectivity Studio documentation for details on creating import workflows.

Configuring the Import Connector

  1. In the Design pane, double-click the import object (the last workflow object). The Configure Data Source window displays:


  2. From the Configure Plug-in tab, set these properties as required:

    Associated Connected System Select the connected system from the list. The import operation will be done to this connected system. 
    Data Formats  Select the type of data format to use: Profiles (default) or ChangeLog.
    CreateIfParentFolderDoesNotExist If this property is set to TRUE, parent folder will be created during group creation if it does not exists.
    DynamicConnectedSystem

    		 Select the global variable to use as the dynamic connected system name. This works in conjunction with DynamicConnectedSystemOption when GlobalVariable is selected.
    DynamicConnectedSystemOption Select how to control Dynamic System Support (DSS):
    • None - There will not be any Dynamic System Support.
    • Transaction-SystemName - The value of the Transaction-SystemName attribute in data will be used as the dynamic connected system. The connected system name must be passed as the value of the attribute Transaction-SystemName; if it is missing in data, the operation will fail.
    • GlobalVariable - Select a global variable to use as the dynamic connected system name from the property DynamicConnectedSystem.

    See the Dynamic System Support appendix in the Workflow and Connectivity Studio document for additional information.

    SubRecordsInFoldedState

    		If this property is TRUE, the connector will accept sub records folded as attribute.

    Notes: Hover the pointer over a property to view its description.

  3. (Optional) Select the Attributes tab. Only standard attributes display:



    Modify schema attributes using these buttons:

    Add Adds additional attributes to the list. The Add New Attribute dialog displays.

    Export

    		 Exports the schema list to an XML file.

    Import 

    		 Imports the schema list from an XML file.

    Refresh Schema 

    		 Dynamically discovers the schema from the connected system. It also includes local as well as global attributes added in the Studio.

    Reset Schema 

    		 Resets the schema definition to the default schema prepackaged with the IdM Suite, plus any global variable added.

  4. Optional) Select the Appearance tab to change how the Connected System object displays in the Design pane.

  5. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

  6. In the Design pane, double-click the import link between the Data Mapper object and the import object (the last workflow object). The Configure Link window displays:



    Source Attributes  Select the attributes to import.

    Check for attribute-level auditing.

    		 If auditing is enabled and these attributes below are checked, Provisioning will log all events for auditing purposes. 
    Selected Attributes 

    		 Displays default attributes and those attributes that have been selected from the Source Attributes. Note: The default attributes are those that are commonly used to create a new user.
    Advanced Settings 

    		 Displays the Configure Attributes window for configuring advanced settings for attributes. Under the Encrypted column, check the box of any attribute that needs to be encrypted.
    Under the Diff With Target column, check the box of any attribute to update using differencing (DiffWithTarget, AddDiffWithTarget, and RemoveDiffWithTarget).

    Audit Key 

    		 Select the attribute to associate with the Audit Key.

  7. From the Attribute Selection tab, select attributes to import.

  8. (Optional) Select the Appearance tab to change how the link displays in the Design pane.

  9. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

  10. Deploy the workflow by selecting Deploy ► New Deployment
    See the Workflow and Connectivity Studio  for details of deployment options.

  11. Manage and run the deployed workflow from the Admin UI ► Server tab
    See the Identity Suite Administration documentation for details.

Connector Details for Provisioning

Grouper Connector Attributes

 The items in the  Create, Modify columns have these meanings:

  • Y = Yes (attribute is supported for this operation)
  • N = No (attribute is not supported for this operation)
  • R = Required (attribute is mandatory for this operation)


Notes:

  • The attributes which contains '->' in name are multi-level attributes. Multi-level attributes can be repeated as a set.
  • All Group and Role attributes can be exported.
  • While modifying/deleting an existing group, the IDPath attribute is case sensitive.
  • For group membership modification/delete, Member->ID and Member->SourceId attributes are case sensitive.
  • For group privilege modification/delete, PrivilegedEntity->ID, PrivilegedEntity->SourceId and PrivilegedEntity->Name attributes are case sensitive.
  • While modifying/deleting custom attributes, the CustomAttribute->Name attribute is case sensitive.
  • For role permission modification/delete, Permission->Name attribute is case sensitive.

Atlassian JIRA Connector Attributes

Name

 MV

Create

 Modify Delete Description
Group Data Format
ID Path N R R R ID Path of the Group.

Original_IDPath

 N N Y N Current ID Path used for rename.
ID N N N N ID of the Group.
Name N Y Y Y Name of the Group.
Path N N N N Path of the Group.
UUID N N N N UUID of the Group.
Description N Y Y Y Description.
GroupType Y Y Y Y Types for the group (i.e.  grouperLoader, teaching, mailingList etc.).
CreateSubjectId N N N N Created user ID.
CreateTime N N N N Created time.
Composite.IsComposite N Y Y N Is the group Composite.
Composite.IsCompositeFactor N N N N Is the group used as a Composite Factor.
Composite.Type N Y Y Y

Type of Composite.
Possible values are union, intersection and complement.
Composite.LeftGroup N Y Y Y ID path of the left group while creating composite group.
Composite.RightGroup N Y Y Y ID path of the right group while creating composite group.
ModifySource N N N N Modified user source.
ModifySubjectId N N N N Modified user ID.
ModifyTime N N N N Modified time.
Attribute->Name N Y Y Y Name of the attribute.
Attribute->Value N Y Y Y Value of the attribute.
Member->Enabled N Y Y Y Member is Enabled.
Member->EndDate N Y Y Y

Membership End Date.
Date has to be provided in the format: yyyy/MM/dd HH:mm:ss.SSS
Member->ID N Y Y Y Member ID.
Member->ListName
N N N Name of the list corresponding to which this is a member.  It will be members list for normal members. Other member list are approvers, mailers etc.
Member->Name N N N N Member Name.
Member->MembershipType N N N N Membership Type.
Member->SourceId N Y Y Y Member Source ID.
Member->StartDate N Y Y Y

Membership Start Date.
Date has to be provided in the format: yyyy/MM/dd HH:mm:ss.SSS
PrivilegedEntity->Allowed N N N N Allowed Privilege.
PrivilegedEntity->ID N Y Y Y Entity ID.
PrivilegedEntity->Name N N N N Entity Name.
PrivilegedEntity->Privileges N Y Y Y Privileges names. Possible values are admin, update, read, view, optin and  optout. We can specify multiple values comma separated.
PrivilegedEntity->Revokable N N N N Privilege is Revokable.
PrivilegedEntity->SourceId N Y Y Y Entity Source ID.
PrivilegedEntity->Type N Y Y Y Privilege Type.
CustomAttribute->Definition N N N N Attribute Definition.
CustomAttribute->Enabled N N N N Attribute is Enabled.
CustomAttribute->Name N Y Y Y Attribute Name.
CustomAttribute->Type N N N N Attribute Type.
CustomAttribute->Value Y Y Y Y Attribute Value.
Role Data Format
IDPath N R R R ID Path of the Role.
Original_IDPath N N Y N Current ID Path used for rename.
ID N N N N ID of the Role.
Name N Y Y Y Name of the Role.
Path N N N N Path of the Role.
UUID N N N N UUID of the Role.
Description N Y Y Y Description.
GroupType Y Y Y Y

Types for the role.
i.e. grouperLoader, teaching, mailingList etc.
CreateSubjectId N N N N Created user ID.
CreateTime N N N N Created time.
Composite.IsComposite N Y Y N Is the role Composite.
Composite.IsCompositeFactor N N N N Is the role used as a Composite Factor.
Composite.Type N Y Y Y

Type of Composite.
Possible values are union, intersection and complement.
Composite.LeftGroup N Y Y Y ID path of the left group while creating composite group.
Composite.RightGroup N Y Y Y ID path of the right group while creating composite group.
ModifySource N N N N Modified user source.
ModifySubjectId N N N N Modified user ID.
ModifyTime N N N N Modified time.
Attribute->Name N Y Y Y Name of the attribute.
Attribute->Value N Y Y Y Value of the attribute.
Member->Enabled N Y Y Y Member is Enabled.
Member->EndDate N Y Y Y

Membership End Date.
Date has to be provided in the format: yyyy/MM/dd HH:mm:ss.SSS
Member->ID N N N N Member ID.
Member->ListName
N N N Name of the list corresponding to which this is a member.  It will be members list for normal members. Other member list are approvers, mailers etc.
Member->Name N N N N Member Name.
Member->MembershipType N N N N Membership Type.
Member->SourceId N Y Y Y Member Source ID.
Member->StartDate N Y Y Y

Membership Start Date.
Date has to be provided in the format: yyyy/MM/dd HH:mm:ss.SSS
PrivilegedEntity->Allowed N N N N Allowed Privilege.
PrivilegedEntity->ID N Y Y Y Entity ID.
PrivilegedEntity->Name N N N N Entity Name.
PrivilegedEntity->Privileges N Y Y Y Privileges names. Possible values are admin, update, read, view, optin and  optout. We can specify multiple values comma separated.
PrivilegedEntity->Revokable N N N N Privilege is Revokable.
PrivilegedEntity->Source N Y Y Y Entity Source.
PrivilegedEntity->Type N Y Y Y Privilege Type.
CustomAttribute->Definition N N N N Attribute Definition.
CustomAttribute->Enabled N N N N Attribute is Enabled.
CustomAttribute->Name N Y Y Y Attribute Name.
CustomAttribute->Type N N N N Attribute Type.
CustomAttribute->Value Y Y Y Y Attribute Value.
Permission->Action N Y Y Y Permission Action. If there are multiple actions for permission, the settings will be repeated for each action.
Permission->Definition N N N N Permission Definition.
Permission->Enabled N N N N Permission is Enabled.
Permission ->EndDate N Y Y Y

Permission End Date.
Date has to be provided in the format: yyyy/MM/dd HH:mm:ss.SSS
Permission->Name N Y Y Y Permission Name.
Permission ->StartDate N Y Y Y Permission Start Date. Date has to be provided in the format: yyyy/MM/dd HH:mm:ss.SSS

Lookup Data

To filter data, use the Data Mapper rule Lookup Data

  1. Log in to the Workflow and Connectivity Studio and double-click the Data Mapper object on the Design pane. The Configure Data Mapper window displays.

  2. Select the Lookup Data rule under the Mapping Rule column and then click the Source Value
    The Configure Lookup window displays.

  3. Select the Grouper System from the Select System drop-down list:


  4. In the Enter Lookup Prefix field, enter the prefix to be added to the Lookup fields.

  5. Select the Lookup Type from the drop-down list, for example, Group By ID Path


  6. Click the ID Path Pick button. The Select Data Elements  dialog displays:

    Select Data Type

    		 Select one of these input attribute option buttons: Variables or Literal.

    View

    		 These options filter the list of attributes displayed.

    Attributes

    		 Check this box to list attributes.

    Lookup

    		 Check this box to list lookup attributes.

    Function 

    		 Check this box to list functions.

    Variables

    		 Check this box to list variables: Built-in, System, Temporary, Persistent, and Global.

    Manage Variables

    New 

    		 Adds a new temporary variable.

    Edit

    		 Modifies the selected temporary variable.

    Delete

    		 Deletes the selected temporary variable.
    Set Data Index

    Value 

    		 Index For a multi-valued attribute, it takes the first value. If other values need to be taken, set this value (default: 1 [not displayed]).

    Entry 

    		 Index Select the attribute from a multi-entry record. If set to more than 1, the value is taken from that entry (default:1 [not displayed]).

  7. Select the ID Path input attributes and then click OK when finished.

  8. Click the FieldsPick button to select the attributes to be fetched after a successful lookup. The Lookup Configuration dialog displays:



    1. Select the attribute(s) from the Selected Attributes list that require a date and/or time format and click the Format button. The Format Date window displays.

    2. Select the Include Time check box to use a date and time format. Select the required date/time format for your target database.

  9. Click OK. The updated Configure Lookup window displays, for example:



  10. Select the Exit as Mapper Task Failed on Lookup Failure check box to exit the task with Failed status on lookup failure. It will not process the succeeding entries and will ignore the already processed entries and will not return any data. This is selected by default.

  11. Click OK.

Configuring Triggers

Perform these procedures to create a trigger:

  • "Prerequisites" 

  • "Trigger Setup Details" 

  • "Trigger Events"

  • "Creating a Trigger" 

  • "Configuring a Trigger Agent" 

  • "Configuring a Trigger Link" 

Prerequisites

Ensure that these prerequisites are satisfied:

  • Grouper version 2.1.5 or later is installed, configured, and running.

  • An administrator account that can be used to establish a connection and has authority to manage Groups and Roles on the connected system.

Trigger Setup Details

Notes:
In this section

  • <GrouperHome> specifies the location where Grouper is installed.
  • While specifying folder names we should use Grouper version. For example: grouper.apiBinary-2.1.4 (this will be shown as grouper.apiBinary-x.x.x).

  1. Make sure that change log is enabled in Grouper. This is enabled by default. This is in the property file <GrouperHome>\grouper.apiBinary-x.x.x\conf\grouper.properties and name of the property is changeLog.enabled.

  2. Make sure that the process which copies data from the temp table to the change log table is enabled. This is also enabled by default. This is in the property file
    <GrouperHome>\grouper.apiBinary-x.x.x\conf\grouper-loader.properties and name of the property is changeLog.changeLogTempToChangeLog.enable.


  3. Copy the trigger callback zip GrouperTrigger.zip from the resource folder in release CD. Extract the contents of this zip to some folder.

  4. Copy the jar groupertriggercallback.jar from the extracted location to <GrouperHome>\grouper.apiBinary-x.x.x\lib\custom.

  5. Open grouper-loader_Addendum.properties from the extracted location and modify the property changeLog.consumer.fisc.callbackFolder to point the location where the contents of the GrouperTrigger.zip are extracted. Make sure that the file trigger.properties is available in that location. Copy the contents of grouper-loader_Addendum.properties and paste it at the bottom of the file <GrouperHome>\grouper.apiBinary-x.x.x\conf\grouper-loader.properties.

  6. Open trigger.properties from the location where the contents of the GrouperTrigger.zip are extracted. We have to modify TriggerCallBackServerAddress and TriggerCallBackServerType to point the server. We have to set the properties TriggerName and TriggerOrgID to values corresponding to Grouper trigger. Verify the properties FoldSubRecords, MergeChangesForAnEntry and TriggerAttributes to check whether the default setting is enough for the trigger. Modify the properties LogFilePath, DataFilePath and TruststorePath to point the corresponding locations under the extracted folder.

    Following are the properties used in Grouper trigger callback.

    TriggerCallBackServerAddress Specifies the host and port for the Provisioning Server or Provisioning GIG. We can specify comma separated values to support multiple addresses.
    TriggerCallBackServerType This property specifies whether the target callback server is Provisioning server or GIG. Set the value to Provisioning when target server is Provisioning and GIG when target is GIG.
    TriggerName Specifies the name of the trigger and this is used to generate the trigger key while sending change notifications to the target server.
    TriggerOrgID Specify the Organization ID for which the trigger is created and is used to generate the trigger key while sending change notifications to the target server.
    FoldSubRecords Use this property to specify whether the multi-level attributes are to be folded or not. If this is true, all sub records will be folded and returned as attributes.
    MergeChangesForAnEntry  This property specifies whether to merge changes of similar types for an entry. Only changes with same change type and modify type are merged. For example, if two members are added to a group, each will have separate change log entry. If this property is true, both member changes will be merged to a single entry.
    TriggerAttributes Specifies the attributes we are interested in. This is used only to decide whether any particular event is to be notified or not. For example, Group membership changes are triggered only when at least one Member-> attribute is in the list. If this property is not set, all events will be triggered.
    NotifyChangesOfMultipleEntriesTogether Use this property to specify whether to send changes to multiple entries together. Grouper change log processor is executed between certain intervals. If this property is true, all changes happened within an interval is merged and notified together in a single call. The data send will have multiple entries when this property is true.
    LogFilePath Specifies the location of the log file.
    DataFilePath The location of the data file.
    TruststorePath Specifies the location of the trust store file.
  7. Open a command window and navigate to the directory <GrouperHome>\grouper.apiBinary-x.x.x\bin. Run the command gsh –loader to run the loader.

Trigger Events

Following trigger events are supported.

  • Add Group/Role
  • Modify Group/Role
  • Assign/Un-assign Group Types for Group/Role
  • Delete Group/Role
  • Add Member to Group/Role
  • Delete Member from Group/Role
  • Assign Privilege in Group/Role
  • Un-assign Privilege in Group/Role
  • Assign/Un-assign Attribute to Group/Role
  • Assign/Un-assign Permission to Role

Creating a Trigger

Note: Ensure that you have completed all Prerequisites and Trigger Setup Details, before proceeding.

  1. From the Workflow and Connectivity Studio menu bar, click File ► New Trigger ► Grouper Trigger. The Create a New Trigger window displays.

  2. Enter a trigger name in the Name field.

  3. Click the Browse button to select a directory other than the default displayed in the Directory field. The directory should be a child of the default location in order to have the trigger listed under the projects folder of the Workflow and Connectivity Studio.

  4. Select one of the available systems in the System field.
    Note: Only connected systems of the trigger type selected in Step 1. will be available. If there are no connected systems to select, then a Grouper provisioning connected system does not exist. This connected system must exist before creating a trigger.

  5. Enter descriptive text in the Description field and then click OK. A new trigger system object and link display in the Design pane.
    Note: The trigger must be fully configured before it can be saved and deployed. Continue with the sections below to complete configuring the trigger.

    Configuring a Trigger Agent

  6. In the Design pane, double-click the trigger system. The Configure Data Source window displays.
    Note: To modify an existing trigger, on the menu bar click View ► Triggers, and then select one of the Grouper triggers listed under the projects folder.


  7. (Optional) Select the Appearance tab to change how the Trigger system object displays in the Design pane.


  8. Click OK to save any changes and return to the Workflow and Connectivity Studio window.
    Note: A trigger cannot be saved until a trigger link has been configured.

  9. Double-click the link between the Start object and the Trigger system object. The Configure Link window displays.
    Note: To modify an existing trigger, on the menu bar click View ► Triggers, and then select one of the Grouper triggers listed under the projects folder.

    Source Attributes

    		Select the attributes to export.

    Selected Attributes

    Displays those attributes that have been selected from the Source Attributes.

    Note: Check boxes in this field set mandatory attributes. These checked attributes will always be exported whether they were changed or not.

    Advanced Settings

    		Displays the Configure Attributes window for selecting any attributes that need to be encrypted.

    Set Unique Key

    		Sets which attribute from the Selected Attributes will make the entry unique.

    Clear Unique Key

    		Removes the current unique key attribute selection. No unique key attribute is defined after selecting this option.

    Effective Date 

    Select these effective date options:

    • Set - Sets an attribute from the selected attributes to apply an effective date offset to control when the triggered data is run. A condition can be provided that determines when or if an effective date offset should be applied. Set a condition and effective date offset from the Effective Date tab.
    • Clear - Removes the selected attribute from being defined for effective date processing.
    • Format - Specifies a desired date/time format to be applied to the selected effective date field. Any field type can be selected to apply a date/time format to the effective date value.
  10. Select the attributes to be triggered from the Source Attributes.

  11. Click the Effective Date tab and then click the Add button. The Set Trigger Data Condition window displays.

    1. Set an Effective Date Offset value and specify a condition when it will be used:

      • For Triggers - All conditions specified here will be evaluated for each incoming data entry. The offset corresponding to the first condition that is satisfied will be applied to the date contained in the effective date attribute. An offset can be mapped to a condition that is specified as default. If none of the conditions in the list are satisfied, the offset corresponding to the default condition will be applied to the effective date.

      • For Chained workflows - From the Chained workflow Configure Data Source window, specify the attribute that should have an effective date condition and offset value applied. From the preceding Data Mapper, provide conditions and offset values to calculate the target effective date value and save this value to the effective date attribute as the target attribute.

    2. Click OK when finished.

  12. From the Target Workflow Selection tab, select the deployed workflow(s) to run when the trigger occurs, and then click the Add ► button.


    To remove a selected workflow from being run, highlight it under Selected Workflows and click the < Remove button.
    Notes:

    • If more than one workflow is selected, they are run in the order listed.
    • If workflows are deployed in Asynchronous mode, all workflows are run together.
    • If serialized execution of workflows is required, consider chaining them.
  13. Highlight a workflow from the Selected Workflows list and click the Set Condition button to set a condition before running workflows. The Set Lookup Condition window displays.

    1. Build a complex condition with logical AND/OR.

    2. Click OK to return to the Configure Link window.

  14. From the Lookup Workflow Selection tab, select the deployed workflow(s) to run when the trigger occurs, and then click the Add > button.
    To remove a selected workflow from being run, highlight it under Selected Workflows and click the ◄ Remove button.
    Notes: 
    • Lookup may be required to get additional attributes to run Target workflows. Lookup workflows run prior to Target workflows.
    • If more than one workflow is selected, they are run in the order listed.
    • Lookup workflows must be deployed in Synchronous mode; otherwise, lookup data may not be available before running Target workflows.


  15. Highlight a workflow from the Selected Workflows list and click the Set Condition button to set a condition before running Lookup workflows. The Set Lookup Condition window displays. Build a complex condition with logical AND/OR. Click OK to return to the Configure Link window.


  16. Click OK to save any changes and return to the Workflow and Connectivity Studio window.

  17. Save the trigger.

  18. Deploy the trigger by clicking the  (deploy) toolbar button. The Deploy Trigger window displays:


  19. Click the Deploy New button. The Deploy Trigger window displays:


  20. Click OK to deploy the trigger.

  21. Enable the trigger from the Server tab of the Admin UI.
    See the Identity Suite Administration documentation for details on enabling triggers.


Was this article helpful?