
E-Groups to GMS Migration

In Q3 of 2025, GMS will take over as the primary source of group information. Groups will continue to be synchronised back to Egroups. You are welcome to migrate in advance, and we appreciate any feedback you can provide!

How to migrate

Find your group in https://groups-portal.web.cern.ch/ and change the Group Synchronisation Option to Primary.

Best practices

  1. Check the synchronisation type of any associated groups. Any other group included as a member or an admin of a group should be synchronised to Egroups to avoid inconsistencies: ensure its synchronisation type is not No Sync, and ideally is set to Primary.
  2. Applications can only be added to GMS primary groups. If you wish to include applications in your group admin group, ensure that it has sync type Primary.
  3. Avoid circular dependencies, e.g. an admin group being added as a member of the group. This is not supported by Egroups and may result in undefined behaviour.

Sync times

Creation in GMS

In this scenario the user creates a group at: https://groups-portal.web.cern.ch/

The table below shows the sync time for each type of application.

Application         Sync time (maximum)
E-group             30-60 minutes
Active Directory    10-(?) minutes *
SSO Token           15 minutes **

Creation in E-groups

In this scenario the user creates an E-group at: https://e-groups.cern.ch/

The table below shows the sync time for each type of application.

Application         Sync time (maximum)
GMS                 20-60 minutes
Active Directory    10-(?) minutes *
SSO Token           GMS sync + 15 minutes **

  • * The sync to Active Directory is indeterminate and depends on the sync queue and group size. It usually takes ~10 minutes but can take much longer.
  • ** This is only for recursive group memberships; flat group membership will appear instantly in the token.

Note: This includes the sync time for both static and dynamic groups.

Implementation note: Upper to Lower Case Conversion

Currently, in E-Groups it's possible to create a group with a mixed-case name, e.g. aaAAaa-AAaaAA.

In GMS, only lowercase characters are allowed, so any newly added group, whether created directly in GMS or synced from E-Groups, is intentionally converted to fully lowercase. The purpose of this convention is to add an extra layer of safety to our database entries.

Possible issues

The behaviour described above has presented drawbacks for some of our users. If a system aggregates data from both GMS and LDAP sources, this will result in naming inconsistencies.

Solution

We advise users who develop systems that rely on the above mechanism to implement a case-insensitive comparison. This way each system is prepared to handle this convention, comparing only the name itself and ignoring case.
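
One way to apply this advice when merging group data from GMS and LDAP before an authorisation check (an added example, not code from the GMS project). The function names, the data layout and the sample groups and accounts are assumptions made for illustration; member names are compared as-is.

```python
from collections import defaultdict

def canonical(name: str) -> str:
    """Canonical form of a group name: trimmed and case-folded.
    GMS stores names in lowercase, so this matches the GMS spelling."""
    return name.strip().casefold()

def merge_memberships(gms: dict, ldap: dict):
    """Merge {group_name: members} maps from two sources (hypothetical layout).

    Returns (merged, spellings): merged maps canonical name -> set of members,
    spellings maps canonical name -> every spelling seen, for audit logs."""
    merged = defaultdict(set)
    spellings = defaultdict(set)
    for source in (gms, ldap):
        for name, members in source.items():
            key = canonical(name)
            merged[key].update(members)
            spellings[key].add(name)
    return dict(merged), dict(spellings)

def is_member(user: str, required_group: str, merged: dict) -> bool:
    """Authorisation check that ignores the case of the group name."""
    return user in merged.get(canonical(required_group), set())

# Constructed sample data (not real groups or accounts).
GMS_GROUPS = {"aaaaaa-aaaaaa": {"alice", "bob"}}
LDAP_GROUPS = {"aaAAaa-AAaaAA": {"bob", "carol"}, "Other-Group": {"dave"}}

if __name__ == "__main__":
    merged, spellings = merge_memberships(GMS_GROUPS, LDAP_GROUPS)
    for key in sorted(merged):
        # One entry per group, however each source spelled it.
        print(key, sorted(merged[key]), sorted(spellings[key]))
    print(is_member("carol", "AAAAAA-aaaaaa", merged))
```

Keying on the canonical name means a group configured in an access rule with its E-Groups spelling still matches the lowercase name delivered by GMS, rather than silently failing the check.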