E-Groups to GMS transition
Groups management (GMS) is a subset of endpoints of the Authorization Service API. It provides a REST interface for querying and managing groups and their members, which can optionally be synchronised to and from E-Groups.
Facts
Currently, E-Groups allows a group to be created with a mixed-case name, e.g. aaAAaa-AAaaAA.
In GMS, only lowercase characters are allowed: any newly added group, whether created directly in GMS or synced from E-Groups, is intentionally converted to fully lowercase. The purpose of this convention is to add an extra layer of safety to our database entries.
Please note that some older groups were synced before this convention was enforced in GMS and were therefore not affected by this transition.
Possible issues
The state of our services described above has caused drawbacks for some of our users. If a system aggregates data from both GMS and LDAP sources, the result is inconsistent naming.
Solution
Our advice to users who develop such systems and need the above mechanism is to implement a case-insensitive comparison. That way each system is properly prepared to handle this convention, comparing only the name itself and ignoring case.
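One way to apply the case-insensitive comparison when merging group data from GMS and LDAP, as an added example that is not code from the Authorization Service. The function names and the sample groups are constructed for illustration, and `str.casefold` is an assumed choice of comparison key.

```python
from collections import defaultdict

# Constructed sample data: {group name: members} as each source might return it.
GMS_GROUPS = {"aaaaaa-aaaaaa": {"alice"}, "physics-ops": {"carol"}}
LDAP_GROUPS = {"aaAAaa-AAaaAA": {"alice", "bob"}, "physics-ops": {"carol"}}


def group_key(name: str) -> str:
    """Comparison key for a group name: surrounding whitespace removed, case folded."""
    return name.strip().casefold()


def merge_groups(*sources: dict[str, set[str]]):
    """Merge membership maps under the case-insensitive key.

    Returns (members_by_key, spellings_by_key); the second map records every
    original spelling seen, so differences between sources stay visible.
    """
    members, spellings = defaultdict(set), defaultdict(set)
    for source in sources:
        for name, users in source.items():
            key = group_key(name)
            members[key] |= users
            spellings[key].add(name)
    return dict(members), dict(spellings)


def is_member(members: dict[str, set[str]], user: str, group: str) -> bool:
    """Membership check that ignores the case of the requested group name."""
    return user in members.get(group_key(group), set())


def mixed_spellings(spellings: dict[str, set[str]]) -> dict[str, list[str]]:
    """Groups whose name arrived with more than one spelling."""
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}


if __name__ == "__main__":
    members, spellings = merge_groups(GMS_GROUPS, LDAP_GROUPS)
    print(is_member(members, "bob", "aaAAaa-AAaaAA"))
    print(mixed_spellings(spellings))
```

Keeping the original spellings alongside the folded key lets a system report which groups still differ between sources instead of silently treating them as separate groups.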
Sync times
Creation in GMS
In this scenario the user creates a group at: https://groups-portal.web.cern.ch/
The table below shows the sync time for each type of application.
Application | Sync time (maximum) |
---|---|
E-group | 30-60 minutes |
Active Directory | 10-(?) minutes * |
SSO Token | 15 minutes** |
Creation in E-groups
In this scenario the user creates an E-group at: https://e-groups.cern.ch/
The table below shows the sync time for each type of application.
Application | Sync time (maximum) |
---|---|
GMS | 20-60 minutes |
Active Directory | 10-(?) minutes * |
SSO Token | GMS sync + 15 minutes** |
* The sync to Active Directory is indeterminate and depends on the sync queue and group size. It usually takes ~10 minutes but can take much longer.
** This is only for recursive group memberships; flat group membership will appear instantly in the token.
Note: This includes the sync time for both static and dynamic groups.