Jeffrey Crawford
1 minute ago
@mchyzer
yea, so pspng seems to evaluate all possible group names that are configured in the provisioner, we translate the names to a standard format and assign it to entitlement/role attributes, but when it does a full sync, if it finds an account with that attribute value that it knows Grouper is responsible. And if it finds an account with that value that is not in the group, it gets removed.
I can’t seem to get the ldap provisioner to do the same, unless we choose Delete memberships if not exist in Grouper But I think that one will remove all other values that Grouper doesn’t know about right?