One recurring problem with provisioners is that the cache still has information about the group or entity, even if they have been marked unprovisionable. This means it will still try to look them up during a sync, causing errors that shouldn't happen. Also, when a group is marked unprovisionable, the group and membership are left alone in the target until the group is deleted in Grouper. So this could bite somebody long in the future when they clean up a group that is not provisioned, and it deletes it from the target without any desire or expectation to.

I have advised customers to delete records directly in the sync tables to get around this.

E.g. this removes entities from the cache, and something similar could be for the group.

delete from grouper_sync_membership where id in (

select gsms.id /* gs.provisioner_name, gsg.group_name, gsm.subject_id, gsm.subject_identifier, gsms.id */

from grouper_sync gs

join grouper_sync_group gsg on gs.id = gsg.grouper_sync_id

join grouper_sync_member gsm on gs.id = gsm.grouper_sync_id

join grouper_sync_membership gsms on gsg.id = gsms.grouper_sync_group_id and gsm.id = gsms.grouper_sync_member_id

where gs.provisioner_name = 'edgrpprov' and group_name like 'provtest:%'

)