since it's now available elsewhere

When a property change occurs to a Grouper group the change log consumer is asked to process all of them but should only act on ones that have been flagged for syncing to Google. The current coding does this check after it does an initial check to see if the Google group exists. It then steps out. So while nothing will get hurt by the current coding it is mis-leading when reading the logs.

Andy reported an issue where someone with admin privs was given the "manage" role while the provisioner config was set to update.

During discovery we also found that the Change Log Consumer wasn't setting the priv appropriately at all.

Currently the full sync has to be run externally of the Grouper Loader. It would be nice this could be scheduled via "cron" and invoked within the loader.

• split out bridging code to separate class (I need a good name for this class.)
• move the FullSync method to its class

This will leave the CLC class with just CLC specific code.

Currently in membership type changelogs, only the subjectId is logged. While useful to Grouper users, subjectName is more often referenced and meaningful to Google Admins and can save some steps when troubleshooting issues.

Currently:

Google Apps Consumer 'google' - Change log entry 'ChangeLogEntry[timestamp=2018-06-05 12:57:04.473,sequence=16034723,category=membership,actionName=addMembership,contextId=56a9fbb8cb1d4bc696b4811419da4d1b,id=e0cc914fc95d4b9a8c9ef9a6ad3158c6,fieldName=members,subjectId=777777,sourceId=uncg-person,membershipType=flattened,groupId=51f5863f44d24a4badc7156e43f4ab0d,groupName=uncg:apps:AAA_test:bushyTestGroup,memberId=afb3efc0fa2447d9b9440d386b6c4247,fieldId=daf3e08d291e464aa5feda14b7ff4e72,subjectIdentifier0=]'

Proposed:

Google Apps Consumer 'google' - Change log entry 'ChangeLogEntry[timestamp=2018-06-05 12:57:04.473,sequence=16034723,category=membership,actionName=addMembership,contextId=56a9fbb8cb1d4bc696b4811419da4d1b,id=e0cc914fc95d4b9a8c9ef9a6ad3158c6,fieldName=members,subjectId=396705,subjectName="John T Spartan",sourceId=uncg-person,membershipType=flattened,groupId=51f5863f44d24a4badc7156e43f4ab0d,groupName=uncg:apps:AAA_test:bushyTestGroup,memberId=afb3efc0fa2447d9b9440d386b6c4247,fieldId=daf3e08d291e464aa5feda14b7ff4e72,subjectIdentifier0=]'

The provisioner allows the Grouper admin to configure the advanced/extended Google Group settings only at the time of provisioning. It would be nice if those settings could be managed in Grouper using Grouper attributes assigned to a group.

Removing a user's grouper membership in in Grouper and then immediately re-adding the same user's membership for the same group fails for the Change Log Consumer:

Error processing membership add failed: com.google.api.client.googleapis.json.GoogleJsonResponseException: 409 Conflict
{
  "code" : 409,
  "errors" : [ {
    "domain" : "global",
    "message" : "Member already exists.",    "reason" : "duplicate"  } ],
  "message" : "Member already exists."
}

This is likely happening because Google hasn't committed the delete change throughout it's system when the CLC tries to re-add the membership, but eventually it catches up and the membership entry does go away.

In some users, managers may add extra users directly to the group that shouldn't be removed when doing a full sync.

Group should be removed if GoogleSync attribute is removed; groups should be added when Google Sync attribute is added.

The whoCanManage property is set to "update" in my configuration but when the member already exists in Google with "Member" role then in Grouper when this member gets the "update" privilege added and the changelog runs the role remains the same in Google.

Instead of running the first Change Log Consumer event, upon Grouper Loader start-up, it would be nice if a full sync could optionally be run.

The full sync is greedy and queries all Google Groups and compares them to Groupers target population. It then wants to remove/archive (nothing, if ignore is selected) all of the extraneous groups. This is fine if a Grouper is completely authoritative over Google Groups and a single provisioner is used, but does not probably work for most instance.

A filter is needed to match only groups that the provisioner "should" have created. For example filters in a specified prefix of "crs-" for courses or "clubs-" for on campus clubs, etc. A regex would be most flexible.