  1. Make sure the group(s) you want to add memberships to already exist. Automatic groups (such as members groups) cannot be used here.
  2. View the OIS configuration (i.e., use the Edit button, not the Configure button), and click Configure Group Mapping.
    1. In Registry versions prior to v3.1.0, the Configure Group Mapping button is available on the index page of Organizational Identity Sources.
    2. The OIS must be connected to a Pipeline for CO Group Memberships to be assigned.
  3. Add one or more mappings.
    1. Attribute: The attribute found in the Organizational Identity Source.
    2. Target Group: The group for which a membership will be created, when the Org Identity has an Attribute matching the specified Comparison and Pattern.
  4. At this point, if you search the Organizational Identity Source, any records matching the defined mappings will also show what CO Group memberships would be assigned if a CO Person record were created from or attached to this source record. However, an action triggering the Pipeline (as described above) must take place 

Storing Cached Source Records

When a record has been synced to Registry from the Organizational Identity Source, a cached copy is stored in the Organizational Identity Source Record so that Registry may detect when the source record has been updated. By default, this is a full copy of the record as returned to Registry from the backend (in whatever format is returned from the source, e.g., JSON, XML, etc.). This is also useful for tracing problems, as it is possible for an administrator to look at a cached copy of the data.

However, there may be privacy or data retention concerns that make storing a full copy less desirable for a given deployment. As an alternative, Registry can create a hash of the data to be stored instead. This can be enabled via the Hash Source Records configuration option.

When this configuration is changed, existing records are not affected. Furthermore, since the cached copy will no longer match the current source record, all records from the Source will be considered out of date the next time a sync is performed. It is best to determine the appropriate value for this setting prior to significant production usage.

An additional consideration when enabling Hash Source Records for privacy or data retention reasons is that older copies of the source records are maintained by Changelog Behavior. Enabling this setting and performing a full sync is not sufficient to remove all old records from the database; manual intervention is required. The following SQL is for general guidance and should not be used directly without first testing against a test server:

SQL> update cm_org_identity_source_records set source_record=md5(source_record) where org_identity_source_id=? and (deleted=true or org_identity_source_record_id is not null);
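
A dry run of the statement above against a throwaway database, in the spirit of testing it before use; this is an added example, not COmanage code. The schema is reduced to the columns the statement touches, the rows are constructed, SQLite stands in for the production database, and md5() is registered from Python because SQLite has none.

```python
import hashlib
import sqlite3

# The page's UPDATE, verbatim apart from the "SQL>" prompt.
PAGE_UPDATE = (
    "update cm_org_identity_source_records set source_record=md5(source_record) "
    "where org_identity_source_id=? and "
    "(deleted=true or org_identity_source_record_id is not null)"
)

def build_test_db():
    """In-memory stand-in for a test server (assumed, reduced schema)."""
    db = sqlite3.connect(":memory:")
    # SQLite has no md5(); register one so the statement runs unchanged.
    db.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    db.execute("""create table cm_org_identity_source_records (
        id integer primary key, org_identity_source_id integer,
        source_record text, deleted boolean,
        org_identity_source_record_id integer)""")
    rows = [  # constructed sample rows
        (1, 7, '{"uid":"alice","mail":"alice@example.org"}', 0, None),  # current
        (2, 7, '{"uid":"alice","mail":"old@example.org"}', 0, 1),  # archived copy of 1
        (3, 7, '{"uid":"bob"}', 1, None),                          # deleted
        (4, 8, '{"uid":"carol"}', 1, None),                        # other source
    ]
    db.executemany(
        "insert into cm_org_identity_source_records values (?,?,?,?,?)", rows)
    return db

def scrub(db, source_id):
    """Apply the page's UPDATE to one source; return the number of rows rewritten."""
    return db.execute(PAGE_UPDATE, (source_id,)).rowcount

def unhashed_ids(db, source_id):
    """IDs whose source_record is still not a 32-character hex digest."""
    cur = db.execute(
        "select id, source_record from cm_org_identity_source_records "
        "where org_identity_source_id=? order by id", (source_id,))
    hexdigits = set("0123456789abcdef")
    return [i for i, rec in cur
            if not (len(rec) == 32 and set(rec) <= hexdigits)]
```

On the sample rows the statement rewrites the archived and deleted rows of source 7 and leaves that source's current row stored in full. The statement is not idempotent: running it a second time hashes the digests again.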