View Source

This topic is discussed in the Advanced Topics training video.

Grouper's views can be granted to schemas to make it possible to access Grouper data from SQL.

Notes/Warnings

If you do grant Grouper views to schemas you should keep track of what you grant to do some sanity tests on Grouper upgrades.
Some views are for reporting reasons and are not intended for real time data.
Check the views that you use to see the performance.
The SQL interface is useful for large loads that might overwhelm or not be performant or not be possible in web services.
This SQL interface is for SELECT only, not insert/update/delete, and is not used with the Grouper API, just SQL queries in whatever programming language you would like. Ask the Grouper team for help if you are not sure how to use the tables

Best practices to using the SQL interface

Do not use the Grouper schema for accesses to the Grouper SQL interface, make another schema which is readonly and only has access to the required data (where clause)
Make a view on top of the Grouper tables/views and grant that to the other schema. This is because when Grouper is upgraded the views are dropped (including grants), so they would be lost or need to be recreated

Groups with attribute

select
  gaagv.group_name
from
  grouper_attr_asn_group_v gaagv, grouper_groups gg
where
  gaagv.attribute_def_name_name = 'test:attrName'
  and gaagv.group_id = gg.id
  and gaagv.enabled = 'T'
  and gg.enabled = 'T'

Groups under stem with attribute

select
  gg.name
from
  grouper_attr_asn_stem_v gaasv, grouper_stem_set gss, grouper_groups gg
where
  gaasv.attribute_def_name_name = 'test:attrDef1'
  and gaasv.stem_id = gss.then_has_stem_id
  and gg.parent_stem = gss.if_has_stem_id
  and gg.enabled = 'T'
  and gaasv.enabled = 'T'

People added to group after a certain date (micros since 1970)

select distinct gm.subject_id, gm.description from grouper_pit_memberships_lw_v gpmlv, grouper_pit_groups gpg, grouper_members gm 
where gpg.source_id ='b9452d5e6a824b598a5fc83939f2677d' 
and gpg.id  = owner_group_id  and the_start_time > '1616385600000000'
and gm.id = gpmlv.member_id 
;

Memberships

The main views to use are:

grouper_membership_lw_v: This view can be used for memberships or Grouper group privileges (e.g. if someone can ADMIN a group). Note: make sure you have the proper where clause which selects the proper list (generally "members").

Grouper > Grouper SQL interface > grouperSqlMships.jpg

This view contains all memberships (direct, indirect, groups, people, etc). To return a simple list of effective membership for people try:

SELECT DISTINCT subject_id FROM grouper_memberships_lw_v WHERE group_name='{path:to:group}' AND subject_source='{people_subject_source}' AND list_name ='members'

grouper_perms_all_v: This view can be used for Grouper permissions. Note, DISALLOW is exposed through the SQL interface, and is not calculated. So if DISALLOW is assigned in the data being used, you should either not use the SQL interface, or you would need to calculate the DISALLOWs after selecting the data (note, this is a complicated algorithm though it is documented on the wiki with examples).

Grouper > Grouper SQL interface > grouperSqlPerms.jpg

There are some useful tables to join to: grouper_groups, grouper_members, grouper_stems, etc

Privileges

Find all group admins

select group_name, subject_id from grouper_memberships_lw_v gmlv where list_name = 'admins' and SUBJECT_SOURCE = 'mySubjectSource'

Find all stem admins

select stem_name, subject_id from grouper_mship_stem_lw_v gmslv where gmslv.LIST_NAME = 'stemAdmins' and gmslv.SUBJECT_SOURCE = 'mySubjectSource' ;

Find groups someone can update (or admin)

select distinct gmlv.group_name from grouper_memberships_lw_v gmlv where gmlv.list_name in ('admins', 'updaters')
and gmlv.subject_source = 'xyz' and gmlv.subject_id = '123' order by gmlv.group_name limit 100

Groups provisionable to a provisioner

select * from grouper_sync gs, grouper_sync_group gsg 
where gs.provisioner_name = 'blah'
and gs.id = gsg.grouper_sync_id 
and gsg.provisionable = 'T'

Groups with provisioning assignments for a provisioner

Replace provisionerId with the ID of the provisioner

select gaaagv.group_name, 'group' as owner_type from grouper_aval_asn_asn_group_v gaaagv 
where gaaagv.attribute_def_name_name2 like '%etc:provisioning:provisioningTarget'
and gaaagv.value_string = 'provisionerId'
union all
select gaaasv.stem_name, 'stem' as owner_type from grouper_aval_asn_asn_stem_v gaaasv 
where gaaasv.attribute_def_name_name2 like '%etc:provisioning:provisioningTarget'
and gaaasv.value_string = 'provisionerId'

SQL loader membership queries

SELECT gaaag.group_name, gaaag.value_string  FROM penngrouper.grouper_aval_asn_asn_group_v gaaag where gaaag.attribute_def_name_name2 like '%grouperLoaderQuery'