awslabs / ssosync

Populate AWS SSO directly with your G Suite users and groups using either a CLI or AWS Lambda
Apache License 2.0
525 stars 181 forks

Adds support for nested groups #95

Closed terricain closed 10 months ago

terricain commented 2 years ago

Issues

Sorry didn't raise a specific issue but some exist: Fixes #66 Fixes #51 Fixes #27

Description

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

AmitBaranes commented 1 year ago

any update here?

ChrisPates commented 1 year ago

So, I have multiple issues and pull requests relating to how ssosync builds the user/group/group membership datasets. Having dived deep into the code, it needs refactoring, which is where I currently am (in a feature branch).

Once I have a functional build, I would appreciate feedback before I push to master. Let me know if you would like me to update this thread when I have a candidate build.

AmitBaranes commented 1 year ago

> So, I have multiple issues and pull requests relating to how ssosync builds the user/group/group membership datasets. Having dived deep into the code, it needs refactoring, which is where I currently am (in a feature branch).
>
> Once I have a functional build, I would appreciate feedback before I push to master. Let me know if you would like me to update this thread when I have a candidate build.

Sure, I'd be happy to test it out.

IDisposable commented 1 year ago

> Once I have a functional build, I would appreciate feedback before I push to master. Let me know if you would like me to update this thread when I have a candidate build.

Please count me in for a review

ChrisPates commented 1 year ago

So the feature branch is a much deeper overhaul of the internal logic. Getting back to a left-hand model of the Google directory (users, groups and memberships, filtered based on the supplied parameters) and comparing it to a right-hand model of identity store (users, groups and memberships).

Plus making better use of the external IDs in identity store so we get faster, more accurate matches that survive updates on the left-hand side, with a fallback match based on email address, so we can minimise delete/recreate events which result in loss of permission assignments in Identity Center.
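
The matching order described in the comment above (external ID first, email as fallback, delete only what stays unmatched), as an added example that is not code from ssosync or its feature branch. The `User`, `Plan` and `Reconcile` names are hypothetical, and the `Conflict` rule (refusing the email fallback when the identity store user is already linked to a different external ID) is an assumption of this example, not something the thread states.

```go
package main

import (
	"fmt"
	"strings"
)

// User and Plan are simplified shapes assumed for this example.
type User struct{ ExternalID, Email string }
type Plan struct{ Keep, Update, Create, Delete, Conflict []string }

// Reconcile matches left (Google) to right (identity store): external ID first, then email.
func Reconcile(left, right []User) (p Plan) {
	byID, byEmail := map[string]int{}, map[string]int{}
	for i, r := range right {
		if r.ExternalID != "" {
			byID[r.ExternalID] = i
		}
		byEmail[strings.ToLower(r.Email)] = i
	}
	matched := make([]bool, len(right))
	for _, l := range left {
		i, ok := byID[l.ExternalID]
		dst := &p.Update // same user, changed data: update in place, assignments survive
		if ok && strings.EqualFold(right[i].Email, l.Email) {
			dst = &p.Keep
		} else if !ok {
			if i, ok = byEmail[strings.ToLower(l.Email)]; !ok {
				p.Create = append(p.Create, l.Email)
				continue
			} else if right[i].ExternalID != "" {
				dst = &p.Conflict // email already linked to another ID: review, do not adopt
			}
		}
		matched[i] = true
		*dst = append(*dst, l.Email)
	}
	for i, r := range right {
		if !matched[i] {
			p.Delete = append(p.Delete, r.Email) // only truly unmatched users are removed
		}
	}
	return p
}

func main() {
	left := []User{{"g1", "ann@example.com"}, {"g2", "bob.new@example.com"}, {"g3", "cy@example.com"}}
	right := []User{{"g1", "ann@example.com"}, {"g2", "bob@example.com"}, {"", "cy@example.com"}}
	fmt.Printf("%+v\n", Reconcile(left, right)) // constructed sample data
}
```

A renamed user (`bob` to `bob.new`) lands in `Update` rather than in a `Delete` plus `Create` pair, which is the case that would otherwise drop permission assignments.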