You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2022/10/25 13:55:58 UTC

[jackrabbit-oak] branch trunk updated: OAK-9972 : Create FAQ for dynamic sync

This is an automated email from the ASF dual-hosted git repository.

angela pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 964864002e OAK-9972 : Create FAQ for dynamic sync
964864002e is described below

commit 964864002ec7424116deaee8320cec1f99920dff
Author: angela <an...@adobe.com>
AuthorDate: Tue Oct 25 15:55:45 2022 +0200

    OAK-9972 : Create FAQ for dynamic sync
---
 .../security/authentication/external/dynamic.md         |  4 +++-
 .../markdown/security/authentication/external/faq.md    | 17 ++++++++++++++---
 2 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/oak-doc/src/site/markdown/security/authentication/external/dynamic.md b/oak-doc/src/site/markdown/security/authentication/external/dynamic.md
index 56b7cb0916..1be242c2c7 100644
--- a/oak-doc/src/site/markdown/security/authentication/external/dynamic.md
+++ b/oak-doc/src/site/markdown/security/authentication/external/dynamic.md
@@ -24,7 +24,7 @@ that allows enabling dynamic group membership resolution for external users.
 
 Enabling dynamic membership in the [DefaultSyncConfig] will change the way external
 groups are synchronized (see [OAK-4101]) and how automatic group membership 
-is being handled (see [OAK-4087])
+is being handled (see [OAK-4087]).
 
 The key benefits of dynamic membership resolution are:
 
@@ -32,6 +32,8 @@ The key benefits of dynamic membership resolution are:
 - avoid storing/updating auto-membership which is assigned to all external users
 - ease principal resolution upon repository login
 
+See also [FAQ](faq.html#Dynamic_Sync) for frequently asked questions about thes dynamic sync.
+
 ### SyncContext with Dynamic Membership
 
 With the default `SyncHandler` this configuration option will show the following 
diff --git a/oak-doc/src/site/markdown/security/authentication/external/faq.md b/oak-doc/src/site/markdown/security/authentication/external/faq.md
index e26a594309..76c878d505 100644
--- a/oak-doc/src/site/markdown/security/authentication/external/faq.md
+++ b/oak-doc/src/site/markdown/security/authentication/external/faq.md
@@ -15,19 +15,30 @@
    limitations under the License.
 -->
 
-External Authentication : FAQ
------------------------------
+# External Authentication : FAQ
+
+<!-- MACRO{toc} -->
+
+## General
 
 | Question          | Answer                        | References        |
 |-------------------|-------------------------------|-------------------|
 | Why am I no longer able to change the `rep:externalId`?               | Since Oak 1.5.8 the default sync mechanism properly protects the system maintained property `rep:externalId` which is used to link a given synced user/group account to the corresponding entry on the external IDP. | See [documentation](defaultusersync.html) and [OAK-4301] |
 | Why does a User or Group created with a content package not get synced with the IDP? | Only users/groups with a `rep:externalId` linking them to the external IDP will be respected during the default sync mechanism. | See also [OAK-4397] and [OAK-5304] |
 
+## Dynamic Sync
+See [User and Group Synchronization : Dynamic Membership and Dynamic Groups](dynamic.html) for further details.
 
-
+| Question          | Answer                        | References        |
+|-------------------|-------------------------------|-------------------|
+| The external group doesn't get created | The dynamic membership option will only synchronize the membership information but not the group accounts. Additionally enabling 'Dynamic Groups' option will make sure groups are synchronized while keeping the dynamic nature of the membership information. | See section [Dynamic Groups](defaultusersync.html#dynamic_groups)|
+| I cannot add members to a synchronized group | The dynamic groups option comes with a dedicated validator that makes external groups read-only | See section [Enforcing dynamic groups](defaultusersync.html#validation) |
+| Auto-membership cannot be altered through user management API | The configured auto-membership with local groups is calculated dynamically from the configuration and cannot be changed through user management API | See section [Automatic Membership](dynamic.html) | 
+| External groups have not rep:members property | The membership information is computed using an implementation of `DynamicMembershipProvider` computed dynamically from the `rep:externalPrincipalNames` properties stored with external users | See [OAK-9803] | 
 
 [OAK-4301]: https://issues.apache.org/jira/browse/OAK-4301
 [OAK-4397]: https://issues.apache.org/jira/browse/OAK-4397
 [OAK-5304]: https://issues.apache.org/jira/browse/OAK-5304
+[OAK-9803]: https://issues.apache.org/jira/browse/OAK-9803