Wednesday, December 13, 2017

A fast way to get membership counts in Apache Syncope

Apache Syncope is a powerful open source Identity Management project, covered extensively on this blog. Amongst many other features, it allows the management of three core types: Users, Groups and "Any Objects", the last of which can be used to model arbitrary types. These core types can be accessed via a flexible REST API powered by Apache CXF. In this post we will explore the concept of "membership" in Apache Syncope, as well as a new feature added in Syncope 2.0.7 that provides an easy way to see membership counts.

1) Membership in Apache Syncope

Users and "Any Objects" can be members of Groups in two ways: statically and dynamically. "Static" membership is when the User or "Any Object" is explicitly assigned membership of a given Group. "Dynamic" membership is when the Group is defined with a set of rules; any User or "Any Object" for which the rules evaluate to true is a member of the group. For example, a User could be a dynamic member of a group based on the value of a given User attribute. So we could have an Apache group with a dynamic User membership rule of "*@apache.org" matching an "email" attribute.

2) Exploring group membership via the REST API

Let's examine group membership with some practical examples. Start Apache Syncope and log in to the admin console. Click on "Groups" and add a new group called "employee", accepting the default options. Now click on the "User" tab and add new Users called "alice" and "bob", with static membership of the "employee" group.

Using a tool like "curl", we can access the REST API using the admin credentials to obtain information on "alice":
  • curl -u admin:password http://localhost:9080/syncope/rest/users/alice
Note that "alice" has a "memberships" attribute pointing to the "employee" group. Next we can see information on the "employee" group via:
  • curl -u admin:password http://localhost:9080/syncope/rest/groups/employee

3) Obtaining membership counts

Now consider obtaining the membership count of a given group. Let's say we are interested in finding out how many employees we have. How can this be done? Prior to Apache Syncope 2.0.7, we had to leverage the power of FIQL, which underpins the search capabilities of the REST API of Apache Syncope (the URL is quoted so that the shell does not treat "?" as a wildcard):
  • curl -u admin:password "http://localhost:9080/syncope/rest/users?fiql=%24groups==employee"
In other words, search for all Users who are members of the "employee" group. This returns a long list of all Users, even though all we care about is the count (which is encoded in the "totalCount" attribute). There is a new way to do this in Apache Syncope 2.0.7. Instead of having to search for Users, membership counts are now encoded in groups. So we can see the total membership counts for a given group just by doing a GET call:
  • curl -u admin:password http://localhost:9080/syncope/rest/groups/employee
Following the example above, you should see a "staticUserMembershipCount" attribute with a value of "2". Four new attributes are defined for GroupTO:
  • staticUserMembershipCount: The static user membership count of a given group
  • dynamicUserMembershipCount: The dynamic user membership count of a given group
  • staticAnyObjectMembershipCount: The static "Any Object" membership count of a given group
  • dynamicAnyObjectMembershipCount: The dynamic "Any Object" membership count of a given group.
Some consideration was given to returning the Any Object counts associated with a given Any Object type, but this was abandoned for performance reasons.
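
The following is an added example, not code from the original post or from the Syncope project: a Python helper that reads the four GroupTO count attributes listed above and falls back to the "totalCount" of the FIQL search when a pre-2.0.7 server omits them. The JSON documents are constructed and trimmed, and the function names are hypothetical.

```python
import json
from urllib.parse import quote

# The four GroupTO attributes added in Syncope 2.0.7 (names taken from the post).
COUNT_FIELDS = (
    "staticUserMembershipCount",
    "dynamicUserMembershipCount",
    "staticAnyObjectMembershipCount",
    "dynamicAnyObjectMembershipCount",
)

# Constructed, trimmed sample responses (not captured from a real server).
GROUP_207 = json.loads(
    '{"name": "employee", "staticUserMembershipCount": 2,'
    ' "dynamicUserMembershipCount": 0, "staticAnyObjectMembershipCount": 0,'
    ' "dynamicAnyObjectMembershipCount": 0}')
GROUP_OLD = json.loads('{"name": "employee"}')  # pre-2.0.7 shape: no counts
SEARCH = json.loads(
    '{"totalCount": 2, "result": [{"username": "alice"}, {"username": "bob"}]}')


def fiql_users_url(base, group):
    """Build the pre-2.0.7 search URL; '$' is percent-encoded as %24."""
    return f"{base}/users?fiql={quote('$groups==' + group, safe='=')}"


def group_counts(group_to):
    """Return the four counts, or None when the server does not send them."""
    if not all(field in group_to for field in COUNT_FIELDS):
        return None
    return {field: int(group_to[field]) for field in COUNT_FIELDS}


def membership_summary(group_to, search_result=None):
    """Prefer the GroupTO counts; otherwise use the search's totalCount.

    The search total is a single number and is not split into static and
    dynamic members, so the two sources are reported under different keys.
    """
    counts = group_counts(group_to)
    if counts is not None:
        return {"source": "group", **counts}
    if search_result is None:
        raise ValueError("no count attributes; a FIQL search result is required")
    return {"source": "search", "userTotalCount": int(search_result["totalCount"])}


if __name__ == "__main__":
    print(fiql_users_url("http://localhost:9080/syncope/rest", "employee"))
    print(membership_summary(GROUP_207))
    print(membership_summary(GROUP_OLD, SEARCH))
```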
