Group sys id changed

thomaskennedy · ‎01-05-2018

We have business rules that assign records to groups using the hard-coded sys id of the group. That is, we're not looking up the sys id of the group based on its name, we have the sys id hard coded. It has happened repeatedly that the sys id of some or all of the groups has changed in prod, breaking our script.

According to my understanding all the groups are imported through ldap. It is as if the connection from ldap did a delete against the SN tenant, followed by an insert with the updated group from AD.

I'm not the administrator in prod, so I have no visibility into this. What could be causing this?

rlatorre · ‎01-05-2018

If you are performing LDAP imports in non-production environments, newly created groups will have different sysIDs in those environments. If this is the case, only perform the import in your Production environment and sync the table to non-prod as needed.

It's also not best practice to hard code sys_IDs for just such a reason. Try using a different unique ID for LDAP groups like the groups CN. You can store that in a field on the group table.

ldap:cn=ldap_group_cn_name

thomaskennedy · ‎01-08-2018

Robert,

Can you describe how to go about synching users and groups from prod to other environments? I am quite sure some of the sys ids changed in prod -- we double checked them before our last update set.

So, it seems the first thing to do is update groups only in prod and push downward from there. Then if they change, there will be no debate about whether it changed, and where, and we can concentrate on the how. I'm not the admin and don't know anything about how to do this synch, but it may be that I need to keep pressing this issue.

rlatorre · ‎01-08-2018

We keep our non-prod environments in sync with production by cloning after we have a release. You can also XML export the tables from prod and import into non-prod environments as needed.