rjacobs's sandbox: Crowd Push and Provisioning

This module provides push and provisioning sync capabilities to send user data updated in Drupal to Crowd. The main Crowd SSO module (current dev version) is required.

The main Crowd SSO module has native pull sync capabilities but it does not offer a way to "push" user updates and creations from Drupal to Crowd. This module addresses this functionality gap by adding base APIs to manage push operations along with Drupal user form integration that syncs local changes with Crowd was needed. This means that tasks like the following can be performed in Drupal and seamlessly synced to Crowd:

• General updates to user profiles performed by admins or directly by users on their own accounts.
• New user creations (provisioning) performed by admins or as self-registrations.
• User password resets as part of a direct profile update or a Drupal password reset workflow.
• User deletions (optional).

Usage

After the module is installed a few new configuration options will appear under the main Crowd admin configuration page at admin/config/crowd. From here you can choose which Drupal operations (updates, provisioning, deletion, etc.) will trigger Crowd updates. Note that:

• The module's built-in push logic only handles syncing of the username, email address, active status and password. Additional fields and attributes (such as a first name and last name) can easily be mapped using hook_crowd_push_user_data_alter(), which is very similar to the main Crowd module's hook_crowd_push_user_data_alter().
• The "link" between a Drupal user and a Crowd user is based on a user's username (specifically entries in the Drupal authmap table) so making changes to the username value after it's initiated can break the link between a Drupal user and a Crowd user and cause unpredictable results.
• User data is refreshed (pulled) whenever a user profile page is viewed (/user/% and /user/%/edit) in an effort to ensure data is fresh before edits (pushes) are made. That said, the Crowd Batch & Auto Pull module provides an even more comprehensive set of tools to assist with data freshness across systems, and may also be useful for some needs.

Handling Group Mappings

The main Crowd module has a feature to map individual Crowd groups to Drupal roles and then add/remove roles as needed (based on this mapping) each time a user pull sync takes place. Because this mapping allows a many-to-one relationship between Crowd groups to Drupal roles it is unfortunately not possible to apply this mapping in reverse during a pull. This means that Crowd groups are not automatically updated during a push by default.

Despite this it is still possible to administer Crowd group settings for individual users directly from Drupal. Any users that have the "Administer Crowd group memberships" permission will see a special "Crowd Groups" fieldset on the user registration and profile forms. This allows them to assign any Crowd groups directly to the user, totally independent of the Crowd groups to Drupal roles group map. The group map is still leveraged during the save operation to adjust the user's Drupal roles (if needed) to keep everything consistent. Because users with this "Administer Crowd group memberships" permission have the ability to set any Crowd groups for a user (not just those that are part of a group map) it should be granted very carefully.