One of our Grouper provisioning runs was accidentally started twice, a couple minutes apart. Both runs ran to completion, and this created multiple, identical paths to membership in the same groups. Although not a fatal data error, having multiple identical paths to membership is never correct, and it raises the prospect that this may reveal a larger problem in the API's design. Multiple simultaneous users of the API should not create duplicate records. To solve the issue, we tried using the API to delete one of the paths, but the API returned an error because it could not uniquely identify a single membership pathway to delete. There are 2 possible solutions to this issue. I believe the correct solution is to properly handle a multi user environment, so simultaneous (or near-simultaneous) transactions do not duplicate data. The alternative, minimally acceptable solution is to allow the deletion of one of the identical paths of membership.
Brown was forced to choose the 3rd alternative, restoring the Oracle DB from backup and reapplying provisioned groups and manual changes since the error occurred. We wrote scripts to export and re-import the manual changes to the Grouper DB that we plan to contribute to the project. The scripts are useful for snapshotting the manual changes to the Grouper DB.