--- title: Outbound provisioning CLI description: PingFederate provides a command-line interface (CLI) to help manage automated outbound provisioning at identity provider (IdP) sites. component: pingfederate version: 13.0 page_id: pingfederate:administrators_reference_guide:pf_outbound_provision_cli canonical_url: https://docs.pingidentity.com/pingfederate/13.0/administrators_reference_guide/pf_outbound_provision_cli.html revdate: July 5, 2022 --- # Outbound provisioning CLI PingFederate provides a command-line interface (CLI) to help manage automated outbound provisioning at identity provider (IdP) sites. Administrators can use the CLI to view the status of user provisioning, either globally or one provisioning channel at a time, and to rectify unusual situations where provisioning at the service provider (SP) might be out of sync with the enterprise user store. The CLI tool, `provmgr.bat` or `provmgr.sh`, is located in the directory `/pingfederate/bin`. The tool interacts with the PingFederate internal datastore to maintain provisioning synchronization between the LDAP user store and the target service. The tool creates its own log file, located at `/pingfederate/log/provmgr.log`. You can control settings for this log, as needed, in the `/pingfederate/bin/provmgr.log4j2.xml` file. The following table describes the available global and channel-specific command arguments. | Command argument | Description | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Global options | | | --help | Describes the available options. The help also displays if you run the command with no arguments. | | --show-channels | Lists all channels in a table format, showing for each:- ID: A numeric channel ID (channel-specific commands need this ID) - Name: The channel name - Connection ID - Status: active \| inactive (both the connection and the channel status are shown) - User count/dirty-user-record count, such as `5000/12`, which means 5000 users and 12 dirty records - Source, as LDAP URL - Target code | | --show-nodes | Shows all the provisioning-server nodes with their status and the last timestamp. Applicable only when failover provisioning is configured in the `/pingfederate/bin/run.properties` file. | | --force-node-backupUse with node number: -n \ | Sets the provisioner mode to FAILOVER for the associated PingFederate server node. | | **Channel-specific options** With each command, specify the channel with the -c \ argument. For example: provmgr -c 1 --show-source You can determine channel ID numbers by using the global command provmgr --show-channels. | | | --reset-group-timestamp | Deletes the user-group timestamp, which forces the provisioner to process the provisioning group on the next cycle, even if the timestamp on that group did not actually change.Depending on your LDAP server and administrative practices, you might want to schedule this command to run periodically to catch up with any users that may have been deleted, rather than deactivated, in the directory server. Some directory servers do not update the group timestamp for deleted users. You should rarely need this option if users are deactivated rather than deleted. If you do need it, you might want to schedule it when other network activity is low. | | --reset-attribute-sync | Sets the attribute sync timestamp to 1, which forces the provisioner to look at all users for changes, not only those that have a newer timestamp on their LDAP entry. This is rarely needed and might consume considerable network resources, depending on the number of users. If it is needed, you might want to schedule it when other network activity is low. | | --reset-values-hash | Removes the values hash for all users. The database stores a hash of attribute values for users to determine whether any values have been changed.This argument forces users that have a newer timestamp on their LDAP entry to be updated at the service provider, regardless of the actual field values. However, users whose recorded timestamp is unchanged are not updated. | | --reset-all | Equivalent to using all three of the previous arguments. | | --show-dirty-records | Lists all users or groups that have not been provisioned or updated at the SP site. This option is rarely needed and might consume considerable network resources, depending on the number of users. If it is needed, you might want to schedule it when other network activity is low. | | --show-dirty-group-records | List groups that have not been provisioned or updated at the SP site. | | --show-dirty-user-records | List all users that have not been provisioned or updated at the SP site. | | --show-group--show-userUse with:-u \Or:-g \ | Shows all internal database fields related to the specified user or group, including transitory mapping fields, which are fields waiting to be pushed to the SP. For a user, shows all LDAP attributes retrieved from the directory server. You can obtain user or group names and GUIDs for dirty records, as needed, using any of the --show-dirty-\* options, described above.The LDAP GUID, if used and if it is binary, should be entered in hexadecimal format, as shown in log files.``` provmgr.sh --show-user -u user@example.com provmgr.sh --show-user -g ffd448643f812b43a0bee2504173f0 ``` | | --clear-dirty-records | Clears the dirty flag on all records. | | --clear-dirty-group-records | Clears the dirty flag on all group records. | | --clear-dirty-user-records | Clears the dirty flag on all user records. | | --delete-dirty-records | Removes all dirty records from the internal store. | | --delete-dirty-group-records | Removes all dirty group records from the internal store. | | --delete-dirty-user-records | Removes all dirty user records from the internal store. | | --delete-all--delete-all-users | The `delete-all` parameter removes all users and groups from the internal store and deletes the provisioning group timestamp and the last attribute-sync timestamp.The `delete-all-users` parameter deletes users and timestamps but retains groups.The effect of either command is to reset the channel to its initial state for user provisioning. All user metadata is lost and provisioning for the channel will start from the beginning, picking up all users, and groups if deleted, and pushing them to the SP when the synchronization frequency interval has expired. The synchronization frequency interval is defined on **System > Server > Protocol Settings > Outbound Provisioning**. You should rarely need these options. If needed, you might want to schedule the operation when other network activity is low. | | --show-target | Displays the target configuration. | | --show-source | Displays all source LDAP configuration parameters, including settings and location. |