There are many deprovisioning features in Grouper, this feature is a manual process to deprovision an individual.

This allows a deprovisioning administrator manually see someone's access and instantly remove it.

Deprovisioning setup

  • You can identify multiple affiliations (relationships) to the institution that have their own deprovisioning settings and a group of deprovisioned users.  Generally institutions start with and might only need one for their workforce.
  • Groups and folders can be pre-configured to be applicable or excluded for this deprovisioning process for each affiliation

Deprovisioning process for a user

The administrator manually initiates this process at the time of deprovisioning a user from an affiliation:

  • Search for and select a user
  • The administrator will be presented with a list of direct memberships and privileges the user has in the configured groups/folders for the affiliation being deprovisioned 
    • Checkboxes to remove the membership/privilege have defaults based on group/folder configuration of the group/folder
    • After reviewing the page, and the administrator clicks the deprovision button, the user's selected direct memberships and privileges will be removed
  • Added to the deprovisioned group for a configured amount of time. 
    • Either this is a short amount of time to let data flow through the institutions systems, or it is a long period of time if there is a worry that systems are deprovisioning users
  • While they are deprovisioned, any additions of that user to a configured group (manual or loaded) will be veto'ed
  • Loader jobs can be configured to automatically exclude deprovisioned users (since the system of record might not be accurate)

Group managers

  • Can use the Grouper UI to see if there are users in their group who are deprovisioned

While a user is deprovisioned

  • A user is deprovisioned while they are in the deprovisioned group
  • If a group manager adds a deprovisioned user to a group where that is not allowed, the action will be veto'ed
  • Grouper will notify application administrators where Grouper is not the system of record or where manual deprovisioning is preferred.  This is a nightly notification
    • The group manager can certify that the group should have users by certifying the group on a certain date.  If there are new deprovisioned user after that date they will get notifications for them.



Blog on Deprovisioning

Check out the October 2024 Grouper blog on deprovisioning for a helpful overview of the topic.


Here  are workflows around configuring and using deprovisioning.

deprovisioningSwimlanes


Getting started

Grouper deprovisioning settings on objects

Grouper deprovision process

Grouper deprovisioning report

Development notes

Grace periods, recent memberships


See Also

Slack Use Case from University of Pennsylvania

Grouper Automatically Managed Recent Memberships / Grace Periods


  • No labels