This info is from Advance CAMP session at 2019 Technology Exchange in New Orleans

Also of interest, Grouper automatically managed recent memberships feature added in May 2020:

Documentation from University of Nebraska on how to accommodate a 90 day grace period for employees.

This uses a rule through the Grouper UI, which adds a user to another group when their membership removes.

  • contact Brett Bieber or Patrick Haugland for more info

Adding removed member to another group with expiration date (grace period group).

*Note these rule only triggers on users who are direct members of the access policy.

  1. Create a grace period group for your access policy. 
    • example "app:firefly:P:allows_denies:psc_90d_grace"
  2. Navigate to the group you wish to add a grace period rule to and click More | Attribute assignments
    • example "ref:hr:pa:6700:Employee"
  3. Click the + Assign Attribute button and add in the following attribute assignment:
    • etc:attribute:rules:rule
  1. Now click on the actions button to the right of the rule attribute that has been added and select "Add metadata assignment. Do this for each of the following attributes
    • etc:attribute:rules:ruleActAsSubjectId
      • Set value to "GrouperSystem"
    • etc:attribute:rules:ruleActAsSubjectSourceId
      • Set value to "g:isa"
    • etc:attribute:rules:ruleCheckOwnerName
      • Set value to Group ID Path ex "ref:hr:pa:6700:Employee"  
    • etc:attribute:rules:ruleCheckType
      • Set value based on type of membership change 
        • New member being added "membershipAdd"
        • Member being removed "membershipRemove"
        • New member in a nested group "flattenedMembershipAdd"
        • Member being removed from a nested group "flattenedMembershipRemove"
    • etc:attribute:rules:ruleIfOwnerName
      • Set value to Group ID Path ex "ref:hr:pa:6700:Employee"
    • etc:attribute:rules:ruleThenEl
      • Set value to ${ruleElUtils.assignMembershipDisabledDaysForGroupId("groupId", memberId, X, true)}
        • Replace groupId with to the UUID of your grace period group
          • example: f1453bf852354be9a2a8cc8cfff58c84
        • Replace X with the number of days you want them to be in the grace period group.
          • example: 90
      • The resulting value should look something like. 
        • ${ruleElUtils.assignMembershipDisabledDaysForGroupId("f1453bf852354be9a2a8cc8cfff58c84", memberId, 90, true)}

*When you're done it should look something like this

  • No labels