...

Code Block
###################################
## Deprovisioning
###################################

# if deprovisioning should be enabled
deprovisioning.enable = true

# comma separated affiliations for deprovisioning e.g. employee, student, etc
# these need to be alphanumeric suitable for properties keys for further config or for group extensions
deprovisioning.affiliations = 

# Group name of the group that identifies generally if an entity is
# in this affiliation. So if a group is deprovisioned
# by various affiliations, then only deprovision if the entity in the group
# is not in any affiliation eligible group.
# e.g. VPN is deprovisioned by affiliations employee and student. If the person
# is no longer an employee, but is still
# a student, then don't deprovision.
# deprovisioning.affiliation_<affiliationName>.groupNameMeansInAffiliation = a:b:c
# deprovisioning.affiliation_employee.groupNameMeansInAffiliation = community:employee


# folder where system objects are for deprovisioning
# e.g. managersWhoCanDeprovision_<affiliationName>
# e.g. usersWhoHaveBeenDeprovisioned_<affiliationName>
deprovisioning.systemFolder = $$grouper.rootStemForBuiltinObjects$$:deprovisioning

# autocreate the deprovisioning groups
deprovisioning.autocreate.groups = true

# users in this group who are admins of an affiliation but who are not Grouper SysAdmins will be
# able to deprovision from all grouper groups/objects, not just groups they have access to UPDATE/ADMIN
deprovisioning.admin.group = $$deprovisioning.systemFolder$$:deprovisioningAdmins

# number of days in deprovisioning group.  Should be the amount of time for systems of record to catch up and
# for people to change external systems of record in manual processes
deprovisioning.defaultNumberOfDaysInDeprovisioningGroup = 14

#number of groups shown in the body of deprovisioning email
deprovisioning.email.group.count = 100

#deprovisioning reminder email subject
deprovisioning.reminder.email.subject = You have $groupCount$ groups that have suggested users to be deprovisioned

#deprovisioning reminder email body (links and groups are added dynamically)
deprovisioning.reminder.email.body = You need to review the memberships of the following groups.  Review the memberships of each group and click: More actions -> Deprovisioning -> Members of this group have been reviewed
deprovisioning.reminder.email.body.greaterThan100 = There are $remaining$ more groups to be reviewed.
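
The multi-affiliation rule in the comments above (the VPN case) can be modelled as follows. This is an added example, not Grouper's own code: the sample property values, the `community:student` group and the helper names are assumptions made for illustration.

```python
# Added illustration (not Grouper code): the multi-affiliation rule from the
# configuration comments. Group names and memberships are constructed samples.
SAMPLE_PROPERTIES = """
deprovisioning.enable = true
deprovisioning.affiliations = employee, student
deprovisioning.affiliation_employee.groupNameMeansInAffiliation = community:employee
deprovisioning.affiliation_student.groupNameMeansInAffiliation = community:student
"""


def parse_properties(text):
    """Parse key = value lines, skipping blanks and # comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def eligibility_groups(props):
    """Map each configured affiliation to its groupNameMeansInAffiliation group."""
    names = [n.strip() for n in props.get("deprovisioning.affiliations", "").split(",")]
    groups = {}
    for name in filter(None, names):
        if not name.isalnum():  # the config requires alphanumeric affiliation names
            raise ValueError(f"affiliation {name!r} is not alphanumeric")
        key = f"deprovisioning.affiliation_{name}.groupNameMeansInAffiliation"
        if props.get(key):
            groups[name] = props[key]
    return groups


def should_deprovision(props, object_affiliations, member_groups):
    """True only when the member is in none of the eligibility groups of the
    affiliations that deprovision this object (hypothetical helper)."""
    if props.get("deprovisioning.enable", "").lower() != "true":
        return False
    groups = eligibility_groups(props)
    # An affiliation with no eligibility group configured cannot keep a member
    # eligible (assumption of this model).
    still_eligible = [a for a in object_affiliations
                      if groups.get(a) in member_groups]
    return not still_eligible
```
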




...

Identify the deprovisioning managers and add them to the managers group. For example, if your grouper.rootStemForBuiltinObjects is "etc", and your deprovisioning affiliation is "employee", then the group would be:

...

Attribute name

Description

deprovisioning

Marker on group/folder

deprovisioningAffiliation

Affiliation configured in the grouper.properties

deprovisioningDeprovision

true|false, true to deprovision, false to not deprovision (default to true). Note, if this is set on a daemon job, then it will not deprovision any group in the loader job (they will be marked as such)

deprovisioningStemScope

one|sub, if in folder only or in folder and all subfolders (default to sub)

deprovisioningSendEmail

true|false, default to false. Set this to true for objects where the system of record is outside of grouper or where manual removal is preferred

deprovisioningEmailSubject

custom subject for emails, if blank use the default configured subject. Note there are template variables $$name$$ $$netId$$ $$userSubjectId$$ $$userEmailAddress$$ $$userDescription$$

deprovisioningEmailBody

custom email body for emails, if blank use the default configured body. Note there are template variables $$name$$ $$netId$$ $$userSubjectId$$ $$userEmailAddress$$ $$userDescription$$

deprovisioningAllowAddsWhileDeprovisioned

Whether deprovisioned people may be added to the group

can be: blank, true, or false.  If blank, then will not allow adds unless auto change loader is false

deprovisioningAutoChangeLoader

If this is a loader job, whether being in a deprovisioned group means the user should not be in the loaded group.

can be: blank (true), or false (false)

deprovisioningAutoselectForRemoval

If the deprovisioning screen should autoselect this object as an object to deprovision

can be: blank, true, or false.  If blank, then will autoselect unless deprovisioningAutoChangeLoader is false

deprovisioningDirectAssignment

If deprovisioning configuration is directly assigned to the group or folder or inherited from parent

deprovisioningEmailAddresses

Email addresses to send deprovisioning messages.

If blank, then send to group managers, or comma separated email addresses (mutually exclusive with deprovisioningMailToGroup)

deprovisioningMailToGroup

ID of a group whose members are sent the deprovisioning messages (mutually exclusive with deprovisioningEmailAddresses)

deprovisioningSendEmail

If this is true, then send an email about the deprovisioning event.  If the assignments were removed, then give a description of the action.  If assignments were not removed, then remind the managers to unassign.  Can be <blank>, true, or false.  Defaults to false unless the assignments were not removed.

deprovisioningShowForRemoval

If the deprovisioning screen should show this object if the user has an assignment.

can be: blank, true, or false.  If blank, will default to true unless auto change loader is false.

deprovisioningInheritedFromFolderId

Stem ID of the folder where the configuration is inherited from. This is blank if this is a direct assignment and not inherited
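
Several attributes above are blank/true/false, and their blank defaults depend on deprovisioningAutoChangeLoader. The sketch below resolves the effective values and flags settings under which a deprovisioned user can keep or regain membership. It is an added example, not Grouper's implementation: the function names and the `assignments_removed` parameter are assumptions.

```python
# Added illustration (not Grouper code): effective values of the blank/true/false
# deprovisioning attributes, following the defaults described in the table above.

def tri_state(value):
    """'' or None -> None (blank), 'true' -> True, 'false' -> False."""
    text = (value or "").strip().lower()
    if text == "":
        return None
    if text not in ("true", "false"):
        raise ValueError(f"expected blank, true or false, got {value!r}")
    return text == "true"


def effective_settings(attrs, assignments_removed=True):
    """Resolve blank attribute values to their documented defaults."""
    def pick(name, default):
        explicit = tri_state(attrs.get(name))
        return default if explicit is None else explicit

    loader = pick("deprovisioningAutoChangeLoader", True)  # blank means true
    return {
        "deprovisioningDeprovision": pick("deprovisioningDeprovision", True),
        "deprovisioningAutoChangeLoader": loader,
        # blank: adds are refused unless auto change loader is false
        "deprovisioningAllowAddsWhileDeprovisioned":
            pick("deprovisioningAllowAddsWhileDeprovisioned", not loader),
        # blank: autoselected and shown unless auto change loader is false
        "deprovisioningAutoselectForRemoval":
            pick("deprovisioningAutoselectForRemoval", loader),
        "deprovisioningShowForRemoval":
            pick("deprovisioningShowForRemoval", loader),
        # blank: false unless the assignments were not removed
        "deprovisioningSendEmail":
            pick("deprovisioningSendEmail", not assignments_removed),
    }


def review_findings(attrs):
    """Flag settings under which a deprovisioned user can keep or regain membership."""
    eff = effective_settings(attrs)
    findings = []
    if eff["deprovisioningAllowAddsWhileDeprovisioned"]:
        findings.append("deprovisioned users can be added back")
    if not eff["deprovisioningShowForRemoval"]:
        findings.append("object is hidden on the deprovisioning screen")
    return findings
```

Setting only deprovisioningAutoChangeLoader to false flips three blank defaults at once, which is why the review function reports on the resolved values rather than on the raw attributes.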

...

Do not allow assignments by WS of deprovisioned users to deprovisionable objects by affiliation.  Allow a param to override this

Allow global deprovision across affiliations or if no affiliation specified.  Or document how to do this

...