...
As of Registry v3.2.0, CO Group Memberships may have valid from and valid through dates attached. These may be manually populated, or synced via Organizational Identity Sources. CO Group Memberships outside of the specified validity dates will not be provisioned or usable for Registry authorization.
To manually configure validity dates for a CO Group Membership, navigate using one of these paths:
- CO Person Record > Click Edit next to the appropriate group membership
- CO Group Record > Click Edit next to the appropriate group member
Reprovisioning Records
When a CO Group Member valid from or valid through date takes effect, the record must be reprovisioned for the associated changes to be propagated downstream. This is done via the Registry Job Shell. When executed, the job will reprovision any record 
Note that the Registry Job Shell groupvalidity must be configured to run in order to reprovision records associated with a CO Group Membership whose validity status has changedvalid from or valid through date is within the last x minutes, where x is set via the CO Setting Group Validity Sync Window. The default value for this setting is 1440 minutes (or 1 day), and so typically it would make sense to run this task once per day, perhaps just after midnight. However, it may make sense to run this task more frequently, depending on how your deployment uses these dates.
- For Registry v4.0.0 and later, the Core Job Shell ValidateGroupMember job must be run periodically via cron.
- As of Registry v4.0.2, the ValidateGroupMember job will also process CO Group Nesting changes due to membership validity taking effect.
- For Registry v3.x, the Registry Job Shell
groupvaliditytask must be configured to run periodically via cron.