Deprovisioning features in Grouper allow
This is a design document for deprovisioning support in Grouper. Comments welcome.
Deprovisioning in Grouper allows a deprovisioning administrator to see someone's access and instantly remove it. It would
Grouper will also help notify application administrators where Grouper is not the system of record. The Grouper UI has screens for deprovisioning.
```properties
###################################
## Deprovisioning
###################################
# if deprovisioning should be enabled
deprovisioning.enable = true
# group that users who are allowed to deprovision other users are in
deprovisioning.managers.must.be.in.group = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:managersWhoCanDeprovision
# group that deprovisioned users go in (temporarily, but history will always be there)
deprovisioning.group.which.has.been.deprovisioned = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:usersWhoHaveBeenDeprovisioned
# autocreate the deprovisioning groups
deprovisioning.autocreate.groups = true
```
Deprovisioning managers
Identify the deprovisioning managers and add them to the "deprovisioning.managers.must.be.in.group", aka: <yourEtcPrefixHere>:deprovisioning:managersWhoCanDeprovision
Deprovisioning screens
See the users who have been deprovisioned
Use the menu to deprovision a user
Search for a user to deprovision
Search results show the right subject sources
See the user's access, add some notes, and deprovision them
Attributes
The deprovisioning attribute is assignable to memberships, groups, and folders. It is a single-assign marker attribute; the attributes listed below are assigned on that marker assignment. Note: not all attributes are used for each type of owner (group/folder/membership).
... not the system of record or where manual deprovisioning is preferred.
Attribute | Description
---|---
deprovisioningAllowAddsWhileDeprovisioned | Whether people who have been deprovisioned may still be added to this group. Can be blank, true, or false. If blank, adds are not allowed unless deprovisioningAutoChangeLoader is false.
deprovisioningAutoChangeLoader | For loader jobs: whether being in the deprovisioned group means the user should not be in the loaded group. Can be blank (treated as true) or false.
deprovisioningAutoselectForRemoval | Whether the deprovisioning screen should autoselect this object as an object to deprovision. Can be blank, true, or false. If blank, it is autoselected unless deprovisioningAutoChangeLoader is false.
deprovisioningDirectAssignment | Whether the deprovisioning configuration is directly assigned to this group or folder, or inherited from a parent folder.
deprovisioningEmailAddresses | Email addresses to send deprovisioning messages to. If blank, the messages go to the group managers; otherwise a comma-separated list of addresses (mutually exclusive with deprovisioningMailToGroup).
deprovisioningMailToGroup | ID of a group whose members receive the deprovisioning messages (mutually exclusive with deprovisioningEmailAddresses).
deprovisioningSendEmail | If true, send an email about the deprovisioning event. If the assignments were removed, the email describes the action; if they were not removed, it reminds the managers to unassign the user. Can be blank, true, or false. Defaults to false unless the assignments were not removed.
deprovisioningShowForRemoval | Whether the deprovisioning screen should show this object when the user has an assignment on it. Can be blank, true, or false. If blank, defaults to true unless deprovisioningAutoChangeLoader is false.
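The blank/true/false defaults above all hinge on deprovisioningAutoChangeLoader, and a group may take its settings from a parent folder rather than a direct assignment. The following is an added model of those documented rules, written for this page; it is not Grouper's own code or API. The DeprovisioningConfig, Folder and Group classes, the folder and group names, and the example address are assumptions made for the illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass
class DeprovisioningConfig:
    """Values as stored on the attribute assignment; None means the value is blank.
    Field names are assumptions; each maps to the attribute named in the comment."""
    auto_change_loader: Optional[bool] = None        # deprovisioningAutoChangeLoader
    allow_adds_while_deprovisioned: Optional[bool] = None  # deprovisioningAllowAddsWhileDeprovisioned
    autoselect_for_removal: Optional[bool] = None    # deprovisioningAutoselectForRemoval
    show_for_removal: Optional[bool] = None          # deprovisioningShowForRemoval
    send_email: Optional[bool] = None                # deprovisioningSendEmail
    email_addresses: str = ""                        # deprovisioningEmailAddresses (comma separated)
    mail_to_group: str = ""                          # deprovisioningMailToGroup (group ID)
    direct_assignment: bool = True                   # deprovisioningDirectAssignment

    def validate(self) -> None:
        # the two mail targets are documented as mutually exclusive
        if self.email_addresses and self.mail_to_group:
            raise ValueError("deprovisioningEmailAddresses and deprovisioningMailToGroup "
                             "are mutually exclusive")

    def effective_auto_change_loader(self) -> bool:
        # blank is documented as true
        return self.auto_change_loader is not False

    def effective_allow_adds(self) -> bool:
        # blank: adds are not allowed unless auto change loader is false
        if self.allow_adds_while_deprovisioned is None:
            return not self.effective_auto_change_loader()
        return self.allow_adds_while_deprovisioned

    def effective_autoselect(self) -> bool:
        # blank: autoselect unless auto change loader is false
        if self.autoselect_for_removal is None:
            return self.effective_auto_change_loader()
        return self.autoselect_for_removal

    def effective_show(self) -> bool:
        # blank: show unless auto change loader is false
        if self.show_for_removal is None:
            return self.effective_auto_change_loader()
        return self.show_for_removal

    def effective_send_email(self, assignments_removed: bool) -> bool:
        # blank: false, unless the assignments were not removed (managers must act)
        if self.send_email is None:
            return not assignments_removed
        return self.send_email

    def mail_target(self) -> str:
        # blank addresses and blank group: fall back to the group managers
        self.validate()
        return self.email_addresses or self.mail_to_group or "<group managers>"


@dataclass
class Folder:
    name: str
    parent: Optional["Folder"] = None
    config: Optional[DeprovisioningConfig] = None


@dataclass
class Group:
    name: str
    folder: Folder
    config: Optional[DeprovisioningConfig] = None


def effective_config(group: Group) -> Optional[DeprovisioningConfig]:
    """The group's own configuration if directly assigned, otherwise the nearest
    ancestor folder's configuration with direct_assignment cleared."""
    if group.config is not None:
        return group.config
    folder = group.folder
    while folder is not None:
        if folder.config is not None:
            return replace(folder.config, direct_assignment=False)
        folder = folder.parent
    return None


def example_tree():
    """Constructed sample: an 'app' folder, a 'loaded' subfolder configured for
    groups another system feeds, and one ad hoc group with its own settings."""
    app = Folder("app")
    loaded = Folder("app:loaded", parent=app,
                    config=DeprovisioningConfig(auto_change_loader=False,
                                                email_addresses="app-owners@example.edu"))
    sap_users = Group("app:loaded:sap-users", folder=loaded)        # inherits from folder
    adhoc = Group("app:adhoc", folder=app,
                  config=DeprovisioningConfig(send_email=True))     # direct assignment
    return sap_users, adhoc
```

With the loaded subfolder's deprovisioningAutoChangeLoader set to false, the inherited configuration for app:loaded:sap-users allows adds, is not autoselected and is not shown for removal, exactly the posture described above for a group whose membership another system controls; the ad hoc group, with everything blank except deprovisioningSendEmail, gets the opposite defaults.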
Here are workflows around configuring and using deprovisioning.
Deprovisioning settings on folders / groups / attributes
Grace periods, recent memberships
See Also
Blog on Grouper Deprovisioning with Grouper 2.4 (September 2018)
Slack Use Case from University of Pennsylvania
Grouper Automatically Managed Recent Memberships / Grace Periods
Notes
...
- Note: users of this screen effectively have a lot of access in Grouper: they can pull up any subject and see what they have, and they can remove most things, but they do not need to be Grouper admins. This screen could be used by an HR person.
...
- Memberships in this group expire after a configured amount of time (2 weeks is the default)
- This group can be used in "exclude" groups or rules in grouper for lockouts
- Note, some institutions might already have this "lockout" group
...
- Note: permissions are assigned on roles or on memberships in roles, so those would not be shown, but they would be removed
...
- Also adds the user to the deprovisioning group, with an end date of 2 weeks on the membership
- Assignments are point in time, so they can be restored later or migrated to another user
...
- Mark a group or folder as ineligible for deprovisioning (e.g. the lockout group)
- If Grouper is not the system of record for a group, mark the group or folder with attributes so that emails are sent to the application owners to deprovision that user. This would not remove the assignment in Grouper, because in this case Grouper is not the source of the assignment but only reflects it from another system. The recipient of the email would need to unassign the user, and that data would flow back to Grouper after the next load
- e.g. an attribute to say "deprovision_notify_app_owner", an attribute "deprovision_notify_app_owner_email", attribute "deprovision_notify_app_owner_email_subject", "deprovision_notify_app_owner_email_body"
- An attribute keeps track of when the owners were last emailed, so they don't get emailed more than once a day
...
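The notes above describe one deprovisioning action with several outcomes: memberships where Grouper is the system of record are ended but kept as point-in-time history, groups Grouper only reflects produce an email to the application owner (throttled to once a day), groups marked ineligible such as the lockout group are skipped, and the subject is placed in the deprovisioned group with a 2-week end date. The following is an added model of that flow, written for this page; it is not Grouper's code, and the class names, the "etc" root stem assumed for the group name, and the sample memberships and addresses are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# grouper.properties default, with an assumed root stem of "etc"
DEPROVISIONED_GROUP = "etc:deprovisioning:usersWhoHaveBeenDeprovisioned"
LOCKOUT_TTL = timedelta(days=14)     # "2 weeks is the default"
NOTIFY_INTERVAL = timedelta(days=1)  # owners are not emailed more than once a day


@dataclass
class Membership:
    subject: str
    group: str
    start: datetime
    end: Optional[datetime] = None   # None: still active
    grouper_is_sor: bool = True      # False: the group is loaded from another system
    owner_email: str = ""            # application owner to notify when not SoR

    def active_at(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or self.end > when)


@dataclass
class DeprovisioningStore:
    """Point-in-time membership table: rows are ended, never deleted."""
    memberships: list = field(default_factory=list)
    last_emailed: dict = field(default_factory=dict)  # (subject, group) -> datetime
    ineligible: set = field(default_factory=lambda: {DEPROVISIONED_GROUP})

    def active(self, subject: str, when: datetime) -> list:
        return [m for m in self.memberships if m.subject == subject and m.active_at(when)]

    def is_locked_out(self, subject: str, when: datetime) -> bool:
        # the deprovisioned group doubles as an "exclude" / lockout group
        return any(m.group == DEPROVISIONED_GROUP for m in self.active(subject, when))

    def deprovision(self, subject: str, now: datetime) -> dict:
        removed, notify, skipped = [], [], []
        for m in self.active(subject, now):
            if m.group in self.ineligible:
                skipped.append(m.group)
            elif m.grouper_is_sor:
                m.end = now                      # ended, but the row stays for history
                removed.append(m.group)
            else:
                # Grouper only reflects this membership: ask the owner to unassign,
                # and throttle repeat reminders to one per day
                key = (subject, m.group)
                last = self.last_emailed.get(key)
                if last is None or now - last >= NOTIFY_INTERVAL:
                    self.last_emailed[key] = now
                    notify.append((m.owner_email, m.group))
                else:
                    skipped.append(m.group)
        # temporary lockout membership with a 2-week end date
        self.memberships.append(
            Membership(subject, DEPROVISIONED_GROUP, now, end=now + LOCKOUT_TTL))
        return {"removed": removed, "notify": notify, "skipped": skipped}

    def restore(self, subject: str, deprovisioned_at: datetime, now: datetime) -> list:
        """Undo a deprovisioning: re-add the memberships Grouper itself ended at
        that instant and end any active lockout membership."""
        restored = []
        for m in list(self.memberships):
            if m.subject == subject and m.end == deprovisioned_at and m.grouper_is_sor:
                self.memberships.append(Membership(subject, m.group, now,
                                                   owner_email=m.owner_email))
                restored.append(m.group)
            elif m.subject == subject and m.group == DEPROVISIONED_GROUP and m.active_at(now):
                m.end = now
        return restored


def sample_store(t0: datetime) -> DeprovisioningStore:
    """Constructed sample memberships for one subject (not real data)."""
    store = DeprovisioningStore()
    store.memberships += [
        Membership("jsmith", "app:wiki:editors", t0 - timedelta(days=400)),
        Membership("jsmith", "app:hr:payroll-loaded", t0 - timedelta(days=30),
                   grouper_is_sor=False, owner_email="payroll-admins@example.edu"),
        Membership("jsmith", "app:vpn:users", t0 - timedelta(days=10)),
    ]
    return store
```

Running deprovision twice within a day shows the two safeguards at work: the second call removes nothing (the memberships are already ended), skips the lockout group as ineligible, and suppresses the repeat email to the payroll owners. Because ended rows are kept, restore can re-create exactly the memberships that were removed at a given instant while leaving the loaded group, which Grouper never touched, alone.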