Versions Compared

Old Version 75

changes.mady.by.user Emily Eisbruch (internet2.edu)

Saved on

compared with

New Version Current

changes.mady.by.user chris.hyzer.3@at.internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Include Page
spaceKeyGrouper
pageTitleNavigation

Deprovisioning There are many deprovisioning features in Grouper, this feature is a manual process to deprovision an individual.

This allows allow a deprovisioning administrator to manually see someone's access and instantly remove it.

Deprovisioning setup

  • You can identify multiple affiliations (relationships) to the institution that have their own deprovisioning settings and a group of deprovisioned users.  Generally institutions start with and might only need one for their workforce.
  • Groups and folders can be pre-configured to be applicable or excluded for this deprovisioning process for each affiliation

Deprovisioning process for a user

The administrator manually initiates this process at the time of deprovisioning a user from an affiliation:

  • Search for and select a user
  • The administrator will be presented with a list of direct memberships and privileges the user has in the configured groups/folders for the affiliation being deprovisioned 
    • Checkboxes to remove the membership/privilege have defaults based on group/folder configuration of the group/folder
    • After reviewing the page, and the administrator clicks the deprovision button, the user's selected direct memberships and privileges will be removed
  • Added to the deprovisioned group for a configured amount of time. 
    • Either this is a short amount of time to let data flow through the institutions systems, or it is a long period of time if there is a worry that systems are deprovisioning users
  • While they are deprovisioned, any additions of that user to a configured group (manual or loaded) will be veto'ed
  • Loader jobs can be configured to automatically exclude deprovisioned users (since the system of record might not be accurate)

Group managers

  • Can use the Grouper

...

  • UI to see if there are users in their group who are deprovisioned

While a user is deprovisioned

  • A user is deprovisioned while they are in the deprovisioned group
  • If a group manager adds a deprovisioned user to a group where that is not allowed, the action will be veto'ed
  • Grouper will notify application administrators where Grouper is not the system of record or where manual deprovisioning is preferred.  This is a nightly notification
    • The group manager can certify that the group should have users by certifying the group on a certain date.  If there are new deprovisioned user after that date they will get notifications for them.



Info
titleBlog on Deprovisioning

Check out the October 2024 Grouper blog on deprovisioning for a helpful overview of the topic.

...