Versions Compared

Old Version 8

changes.mady.by.user Hyzer

Saved on

compared with

New Version 9

changes.mady.by.user Hyzer

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

 

 

This is a design document for deprovisioning support in Grouper.  Comments welcome.

Deprovisioning in Grouper allows a deprovisioning administrator to see someone's access and instantly remove it.  It would also help notify application administrators where grouper is not the system of record.

The Grouper UI

...

has screens for deprovisioning. 

Configuration in grouper.base.properties

Code Block
###################################
## Deprovisioning
###################################

# if deprovisioning should be enabled
deprovisioning.enable = true

# group that users who are allowed to deprovision other users are in
deprovisioning.managers.must.be.in.group = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:managersWhoCanDeprovision

# group that deprovisioned users go in (temporarily, but history will always be there)
deprovisioning.group.which.has.been.deprovisioned = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:usersWhoHaveBeenDeprovisioned

# autocreate the deprovisioning groups
deprovisioning.autocreate.groups = true

Deprovisioning managers

Identify the deprovisioning managers and add them to the "deprovisioning.managers.must.be.in.group", aka: <yourEtcPrefixHere>:deprovisioning:managersWhoCanDeprovision

Deprovisioning screens

Image Added

 

See the users who have been deprovisioned

Image Added

 

Use the menu to deprovision a user

 

Image Added

 

Search for a user to deprovision

 

Image Added

 

Search results show the right subject sources

 

Image Added

 

See the user's access, add some notes, and deprovision them

Image Added

 

 

Notes:

  1. Users of this screen would need to be in a certain group.  Grouper admins would also be allowed to use this page
    1. Note: users of this screen would effectively have a lot of access in grouper.  They can pull up any subjects and see what they have.  They can remove most things.  But they do not have to be Grouper admins.  This screen could be used by an HR person.
  2. This screen could be disabled if an institution does not want it.
  3. The screen would start with have a subject lookup for someone to be deprovisioned
  4. When submitting that combobox, all the assignments in grouper would display, as well as deprovisioned status
  5. A button "Add to deprovision group" could add Deprovision user and remove access" adds the user to a preset built-in group for people who will be deprovisioned.  
    1. This group should have has a membership expiry for a certain configured amount of time (1 month 2 weeks is the default)
    2. This group can be used in "exclude" groups or rules in grouper for lockouts
    3. Note, some institutions might already have this "lockout" group
  6. Assignments on screen will include direct memberships, privileges, permissions, and attributes(?)and attribute assignments
    1. Note, permissions are assigned on roles or memebrships in roles so those would not be shown but they would be removed
  7. The screen will have checkbox about assignments to deprovision
  8. There could be a way to see effective as well as immediate assignments, though it will default to immediate (ones you can deprovision)
  9. There will be is a "check all" and "uncheck all" button
  10. An "unassign" button will remove all those assignments
    1. All assignments could be stored temporarily in attributes so that the state could be restored (future feature if people interested)
    2. At the very least, the stuff unassigned could be logged and emailed to the user using the app so they could piece it back together.  Maybe grouper import script or GSH?Assignments are in point in time so they can be restored later or migrated to another user
  11. Groups and folders could have attributes related to deprovisioning
    1. Mark a group or folder as ineligible for deprovisioning (e.g. the lockout group)
    2. Mark If Grouper is not the system of record for a group, mark a group or folder with attributes so that emails are sent out to application owners to deprovision that user.  This would not remove the assignment in grouper because in this case grouper is not the source of the assignment but instead reflects it in another system.   The receiver of the email would need to unassign the user and that data would flow back to grouper ater the next load
      1. e.g. an attribute to say "deprovision_notify_app_owner", an attribute "deprovision_notify_app_owner_email", attribute "deprovision_notify_app_owner_email_subject", "deprovision_notify_app_owner_email_body"
      2. Attribute keep track of when last emailed so users dont get emailed more than once a day
  12. There could be a is feature in loader jobs to not load deprovisioned users (without having to adjust the query).  Of course loader jobs could be exempt from this if they need deprovisioned users inside.  The default would be to not include them
  13. There could be is an overall audit and then keep individual audits
  14. There could be is a report of deprovisioned users and assignments they still have access to so that followups can be made after a week or two to make sure everything is removed for that user that should be
  15. There could be a report of inactive users and things they are still assigned to to clean out users who left the institution long ago
  16. Set membership expire dates based on required groups (potential)
  17. Remove membership expire dates based on adding back in to required groups (potential)

...