Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 15 Next »

This is a design document for deprovisioning support in Grouper.  Comments welcome.

Deprovisioning in Grouper allows a deprovisioning administrator to see someone's access and instantly remove it.  It would also help notify application administrators where grouper is not the system of record.

The Grouper UI has screens for deprovisioning. 

Configuration in

## Deprovisioning

# if deprovisioning should be enabled
deprovisioning.enable = true

# group that users who are allowed to deprovision other users are in = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:managersWhoCanDeprovision

# group that deprovisioned users go in (temporarily, but history will always be there) = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:usersWhoHaveBeenDeprovisioned

# autocreate the deprovisioning groups
deprovisioning.autocreate.groups = true

Deprovisioning managers

Identify the deprovisioning managers and add them to the "", aka: <yourEtcPrefixHere>:deprovisioning:managersWhoCanDeprovision

Deprovisioning screens

See the users who have been deprovisioned

Use the menu to deprovision a user

Search for a user to deprovision

Search results show the right subject sources

See the user's access, add some notes, and deprovision them


The deprovisioning attribute is assignable to memberships, groups, and folders.  This is a single-assign marker attribute.  The rest are assigned on that attribute assignment.  Note: not all attributes are used for each type of owner (group/folder/membership)

Attribute nameDescription
deprovisioningMarker on group/folder/membership
deprovisioningDirectAssignmentIf the configuration is on the group, or inherited from a folder. This is required for all objects with deprovisioning configuration or objects in folders with deprovisioning
deprovisioningDeprovisiontrue|false, true to deprovision, false to not deprovision (default to true). Note, if this is set on a daemon job, then it will not deprovision any group in the loader job (they will be marked as such)
deprovisioningStemScopeone|sub, if in folder only or in folder and all subfolders (default to sub)
deprovisioningSendEmailtrue|false, default to false. Set this to true for objects where the system of record is outside of grouper or where manual removal is preferred
deprovisioningEmailAddressescomma separated email addresses to send to. If blank then send to the UPDATERS/ADMINS of the group
deprovisioningEmailSubjectcustom subject for emails, if blank use the default configured subject. Note there are template variables $$name$$ $$netId$$ $$userSubjectId$$ $$userEmailAddress$$ $$userDescription$$
deprovisioningEmailBodycustom email body for emails, if blank use the default configured body. Note there are template variables $$name$$ $$netId$$ $$userSubjectId$$ $$userEmailAddress$$ $$userDescription$$
deprovisioningNotesnotes on membership when deprovisioning


If allows adds to group of people who are deprovisioned

can be: blank, true, or false.  If blank, then will not allow adds unless auto change loader is false


  1. Users of this screen would need to be in a certain group.  Grouper admins would also be allowed to use this page
    1. Note: users of this screen would effectively have a lot of access in grouper.  They can pull up any subjects and see what they have.  They can remove most things.  But they do not have to be Grouper admins.  This screen could be used by an HR person.
  2. This screen could be disabled if an institution does not want it.
  3. The screen would have a subject lookup for someone to be deprovisioned
  4. When submitting that combobox, all the assignments in grouper would display, as well as deprovisioned status
  5. A button "Deprovision user and remove access" adds the user to a built-in group for people who will be deprovisioned.  
    1. This group has a membership expiry for a certain configured amount of time (2 weeks is the default)
    2. This group can be used in "exclude" groups or rules in grouper for lockouts
    3. Note, some institutions might already have this "lockout" group
  6. Assignments on screen will include direct memberships, privileges, and attribute assignments
    1. Note, permissions are assigned on roles or memebrships in roles so those would not be shown but they would be removed
  7. The screen will have checkbox about assignments to deprovision
  8. There could be a way to see effective as well as immediate assignments, though it will default to immediate (ones you can deprovision)
  9. There is a "check all" and "uncheck all" button
  10. An "unassign" button will remove all those assignments
    1. Also adds the user to the deprovisioning group with end date on membership of 2 weeks
    2. Assignments are in point in time so they can be restored later or migrated to another user
  11. Groups and folders have attributes related to deprovisioning
    1. Mark a group or folder as ineligible for deprovisioning (e.g. the lockout group)
    2. If Grouper is not the system of record for a group, mark a group or folder with attributes so that emails are sent out to application owners to deprovision that user.  This would not remove the assignment in grouper because in this case grouper is not the source of the assignment but instead reflects it in another system.   The receiver of the email would need to unassign the user and that data would flow back to grouper ater the next load
      1. e.g. an attribute to say "deprovision_notify_app_owner", an attribute "deprovision_notify_app_owner_email", attribute "deprovision_notify_app_owner_email_subject", "deprovision_notify_app_owner_email_body"
      2. Attribute keep track of when last emailed so users dont get emailed more than once a day
  12. There is feature in loader jobs to not load deprovisioned users (without having to adjust the query).  Of course loader jobs could be exempt from this if they need deprovisioned users inside.  The default would be to not include them
  13. There is an overall audit and then keep individual audits
  14. Daemon will send emails to application owners on users to deprovision.  Will send one email with batch of users to deprovision
  15. Screen for app owners to see who they should look at
  16. There is a report of deprovisioned users and assignments they still have access to so that followups can be made after a week or two to make sure everything is removed for that user that should be
  17. There could be a report of inactive users and things they are still assigned to to clean out users who left the institution long ago
  18. If messaging queues are configured, messages will be sent to deprovision a user
  19. If someone adds a deprovioned (for 2 weeks) user to a group or privilege or permission, then they will get a warning that the user has been deprovisioned...
  20. Application managers could run membership reports to see which users have been deprovisioned (ever), or which users are not active, not active staff, etc
  • No labels