In Grouper v2.5.25+ there is a feature that allows you to automatically populate groups with recent members of other groups. This is how grace periods are implemented. In v2.5.30+ this changed a bit and is documented below. Note the attributes changed in 2.5.30 and an upgrade task will automatically convert the old format to the new format. When you upgrade you should run the "upgrade task" daemon.
A recent-membership group is a group that contains members who used to be in a certain group a certain number of days ago. You can have multiple recent-membership groups on one group to monitor (the recentMembershipMarker attribute is assigned to the target group). If a subject is added back to the group to monitor, they will be removed from the recent-membership group. If you want to delegate the ability to assign recent-memberships (by default only admins can do this), just add privileges to the three recentMembership attribute definitions (attr read and attr update).
Note: this feature is based on any type of membership, not just immediate memberships.
If you will have a policy group that includes the eligible group and the grace period (recent-memberships) group, you might want the grace group to include the current memberships. The recent-memberships group could be the overall policy group. Then if the group is provisioned to a system, there will be no "flicker". Flicker is the brief period of time after a subject is removed from the eligible group until it is added to the recent-memberships group (could take a few minutes). If current memberships are included in the recent-memberships group, then when a subject is removed from the group to monitor they will not be removed from the recent-memberships group (until X days pass).
If you want a grace period group, and you want to know whether a subject is eligible or in grace, and you don't want flicker, then you need three groups:
- Eligible group (policy without considering grace period)
- Grace period policy group: recent-memberships including current memberships (eligible group)
- Grace period only group: composite of recent-memberships-with-eligible minus eligible
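A small model of the three-group design above, as an added example that is not Grouper code and not part of the original page: it derives the groups from constructed point-in-time membership rows and shows which policy design flickers while the recent-memberships group is stale. All names (`PIT_ROWS`, `recent_memberships`, `provisioned_view`) and the sample data are assumptions.

```python
from datetime import datetime, timedelta

# Constructed point-in-time rows for the group to monitor: (subject, start, end).
# end=None means the membership is still active. Not real Grouper data.
NOW = datetime(2024, 6, 30, 12, 0)
PIT_ROWS = [
    ("alice", datetime(2023, 1, 10), None),
    ("bob",   datetime(2023, 1, 10), datetime(2024, 6, 25)),
    ("carol", datetime(2023, 1, 10), datetime(2024, 5, 1)),
    ("dave",  datetime(2023, 1, 10), datetime(2024, 6, 26)),   # removed ...
    ("dave",  datetime(2024, 6, 28), None),                    # ... then added back
    ("erin",  datetime(2024, 6, 1),  datetime(2024, 6, 30, 11, 58)),
]

def eligible(rows, at):
    """Subjects with an active membership in the monitored group at time `at`."""
    return {s for s, start, end in rows if start <= at and (end is None or end > at)}

def recent_memberships(rows, days, include_current, at):
    """Subjects whose membership ended within `days` (may be a decimal) before `at`."""
    cutoff = at - timedelta(days=days)
    current = eligible(rows, at)
    ended = {s for s, _start, end in rows if end is not None and cutoff <= end <= at}
    recent = ended - current          # added back to the monitored group: not "recent"
    return recent | current if include_current else recent

def grace_only(rows, days, at):
    """Composite: recent-memberships-with-eligible minus eligible."""
    return recent_memberships(rows, days, True, at) - eligible(rows, at)

def provisioned_view(rows, days, include_current, last_sync, at):
    """Policy membership at `at` while the recent group is stale (as of `last_sync`)."""
    stale_recent = recent_memberships(rows, days, include_current, last_sync)
    if include_current:               # the recent group is itself the policy group
        return stale_recent
    return stale_recent | eligible(rows, at)   # policy = eligible + recent

if __name__ == "__main__":
    sync = NOW - timedelta(minutes=5)  # erin was removed after the last sync
    print("eligible:  ", sorted(eligible(PIT_ROWS, NOW)))
    print("grace only:", sorted(grace_only(PIT_ROWS, 7, NOW)))
    print("flicker:   ", sorted(provisioned_view(PIT_ROWS, 7, False, sync, NOW)))
    print("no flicker:", sorted(provisioned_view(PIT_ROWS, 7, True, sync, NOW)))
```

When reviewing access, the grace-only set is the one to audit: it lists subjects who still hold provisioned access although they are no longer eligible.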
Create a new recent-memberships group
- Create or navigate to the group which holds the recent memberships
- Click on the More Tab → Loader, and configure a recent memberships loader
- Select the "from group"
- Select the "days of recent memberships". Note, this can be a decimal
- Specify whether to include current memberships
- Wait a minute and if the change log is up to date the recent-memberships group will be created and populated
- Nightly loader job will sync things up but it should be up to date in near real time using the change log
- Note, if you remove these recent-memberships attributes, the recent-memberships group and members will still be there. You will need to delete the orphaned recent-memberships group
To disable the loader job, edit this in grouper.properties
To edit the change log consumer, edit this in grouper-loader.properties
- Configuration is stored in attributes on the "to" group
- In order to make the loader query more efficient and simpler to troubleshoot, a view consolidates the attributes into one simple place to get recent membership configuration
- This is synced to a table for performance reasons
- The grouper_time table is consulted to make this database agnostic
- A view on that table and the PIT view will show the memberships to be loaded
Script a recent membership group
Just change the first 4 params and it will do the rest