In Grouper v2.5.25+ there is a feature that allows you to automatically populate groups with recent members of other groups. This is how grace periods are implemented.
A recent-membership group is a group that contains members who used to be in a certain group a certain number of days ago. You can have multiple recent-membership groups on one group to monitor (the recentMembershipMarker attribute is multi-assign). If a subject is added back to the group to monitor, they will be removed from the recent-membership group. By default only admins can assign recent-memberships. To delegate that ability, add privileges (attr read and attr update) to the two recentMembership attribute definitions.
Note: this feature is based on effective memberships, not immediate memberships.
If you have a policy group that includes the eligible group and the grace period (recent-memberships) group, you might want the grace group to include the current memberships. The recent-memberships group could then be the overall policy group, and if the group is provisioned to a system there will be no "flicker". Flicker is the brief period of time after a subject is removed from the eligible group until it is added to the recent-memberships group (this could take a few minutes). If current memberships are included in the recent-memberships group, then when a subject is removed from the group to monitor they will not be removed from the recent-memberships group (until X days pass).
If you want a grace period group, you want to know whether a subject is eligible or in grace, and you don't want flicker, then you need three groups:
- Eligible group (policy without considering grace period)
- Grace period policy group: recent-memberships including current memberships (eligible group)
- Grace period only group: composite of recent-memberships-with-eligible minus eligible
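The three-group layout above, worked through as an added Python model (this is not Grouper code and calls no Grouper API). It assumes "recent" means the subject's effective membership ended within the last X days; the membership history, subject names and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed effective-membership history for the group to monitor:
# subject -> list of (start, end); end is None while still a member.
HISTORY = {
    "alice": [(datetime(2024, 1, 1), None)],                   # current member
    "bob":   [(datetime(2024, 1, 1), datetime(2024, 5, 25))],  # removed 7 days ago
    "carol": [(datetime(2024, 1, 1), datetime(2024, 3, 1))],   # removed 92 days ago
    "dave":  [(datetime(2024, 1, 1), datetime(2024, 5, 20)),
              (datetime(2024, 5, 30), None)],                  # removed, then re-added
}

def eligible(history, now):
    """Subjects with an open effective membership at `now`."""
    return {s for s, spans in history.items()
            if any(start <= now and (end is None or end > now)
                   for start, end in spans)}

def recent_memberships(history, now, days, include_eligible):
    """Subjects removed within the last `days` days who are not members now,
    plus current members when include_eligible is true."""
    cutoff = now - timedelta(days=days)
    current = eligible(history, now)
    recent = {s for s, spans in history.items()
              if s not in current  # re-added subjects leave the recent group
              and any(end is not None and cutoff <= end <= now
                      for _, end in spans)}
    return recent | current if include_eligible else recent

def three_groups(history, now, days):
    """Eligible, grace period policy, and grace period only groups."""
    elig = eligible(history, now)
    policy = recent_memberships(history, now, days, include_eligible=True)
    # Composite: recent-memberships-with-eligible minus eligible.
    return {"eligible": elig, "grace_policy": policy, "grace_only": policy - elig}

if __name__ == "__main__":
    for name, members in three_groups(HISTORY, datetime(2024, 6, 1), 30).items():
        print(name, sorted(members))
```

Because the policy group already contains current members, a subject removed from the eligible group never leaves the policy group during the grace window, which is what avoids flicker in a provisioned target.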
Create a new recent-memberships group
- Assign the grouperRecentMembershipsMarker attribute to a "group to monitor" (note you can do this multiple times for one group)
- Assign three attributes to that attribute assign as metadata assignments
  - grouperRecentMembershipsDays: must be a valid integer (no whitespace) which is the number of days
  - grouperRecentMembershipsGroupName: must be a fully qualified group system name (including parent folders separated by colons), make sure it is not surrounded by whitespace
  - grouperRecentMembershipsIncludeEligible: true|false if the eligible population should be included in the recent-memberships group to reduce provisioning flicker
- Wait a minute, and if the change log is up to date, the recent-memberships group will be created and populated
- Nightly loader job will sync things up but it should be up to date in near real time using the change log
- Note, if you remove these recent-memberships attributes, the recent-memberships group and members will still be there. You will need to delete the orphaned recent-memberships group
To disable the loader job, edit this in grouper.properties
To edit the change log consumer, edit this in grouper-loader.properties