
v2.6.16+ To enforce membership eligibility, you can use a composite, rules, JEXL scripted groups, or this new feature. You can link an attribute with an eligibility group so that memberships are vetoed on add, or removed later, when users are no longer eligible.

Architecture

  1. Identify coarse grained populations that manual groups could be constrained to
  2. Create an attribute def and attribute name (you can create multiple of these)
  3. Allow certain people (e.g. power users) to read and assign the attribute
  4. Configure the attribute in grouper.properties to be linked to an eligibility group (e.g. employees)
  5. Configure the veto text in the externalized text file
  6. Configure the attribute to be assignable in the group edit screen (optional)
  7. Assign the attribute to groups or folders
    1. Note that loader groups are not affected
  8. The membership hook vetoes membership adds if the user is not eligible
  9. The change log consumer removes members when they are no longer eligible
  10. The full sync daemon makes sure everything is correct
  11. When members are removed, a record is kept in the grouper_mship_req_change table

Identify coarse grained populations

Create attributes

Allow certain people (e.g. power users) to read and assign the attribute

Configure the attribute in grouper.properties to be linked to an eligibility group (e.g. employees)

groupScreenType.requireEmployee.attributeName = etc:attribute:membershipRequirement:requireEmployee
groupScreenType.requireEmployee.label = Require employee
groupScreenType.requireEmployee.description = Members of this group (or groups in folder) will be required to be employees, otherwise they will be vetoed or removed
groupScreenType.requireEmployee.index = 1


Configure the veto text in the externalized text file

Configure the attribute to be assignable in the group edit screen (optional)

Assign the attribute to groups or folders

Note that loader groups are not affected

The membership hook vetoes membership adds if the user is not eligible

The change log consumer removes members when they are no longer eligible

The full sync daemon makes sure everything is correct

When members are removed, a record is kept in the grouper_mship_req_change table
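The enforcement described in steps 7 through 11 (attribute assigned to a group or inherited from a folder, loader groups exempt, hook veto on add, full sync removal with a record of each removal), modelled as an added Python example. This is not Grouper's own code; the group names, the folder layout, and the flat ELIGIBILITY and FOLDER_ATTRIBUTES tables are constructed assumptions standing in for the real attribute framework and the eligibility group configured in grouper.properties.

```python
from dataclasses import dataclass, field

# Constructed sample data (an assumption for illustration, not Grouper's model):
# one eligibility group per configured attribute, keyed by the attribute's key
ELIGIBILITY = {"requireEmployee": {"alice", "bob"}}
# attributes assigned to a folder apply to every group under that folder
FOLDER_ATTRIBUTES = {"app:payroll": {"requireEmployee"}}

@dataclass
class Group:
    name: str                                    # e.g. "app:payroll:admins"
    members: set
    is_loader: bool = False                      # loader groups are exempt
    requires: set = field(default_factory=set)   # attributes assigned directly

def effective_requirements(group, folder_attrs=FOLDER_ATTRIBUTES):
    """Attributes on the group itself plus those on any ancestor folder."""
    reqs = set(group.requires)
    parts = group.name.split(":")
    for i in range(1, len(parts)):
        reqs |= folder_attrs.get(":".join(parts[:i]), set())
    return reqs

def is_eligible(subject, requirements, eligibility=ELIGIBILITY):
    """A subject must be in the eligibility group of every linked attribute."""
    return all(subject in eligibility[req] for req in requirements)

def veto_add(group, subject, eligibility=ELIGIBILITY):
    """Membership hook: True means the add is vetoed."""
    if group.is_loader:
        return False
    return not is_eligible(subject, effective_requirements(group), eligibility)

def full_sync(groups, eligibility=ELIGIBILITY):
    """Daemon pass: drop ineligible members, keeping a record of each removal
    (the records stand in for rows of grouper_mship_req_change)."""
    records = []
    for g in groups:
        if g.is_loader:
            continue
        reqs = effective_requirements(g)
        for subject in sorted(g.members):        # snapshot before mutating
            if not is_eligible(subject, reqs, eligibility):
                g.members.discard(subject)
                records.append({"group": g.name, "subject": subject,
                                "requirements": sorted(reqs)})
    return records
```

The change log consumer in step 9 would run the same is_eligible check for a subject's groups whenever that subject leaves the eligibility group, rather than scanning every group as full_sync does.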

TO DO

More features can be added to this:

  1. Notifications (to managers or users)
  2. Grace periods
  3. Read-only mode
  4. Exclude groups which are "exclude" type (doesn't exist yet)
  5. Exclude groups by regex
  6. Include only manual groups
  7. Constrain subject sources
  8. Remove when a membership is removed in a folder (e.g. job or title changes)
  9. Loader can restrict ineligible members