v2.6.16+ To enforce membership eligibility, you can use a composite, rules, JEXL scripted groups, or you can use this new feature. You can link an attribute with an eligibility group so that memberships will be veto-ed or removed when users are no longer eligible.
Architecture
- Identify coarse grained populations that manual groups could be constrained to
- Create an attribute def and attribute name (obviously can do multiple of these)
- Allow certain people to be able to read and assign the attribute (e.g. power users)
- Configure the attribute in grouper.properties to be linked to an eligibility group (e.g. employees)
- Configure the veto text in the externalized text file
- Configure the attribute to be assigned in the group edit screen (optional)
- Assign the attribute to groups or folders
- Note, loader groups are not affected
- Membership hook will veto membership adds if the user is not eligible
- Change log consumer will remove members when no longer eligible
- Full sync daemon will make sure everything is correct
- When members are removed a record is kept in the grouper_mship_req_change table
Identify coarse grained populations
Create attributes
Allow certain people to be able to read and assign the attribute (e.g. power users)
Configure the attribute in grouper.properties to be linked to an eligibility group (e.g. employees)
# ui key to externalize text grouper.membershipRequirement.requireEmployee.uiKey = vetoRequireEmployee # attribute name that signifies this requirement grouper.membershipRequirement.requireEmployee.attributeName = etc:attribute:membershipRequirement:requireEmployee # group name which is the population group grouper.membershipRequirement.requireEmployee.requireGroupName = ref:employee
Configure the veto text in the externalized text file
veto.membershipVeto.customComposite.vetoRequireEmployee = Only employees can be members of this group
Configure the attribute to be assigned in the group edit screen (optional)
groupScreen.attribute.requireEmployee.attributeName = etc:attribute:membershipRequirement:requireEmployee groupScreen.attribute.requireEmployee.label = Require employee groupScreen.attribute.requireEmployee.description = Members of this group (or groups in folder) will be required to be employees, otherwise they will be vetoed or removed groupScreen.attribute.requireEmployee.index = 1
Assign the attribute to groups or folders
Groups:
Folders
Membership hook will veto membership adds if the user is not eligible
Change log consumer will remove members when no longer eligible
Full sync daemon will make sure everything is correct
When members are removed a record is kept in the grouper_mship_req_change table
select gmrc.the_timestamp, gg.name as removed_from, gm.description, gg_elig.name as eligibility_group, gadn.name as attribute_name, gmrc.config_id, case when gmrc.engine = 'F' then 'fullDaemon' when gmrc.engine = 'C' then 'changeLog' else gmrc.engine end as engine from grouper_mship_req_change gmrc, grouper_members gm, grouper_groups gg, grouper_groups gg_elig, grouper_attribute_def_name gadn where gmrc.member_id = gm.id and gmrc.group_id = gg.id and gmrc.attribute_def_name_id = gadn.id and gmrc.require_group_id = gg_elig.id order by the_timestamp desc;
TO DO
More features can be added to this:
- Notifications (to managers or users)
- Grace periods
- Readonly mode
- Exclude groups which are "exclude" type (doesnt exist yet)
- Exclude groups by regex
- Include only manual groups
- Constrain subject sources
- Remove when membership remove in folder (e.g. job or title changes)
- Loader can restrict ineligible members