
v2.6.16+ To enforce membership eligibility you can use composite groups, rules, or JEXL-scripted groups, or you can use this feature: link an attribute to an eligibility group, so that memberships are vetoed at add time, or removed later, when the user is not (or is no longer) in the eligibility group.

Architecture

  1. Identify coarse-grained populations (e.g. employees, students) that manually managed groups can be constrained to
  2. Create an attribute def and attribute name (you can create several, one per population)
  3. Allow certain people (e.g. power users) to read and assign the attribute
  4. Configure the attribute in grouper.properties so it is linked to an eligibility group (e.g. employees)
  5. Configure the veto text in the externalized text file
  6. Configure the attribute to be assignable from the group edit screen (optional)
  7. Assign the attribute to groups or folders (a folder assignment applies to the groups within it)
    1. Note: loader-managed groups are not affected
  8. The membership hook vetoes membership adds if the user is not eligible
  9. The change log consumer removes members when they are no longer eligible
  10. The full sync daemon makes sure everything is correct
  11. When members are removed, a record is kept in the grouper_mship_req_change table

Identify coarse grained populations

Create attributes

Allow certain people to be able to read and assign the attribute (e.g. power users)

Configure the attribute in grouper.properties to be linked to an eligibility group (e.g. employees)

# The middle token of the property key (requireEmployee here) is the config id for this requirement;
# it is what shows up in the config_id column of grouper_mship_req_change.

# ui key used to look up the veto message in the externalized text file
grouper.membershipRequirement.requireEmployee.uiKey = vetoRequireEmployee

# attribute name that signifies this requirement (created in the previous step)
grouper.membershipRequirement.requireEmployee.attributeName = etc:attribute:membershipRequirement:requireEmployee

# group whose membership defines the eligible population
grouper.membershipRequirement.requireEmployee.requireGroupName = ref:employee


Configure the veto text in the externalized text file

veto.membershipVeto.customComposite.vetoRequireEmployee = Only employees can be members of this group



Configure the attribute to be assigned in the group edit screen (optional)

groupScreen.attribute.requireEmployee.attributeName = etc:attribute:membershipRequirement:requireEmployee
groupScreen.attribute.requireEmployee.label = Require employee
groupScreen.attribute.requireEmployee.description = Members of this group (or groups in folder) will be required to be employees, otherwise they will be vetoed or removed
groupScreen.attribute.requireEmployee.index = 1
 


Assign the attribute to groups or folders

Groups:


Folders

Membership hook will veto membership adds if the user is not eligible
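The following GSH (Groovy) script is an added example, not code from this page or from the Grouper project; it walks through steps 2, 3 and 7 above (create the attribute def and name, grant read/update to power users, assign the attribute to a group and to a folder) and then checks step 8 by trying to add an ineligible subject. The attribute def name etc:attribute:membershipRequirement:requireEmployeeDef, the power user group etc:powerUsers, the target group app:payroll:admins, the folder app:hr, and the subject contractor1 in source ldap are all assumed names; the attribute name itself matches the grouper.properties entry above. That the veto surfaces as a HookVeto exception is also an assumption to verify in your own environment.

```groovy
// Added example for GSH; assumed names are marked inline. Not Grouper project code.
import edu.internet2.middleware.grouper.*
import edu.internet2.middleware.grouper.attr.*
import edu.internet2.middleware.grouper.hooks.beans.HookVeto
import edu.internet2.middleware.grouper.privs.AttributeDefPrivilege
import edu.internet2.middleware.subject.Subject

GrouperSession grouperSession = GrouperSession.startRootSession()

// Step 2: attribute def that can be assigned to groups and folders, and the attribute name
// that grouper.membershipRequirement.requireEmployee.attributeName points at.
AttributeDef requireDef = new AttributeDefSave(grouperSession)
  .assignName("etc:attribute:membershipRequirement:requireEmployeeDef")   // assumed name
  .assignAttributeDefType(AttributeDefType.attr)
  .assignToGroup(true)
  .assignToStem(true)
  .assignCreateParentStemsIfNotExist(true)
  .save()

AttributeDefName requireEmployee = new AttributeDefNameSave(grouperSession, requireDef)
  .assignName("etc:attribute:membershipRequirement:requireEmployee")       // from grouper.properties
  .assignCreateParentStemsIfNotExist(true)
  .save()

// Step 3: only power users may read and assign the attribute (least privilege on the control itself).
Group powerUsers = GroupFinder.findByName(grouperSession, "etc:powerUsers", true)   // assumed group
requireDef.getPrivilegeDelegate().grantPriv(powerUsers.toSubject(), AttributeDefPrivilege.ATTR_READ, false)
requireDef.getPrivilegeDelegate().grantPriv(powerUsers.toSubject(), AttributeDefPrivilege.ATTR_UPDATE, false)

// Step 7: assign to one group directly, and to one folder so every group inside it inherits the requirement.
Group payrollAdmins = GroupFinder.findByName(grouperSession, "app:payroll:admins", true)   // assumed group
payrollAdmins.getAttributeDelegate().assignAttribute(requireEmployee)

Stem hrFolder = StemFinder.findByName(grouperSession, "app:hr", true)   // assumed folder
hrFolder.getAttributeDelegate().assignAttribute(requireEmployee)

// Step 8 check: a subject who is not in ref:employee must be refused by the membership hook.
Subject contractor = SubjectFinder.findByIdAndSource("contractor1", "ldap", true)   // assumed subject
try {
  payrollAdmins.addMember(contractor, false)
  println "NOT vetoed: confirm the attribute is assigned and the grouper.properties keys match"
} catch (HookVeto veto) {
  // Assumption: the hook's veto propagates as HookVeto; the message is the vetoRequireEmployee text.
  println "vetoed as expected: " + veto.getMessage()
}

GrouperSession.stopQuietly(grouperSession)
```

Run it as a Grouper system user; the final check is the quickest way to confirm that the property keys, the attribute name and the text key line up before relying on the change log consumer and full sync daemon for removals.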

Change log consumer will remove members when no longer eligible

Full sync daemon will make sure everything is correct

When members are removed a record is kept in the grouper_mship_req_change table

-- One row per member removed by the eligibility feature, newest first.
select
  gmrc.the_timestamp,
  gg.name        as removed_from,       -- group the member was removed from
  gm.description,                       -- the removed member
  gg_elig.name   as eligibility_group,  -- population group they were no longer in
  gadn.name      as attribute_name,     -- requirement attribute that triggered it
  gmrc.config_id,                       -- config id from the grouper.properties key
  case
    when gmrc.engine = 'F' then 'fullDaemon'
    when gmrc.engine = 'C' then 'changeLog'
    else gmrc.engine
  end as engine                         -- which process did the removal
from grouper_mship_req_change gmrc
  join grouper_members            gm      on gmrc.member_id = gm.id
  join grouper_groups             gg      on gmrc.group_id = gg.id
  join grouper_attribute_def_name gadn    on gmrc.attribute_def_name_id = gadn.id
  join grouper_groups             gg_elig on gmrc.require_group_id = gg_elig.id
order by
  gmrc.the_timestamp desc;


TO DO

More features can be added to this:

  1. Notifications (to managers or users)
  2. Grace periods
  3. Readonly mode
  4. Exclude groups which are "exclude" type (doesn't exist yet)
  5. Exclude groups by regex
  6. Include only manual groups
  7. Constrain subject sources
  8. Remove when membership remove in folder (e.g. job or title changes)
  9. Loader can restrict ineligible members