COmanage Registry supports validity dates in various contexts.
Each CO Person Role record may have valid from and valid through dates attached. These dates may be collected manually, via an Enrollment Flow, or via a Pipeline.
CO Person Role validity dates can be used in Expiration Policies, and are also used to set CO Person and Person Role Status. Provisioners will not see CO Person Role records with invalid dates, regardless of the role status.
As of Registry v2.0.0, Organizational Identities may have valid from and valid through dates attached. These are primarily intended for Organizational Identity Sources to convey validity information about their records (the dates can be synced to a CO Person Role record via a Pipeline), though these dates may also be collected manually.
Organizational Identities with invalid dates may not be used to login to Registry, even if a valid login identifier is otherwise attached. Provisioners will not see Organizational Identity records with invalid dates (for the limited set of Organizational Identity data that provisioners are permitted to see).
As of Registry v3.2.0, CO Group Memberships may have valid from and valid through dates attached. These may be manually populated, or synced via Organizational Identity Sources. CO Group Memberships outside of the specified validity dates will not be provisioned or usable for Registry authorization.
To manually configure validity dates for a CO Group Membership, navigate using one of these paths:
When a CO Group Member valid from or valid through date takes effect, the record must be reprovisioned for the associated changes to be propagated downstream. This is done via the Registry Job Shell. When executed, the job will reprovision any record associated with a CO Group Membership whose valid from or valid through date is within the last x minutes, where x is set via the CO Setting Group Validity Sync Window. The default value for this setting is 1440 minutes (or 1 day), and so typically it would make sense to run this task once per day, perhaps just after midnight. However, it may make sense to run this task more frequently, depending on how your deployment uses these dates.
groupvaliditytask must be configured to run periodically via cron.