Grouper attestation means marking a group or folder so that owners must review the membership list periodically. This is useful in ad hoc groups where deprovisioning is not automatic. Owners will be reminded by email to review the memberships. After reviewing the memberships, the group owner will click a button on the group indicating that it has been reviewed.
This is in the 2.3.0 API and UI patch (TODO list patch number)
You will notice a new menu item Attestation in the More actions dropdown for groups and folders as shown in the screenshots:
When you click on the Attestation menu item and neither that group/folder nor any of its parent folders has attestation attributes, you will see a screen with a link to configure attestation for that group/folder. Here is the screenshot:
Clicking on the link will take you to the screen where you can add the attestation attributes. Here is the screenshot:
Each attribute is described in detail in the Design section below.
If attestation attributes already exist for a group, or for any of the stems in its parent hierarchy, they are displayed as shown in the screenshot:
If the logged-in user is a member of the wheel group or has admin privileges on the group, they can edit the attestation attributes:
Similarly, attestation attributes for a folder can be edited if the logged-in user is a member of the wheel group or has admin privileges on the folder.
There is a cron job which runs every day (by default) and sends reminder emails to the people configured in the attestationEmailAddresses attribute. If there is no email address in that attribute, it picks up the email addresses from the subject-source email attribute of the group's admins. If no emails are found there either, the job logs an error and moves on to the next element.
The attestationDaysBeforeToRemind attribute controls how many days before the current attestation expires the reminder emails start going out.
Set these in grouper.properties:
#put the URL which will be used e.g. in emails to users. include the webappname at the end, and nothing after that.
#e.g. https://server.school.edu/grouper/
grouper.ui.url = http://localhost:8088/grouper/
#smtp server is a domain name or dns name. set to "testing" if you want to log instead of send (e.g. for testing)
mail.smtp.server = localhost
# OPTIONAL FOR ATTESTATION, WILL BE BLANK IN PROD
#this is the subject prefix of emails, which will help differentiate prod vs test vs dev etc
mail.subject.prefix = DEV:
Note: you might want to leave these at their defaults:
#########################################
## Attestation
#########################################
#default value of attestation days until recertify. Every group/folder can define their own days until recertify value and if they don't provide, use the following one.
attestation.default.daysUntilRecertify = 180
#number of groups shown in the body of attestation email
attestation.email.group.count = 100
#attestation reminder email subject
attestation.reminder.email.subject = You have $groupCount$ groups that require attestation
#attestation reminder email body (links and groups are added dynamically)
attestation.reminder.email.body = You need to attest the memberships of the following groups. Review the memberships of each group and click: More actions -> Attestation -> Members of this group have been reviewed
attestation.reminder.email.body.greaterThan100 = There are $remaining$ more groups to be attested.
At startup, the attestationDef and attestationValueDef attribute definitions will be added to the system as shown in the screenshots.
Use this method to check whether a group or folder has attestation configured, either directly or on an ancestor folder (it implements that hierarchy lookup):
groupOrFolder.getAttributeDelegate().hasAttributeOrAncestorHasAttribute()
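The following is an added illustration of the ancestor lookup that the method above performs; it is not Grouper code. It models attestation assignments as a dictionary keyed by group or stem name, walks from the object up through its parent stems, and assumes that the nearest assignment is the one that applies (the page shows inherited attributes are displayed, but not which wins when several exist; that choice is an assumption here).

```python
from __future__ import annotations


def parent_stems(name: str) -> list[str]:
    """Ancestor stems of a Grouper name, nearest first.

    'school:dept:groupA' -> ['school:dept', 'school']
    """
    parts = name.split(":")
    return [":".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]


def effective_attestation(name: str, assignments: dict[str, dict]) -> tuple[str, dict] | None:
    """Return (owner, attributes) for the nearest attestation assignment on the
    object itself or one of its ancestor stems, or None if there is none.

    `assignments` is a constructed stand-in for attestationDef assignments,
    keyed by group/stem name.  Nearest-wins is an assumption of this example.
    """
    for candidate in [name] + parent_stems(name):
        if candidate in assignments:
            return candidate, assignments[candidate]
    return None


def has_attestation(name: str, assignments: dict[str, dict]) -> bool:
    """Mirrors hasAttributeOrAncestorHasAttribute(): true if the object or any
    ancestor carries the attestation attribute."""
    return effective_attestation(name, assignments) is not None


if __name__ == "__main__":
    # Constructed sample: attestation configured on the 'school:dept' folder only.
    sample = {"school:dept": {"daysUntilRecertify": 90, "daysBeforeToRemind": 10}}
    print(has_attestation("school:dept:groupA", sample))   # inherited from folder
    print(has_attestation("school:other:groupB", sample))  # nothing in hierarchy
```

Group and stem names use Grouper's colon-separated naming, so a group inherits from every folder above it; a top-level name like "school" has no parents and is checked on its own.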
Email logic: Collect the reminders for each user (keyed by email address) and send only one email to that user. If there are more than 100 (configured in grouper.properties) attestations, show only 100 in the message but say there are 5432 others, so the email isn't too big. Also, add at the bottom of each message who else was notified, since the email will be sent directly to each person.
e.g.
school:groupA needs attestation: emails to: jsmith@school.edu, and bgreen@school.edu
school:groupB needs attestation: emails to: jsmith@school.edu, and kwilson@school.edu
send 3 emails:
FIRST EMAIL: To jsmith@school.edu
Subject: you have 2 grouper groups that require attestation.
Body:
You need to attest the memberships of the following groups:
<link to membership>
<link to membership>
SECOND EMAIL: To bgreen@school.edu
Subject: you have 1 grouper groups that require attestation.
Body:
You need to attest the memberships of the following groups:
<link to membership>
THIRD EMAIL: To kwilson@school.edu
Subject: you have 1 grouper groups that require attestation.
Body:
You need to attest the memberships of the following groups:
<link to membership>
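The example below is an added Python model of the reminder job described on this page (the daily cron job, the attestationEmailAddresses / admin-email fallback, the attestationDaysBeforeToRemind window, and the one-email-per-recipient fan-out with the 100-group cap and the "also notified" footer). It is not Grouper's own code. The property values and message texts are taken from the grouper.properties fragments above; the AttestedGroup record, the admin-email lookup, the membership link format and the nearest date fields are assumptions made for the example.

```python
from __future__ import annotations

import logging
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta

log = logging.getLogger("attestation")

# Values taken from the grouper.properties fragments on this page.
DEFAULT_DAYS_UNTIL_RECERTIFY = 180
EMAIL_GROUP_COUNT = 100
UI_URL = "http://localhost:8088/grouper/"
SUBJECT = "You have $groupCount$ groups that require attestation"
BODY_INTRO = ("You need to attest the memberships of the following groups. "
              "Review the memberships of each group and click: "
              "More actions -> Attestation -> Members of this group have been reviewed")
BODY_MORE = "There are $remaining$ more groups to be attested."


@dataclass
class AttestedGroup:
    """Constructed record of one group's attestation settings (shape is assumed)."""
    name: str
    last_certified: date                     # date the owner last clicked "reviewed" (assumed field)
    days_until_recertify: int | None = None  # per-group override of the default
    days_before_to_remind: int = 0           # attestationDaysBeforeToRemind
    email_addresses: list[str] = field(default_factory=list)  # attestationEmailAddresses
    admin_emails: list[str] = field(default_factory=list)     # admins' subject-source emails (assumed lookup)


def needs_reminder(group: AttestedGroup, today: date) -> bool:
    """True once today falls within days_before_to_remind of the recertify deadline."""
    window = group.days_until_recertify or DEFAULT_DAYS_UNTIL_RECERTIFY
    expires = group.last_certified + timedelta(days=window)
    return today >= expires - timedelta(days=group.days_before_to_remind)


def recipients_for(group: AttestedGroup) -> list[str]:
    """attestationEmailAddresses first, then the admins' emails; log an error and
    skip the group if neither yields an address.  Duplicates are removed."""
    if group.email_addresses:
        return list(dict.fromkeys(group.email_addresses))
    if group.admin_emails:
        return list(dict.fromkeys(group.admin_emails))
    log.error("no attestation email addresses or admin emails for %s; skipping", group.name)
    return []


def membership_link(group_name: str) -> str:
    """Placeholder link builder; the real UI path is not given on this page."""
    return f"{UI_URL}#group={group_name}"


def build_reminders(groups: list[AttestedGroup], today: date,
                    group_count: int = EMAIL_GROUP_COUNT) -> dict[str, dict]:
    """One message per recipient email; at most group_count groups are listed,
    the rest are summarised as a count, and co-recipients are named at the bottom."""
    per_recipient: dict[str, list[tuple[str, list[str]]]] = defaultdict(list)
    for g in groups:
        if not needs_reminder(g, today):
            continue
        recipients = recipients_for(g)
        for r in recipients:
            per_recipient[r].append((g.name, [o for o in recipients if o != r]))

    messages: dict[str, dict] = {}
    for r, items in per_recipient.items():
        lines = [BODY_INTRO, ""]
        lines += [f"{name}: {membership_link(name)}" for name, _ in items[:group_count]]
        remaining = len(items) - group_count
        if remaining > 0:
            lines += ["", BODY_MORE.replace("$remaining$", str(remaining))]
        also = sorted({o for _, others in items for o in others})
        if also:
            lines += ["", "Also notified for these groups: " + ", ".join(also)]
        messages[r] = {
            "subject": SUBJECT.replace("$groupCount$", str(len(items))),
            "body": "\n".join(lines),
            "group_count": len(items),
            "listed": min(len(items), group_count),
        }
    return messages


if __name__ == "__main__":
    # Constructed sample matching the two-group example on this page.
    today = date(2017, 6, 1)
    groups = [
        AttestedGroup("school:groupA", date(2017, 1, 1), days_before_to_remind=30,
                      email_addresses=["jsmith@school.edu", "bgreen@school.edu"]),
        AttestedGroup("school:groupB", date(2017, 1, 1), days_before_to_remind=30,
                      email_addresses=["jsmith@school.edu", "kwilson@school.edu"]),
    ]
    for to, msg in build_reminders(groups, today).items():
        print(f"To: {to}\nSubject: {msg['subject']}\n{msg['body']}\n")
```

Run as a script it produces the three emails from the example above (jsmith gets one message listing both groups; bgreen and kwilson get one group each). A group whose attributes and admins yield no address is logged and dropped rather than aborting the run, which is the behaviour the job description above calls for.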