This is a design document for deprovisioning support in Grouper.  Comments welcome.

Deprovisioning in Grouper allows a deprovisioning administrator to see someone's access and instantly remove it.  It would also help notify application administrators where grouper is not the system of record.

The Grouper UI has screens for deprovisioning. 

Configuration in grouper.base.properties

###################################
## Deprovisioning
###################################

# if deprovisioning should be enabled
deprovisioning.enable = true

# group that users who are allowed to deprovision other users are in
deprovisioning.managers.must.be.in.group = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:managersWhoCanDeprovision

# group that deprovisioned users go in (temporarily, but history will always be there)
deprovisioning.group.which.has.been.deprovisioned = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:usersWhoHaveBeenDeprovisioned

# autocreate the deprovisioning groups
deprovisioning.autocreate.groups = true

Deprovisioning managers

Identify the deprovisioning managers and add them to the "deprovisioning.managers.must.be.in.group", aka: <yourEtcPrefixHere>:deprovisioning:managersWhoCanDeprovision

Deprovisioning screens

 

See the users who have been deprovisioned

 

Use the menu to deprovision a user

 

 

Search for a user to deprovision

 

 

Search results show the right subject sources

 

 

See the user's access, add some notes, and deprovision them

 

 

Notes:

  1. Users of this screen would need to be in a certain group.  Grouper admins would also be allowed to use this page
    1. Note: users of this screen would effectively have a lot of access in grouper.  They can pull up any subjects and see what they have.  They can remove most things.  But they do not have to be Grouper admins.  This screen could be used by an HR person.
  2. This screen could be disabled if an institution does not want it.
  3. The screen would have a subject lookup for someone to be deprovisioned
  4. When submitting that combobox, all the assignments in grouper would display, as well as deprovisioned status
  5. A button "Deprovision user and remove access" adds the user to a built-in group for people who will be deprovisioned.  
    1. This group has a membership expiry for a certain configured amount of time (2 weeks is the default)
    2. This group can be used in "exclude" groups or rules in grouper for lockouts
    3. Note, some institutions might already have this "lockout" group
  6. Assignments on screen will include direct memberships, privileges, and attribute assignments
    1. Note, permissions are assigned on roles or memebrships in roles so those would not be shown but they would be removed
  7. The screen will have checkbox about assignments to deprovision
  8. There could be a way to see effective as well as immediate assignments, though it will default to immediate (ones you can deprovision)
  9. There is a "check all" and "uncheck all" button
  10. An "unassign" button will remove all those assignments
    1. Assignments are in point in time so they can be restored later or migrated to another user
  11. Groups and folders have attributes related to deprovisioning
    1. Mark a group or folder as ineligible for deprovisioning (e.g. the lockout group)
    2. If Grouper is not the system of record for a group, mark a group or folder with attributes so that emails are sent out to application owners to deprovision that user.  This would not remove the assignment in grouper because in this case grouper is not the source of the assignment but instead reflects it in another system.   The receiver of the email would need to unassign the user and that data would flow back to grouper ater the next load
      1. e.g. an attribute to say "deprovision_notify_app_owner", an attribute "deprovision_notify_app_owner_email", attribute "deprovision_notify_app_owner_email_subject", "deprovision_notify_app_owner_email_body"
      2. Attribute keep track of when last emailed so users dont get emailed more than once a day
  12. There is feature in loader jobs to not load deprovisioned users (without having to adjust the query).  Of course loader jobs could be exempt from this if they need deprovisioned users inside.  The default would be to not include them
  13. There is an overall audit and then keep individual audits
  14. There is a report of deprovisioned users and assignments they still have access to so that followups can be made after a week or two to make sure everything is removed for that user that should be
  15. There could be a report of inactive users and things they are still assigned to to clean out users who left the institution long ago