This is a design document for deprovisioning support in Grouper. Comments welcome.
Deprovisioning in Grouper allows a deprovisioning administrator to see a person's access and remove it immediately. Where Grouper is not the system of record for an application, it instead notifies that application's administrators so they can remove the access manually.
The Grouper UI has screens for deprovisioning.
The relevant settings in grouper.properties:

```properties
###################################
## Deprovisioning
###################################

# if deprovisioning should be enabled
deprovisioning.enable = true

# group that users who are allowed to deprovision other users are in
deprovisioning.managers.must.be.in.group = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:managersWhoCanDeprovision

# group that deprovisioned users go in (temporarily, but history will always be there)
deprovisioning.group.which.has.been.deprovisioned = $$grouper.rootStemForBuiltinObjects$$:deprovisioning:usersWhoHaveBeenDeprovisioned

# autocreate the deprovisioning groups
deprovisioning.autocreate.groups = true
```
Setting up and using the UI, in order:

1. Identify the deprovisioning managers and add them to the group configured as "deprovisioning.managers.must.be.in.group", i.e. <yourEtcPrefixHere>:deprovisioning:managersWhoCanDeprovision
2. See the users who have been deprovisioned
3. Use the menu to deprovision a user
4. Search for a user to deprovision
5. Search results show the right subject sources
6. See the user's access, add some notes, and deprovision them
The deprovisioning attribute is a single-assign marker attribute that can be assigned to memberships, groups, and folders. The remaining attributes below are assigned as values on that marker assignment (an attribute assignment on an assignment). Note: not every attribute applies to every owner type (group, folder, or membership).
Attribute name | Description |
---|---|
deprovisioning | Marker attribute on a group, folder, or membership; the attributes below are assigned on this marker's assignment |
deprovisioningDeprovision | true or false; true to deprovision, false to not deprovision (defaults to true). Note: if this is set to false on a loader job, none of the groups managed by that loader job are deprovisioned (they are still marked as such) |
deprovisioningStemScope | one or sub; whether a folder assignment applies to objects in that folder only (one) or in that folder and all subfolders (sub). Defaults to sub |
deprovisioningSendEmail | true or false; if true, send an email about the deprovisioning event. If the assignments were removed, the email describes the action taken; if they were not removed, it reminds the managers to unassign. Set this to true for objects where the system of record is outside of Grouper or where manual removal is preferred. If blank, defaults to false unless the assignments were not removed |
deprovisioningEmailSubject | Custom subject for emails; if blank, the default configured subject is used. The template variables $$name$$ $$netId$$ $$userSubjectId$$ $$userEmailAddress$$ $$userDescription$$ are substituted |
deprovisioningEmailBody | Custom body for emails; if blank, the default configured body is used. The same template variables $$name$$ $$netId$$ $$userSubjectId$$ $$userEmailAddress$$ $$userDescription$$ are substituted |
deprovisioningNotes | Notes recorded on the membership when deprovisioning |
deprovisioningAllowAddsWhileDeprovisioned | Whether people who are deprovisioned may be added to this group. Can be blank, true, or false. If blank, adds are not allowed unless deprovisioningAutoChangeLoader is false |
deprovisioningAutoChangeLoader | For loader jobs: whether a user being in the deprovisioned group means the user should be kept out of the loaded group. Can be blank (treated as true) or false |
deprovisioningAutoselectForRemoval | Whether the deprovisioning screen should autoselect this object for removal. Can be blank, true, or false. If blank, the object is autoselected unless deprovisioningAutoChangeLoader is false |
deprovisioningDirectAssignment | true if the deprovisioning configuration is directly assigned to this group or folder, false if it is inherited from a parent folder |
deprovisioningEmailAddresses | Comma-separated email addresses to send deprovisioning messages to. If blank, messages go to the group managers. Mutually exclusive with deprovisioningMailToGroup |
deprovisioningMailToGroup | ID of a group whose members receive the deprovisioning messages. Mutually exclusive with deprovisioningEmailAddresses |
deprovisioningShowForRemoval | Whether the deprovisioning screen should show this object if the user has an assignment on it. Can be blank, true, or false. If blank, defaults to true unless deprovisioningAutoChangeLoader is false |
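The table's blank-value defaults, folder inheritance under deprovisioningStemScope, the mutual exclusion of the two recipient attributes, and the $$var$$ email templates interact in ways that are easy to get wrong when reviewing a deployment. The following is an added example, not Grouper code and not part of this design: it models those rules in plain Python over a constructed set of marker assignments (the folder and group names, addresses and subject values are made up), so a practitioner can check what effective behaviour a given set of attribute values produces before relying on it.

```python
from typing import Dict, Optional, Tuple

# Template variables named in the table for the email subject and body.
TEMPLATE_VARS = ("name", "netId", "userSubjectId", "userEmailAddress", "userDescription")


def parse_bool(value: Optional[str], blank_default: bool) -> bool:
    """A true/false attribute value; blank takes the documented default."""
    if value is None or value.strip() == "":
        return blank_default
    if value not in ("true", "false"):
        raise ValueError(f"expected true or false, got {value!r}")
    return value == "true"


def find_assignment(owner: str, assignments: Dict[str, dict]) -> Optional[Tuple[dict, bool]]:
    """Locate the marker assignment that governs `owner` (e.g. 'app:hr:payroll:admins').

    Returns (config, directly_assigned). A config on the owner itself wins;
    otherwise walk up the folder path and honour deprovisioningStemScope:
    'one' reaches direct children only, 'sub' (the default) all descendants.
    """
    if owner in assignments:
        return assignments[owner], True
    parts = owner.split(":")
    for depth in range(len(parts) - 1, 0, -1):
        folder = ":".join(parts[:depth])
        cfg = assignments.get(folder)
        if cfg is None:
            continue
        scope = (cfg.get("deprovisioningStemScope") or "sub").strip()
        if scope not in ("one", "sub"):
            raise ValueError(f"{folder}: deprovisioningStemScope must be one or sub, got {scope!r}")
        if scope == "sub" or depth == len(parts) - 1:
            return cfg, False
        # a 'one'-scoped folder does not reach grandchildren; keep walking up
    return None


def effective_config(owner: str, assignments: Dict[str, dict],
                     assignments_removed: bool = True) -> Optional[dict]:
    """Apply the table's blank-value defaults to the config that governs `owner`."""
    found = find_assignment(owner, assignments)
    if found is None:
        return None  # no deprovisioning marker applies to this owner
    cfg, direct = found
    addresses = (cfg.get("deprovisioningEmailAddresses") or "").strip()
    mail_group = (cfg.get("deprovisioningMailToGroup") or "").strip()
    if addresses and mail_group:
        raise ValueError(f"{owner}: deprovisioningEmailAddresses and "
                         "deprovisioningMailToGroup are mutually exclusive")
    auto_change_loader = parse_bool(cfg.get("deprovisioningAutoChangeLoader"), True)
    return {
        "deprovision": parse_bool(cfg.get("deprovisioningDeprovision"), True),
        "directAssignment": direct,
        "autoChangeLoader": auto_change_loader,
        # blank: adds are refused unless auto change loader is false
        "allowAddsWhileDeprovisioned": parse_bool(
            cfg.get("deprovisioningAllowAddsWhileDeprovisioned"), not auto_change_loader),
        # blank: shown / autoselected unless auto change loader is false
        "autoselectForRemoval": parse_bool(cfg.get("deprovisioningAutoselectForRemoval"), auto_change_loader),
        "showForRemoval": parse_bool(cfg.get("deprovisioningShowForRemoval"), auto_change_loader),
        # blank: false unless the assignments were left in place for manual removal
        "sendEmail": parse_bool(cfg.get("deprovisioningSendEmail"), not assignments_removed),
        # recipients: explicit addresses, else a group's members, else the group managers
        "recipients": ([a.strip() for a in addresses.split(",")] if addresses
                       else ("group", mail_group) if mail_group else "managers"),
        "emailSubject": cfg.get("deprovisioningEmailSubject") or "",
        "emailBody": cfg.get("deprovisioningEmailBody") or "",
        "notes": cfg.get("deprovisioningNotes") or "",
    }


def render_email(effective: dict, default_subject: str, default_body: str,
                 subject: Dict[str, str]) -> Tuple[str, str]:
    """Substitute $$var$$ placeholders; a blank custom subject/body falls back to the default."""
    rendered = []
    for custom, default in ((effective["emailSubject"], default_subject),
                            (effective["emailBody"], default_body)):
        text = custom if custom.strip() else default
        for var in TEMPLATE_VARS:
            text = text.replace(f"$${var}$$", subject.get(var, ""))
        rendered.append(text)
    return rendered[0], rendered[1]


# Constructed sample: marker assignments keyed by owner (folder or group) name.
ASSIGNMENTS = {
    "app:hr": {  # folder config inherited by everything beneath it
        "deprovisioningStemScope": "sub",
        "deprovisioningSendEmail": "true",
        "deprovisioningEmailAddresses": "hr-admins@example.edu, hr-sec@example.edu",
        "deprovisioningEmailSubject": "Access removed for $$name$$",
    },
    "app:hr:loaded:staff": {  # loader-maintained group with a direct assignment
        "deprovisioningAutoChangeLoader": "false",
    },
    "app:lib": {  # folder config that reaches direct children only
        "deprovisioningStemScope": "one",
    },
}

if __name__ == "__main__":
    for owner in ("app:hr:payroll:admins", "app:hr:loaded:staff", "app:lib:staff", "app:lib:circ:staff"):
        print(owner, effective_config(owner, ASSIGNMENTS))
```

The loader-group case is the one to look at: with deprovisioningAutoChangeLoader set to false and everything else blank, the group is neither shown nor autoselected on the deprovisioning screen and adds of deprovisioned users are allowed, which is the intended behaviour for a group whose membership is owned by the loader, but it is also exactly the combination to audit if a group is unexpectedly missing from the screen.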