Grouper attestation means marking a group or folder so that owners must review the membership list periodically.  This is useful in ad hoc groups where deprovisioning is not automatic.  Owners will be reminded by email to review the memberships.  After reviewing the memberships, the group owner will click a button on the group indicating that it has been reviewed.

This is in the 2.3.0 API path #64 and UI patch #24 and in Grouper 2.4.

Note after installing the patches you should run from GSH:


Child pages:


Attest a group as reviewed

When a group needs it memberships reviewed (either initially or when the attestation period has elapsed), you can attest the group on the membership screen or on the attestation screen

On the membership screen you will see a note and a button:

If you are on the attestation screen, you will see a menu item Attestation actions → Attest group as reviewed

Attestation menu

You will notice a new menu item Attestation in the More actions dropdown for groups and folders as shown in the screenshots: 


If you are a Grouper admin or if you have UPDATE or ADMIN privileges on a group, you can edit attestation.

If you can edit attestation or if you have READ on a group, you can READ the attestation.

NOTE: you dont need privileges on the attributes that configure the attestation.

To run the daemon you need to be a Grouper admin


There is a cron job which runs everyday (by default) in the Grouper daemon and it sends reminder emails to people configured in attestationEmailAddresses attribute or if there is no email address in that attribute, it picks up the emails from subject source email property of admins for the group. If no emails are found there either, then the job logs an error and move on to the next element. Note that the job doesn't send multiple emails to the same person on the same day even if you configure the cron to run the job multiple times on the same day.

attestationDaysBeforeToRemind attribute controls how many days before the current attestation expires, we are going to start sending emails.  Or there is a default configured (default is 180 days)

Run daemon from UI: (you would only do this occasionally or for testing).  There is a menu item for grouper admins to be able to kick off the daemon

Run daemon from GSH:


Clear last reviewed date

If you want to mark a group to be reviewed again, you can "clear last reviewed date".  While on the attestation screen for a group, click "Attestation actions → Clear last reviewed date"

View folder attestation

If a group inherits its attestation settings from an ancestor folder, there is a link from the group attestation menu: Attestation actions → View folder attestation

View all attestable groups

If you are in the folder or group "Attestation actions" menu, you can "View all attestable groups".  This will go to the global view all attestable groups screen, that need attestation


Configure for first time use

Set this in

#put the URL which will be used e.g. in emails to users.  include the webappname at the end, and nothing after that.
grouper.ui.url = http://localhost:8088/grouper/

#smtp server is a domain name or dns name.  set to "testing" if you want to log instead of send (e.g. for testing)
mail.smtp.server = localhost

#this is the default email address where mail from grouper will come from
mail.from.address =

#this is the subject prefix of emails, which will help differentiate prod vs test vs dev etc
mail.subject.prefix = DEV:

Note, might want to leave these as defaults.

## Attestation

#default value of attestation days until recertify. Every group/folder can define their own days until recertify value and if they don't provide, use the following one.
attestation.default.daysUntilRecertify = 180

#number of groups shown in the body of attestation email = 100

#attestation reminder email subject = You have $objectCount$ groups that require attestation

#attestation reminder email body (links and groups are added dynamically) = You need to attest the memberships of the following groups.  Review the memberships of each group and click: More actions -> Attestation -> Members of this group have been reviewed = There are $remaining$ more groups to be attested.

Configure in (these are the defaults)

## Atttestation Job
otherJob.attestationDaemon.class =
otherJob.attestationDaemon.quartzCron = 0 0 1 * * ?


At the start up time, attestationDef and attestationValueDef attribute definitions will be added to the system as shown in the screenshots. 


Future scope