
grouper-dev - [grouper-dev] rules on groups in stem

Subject: Grouper Developers Forum

  • From: Chris Hyzer <>
  • To: "" <>
  • Cc: "" <>
  • Subject: [grouper-dev] rules on groups in stem
  • Date: Wed, 8 Sep 2010 00:30:05 -0400
  • Accept-language: en-US

Hey,

There was one requirement where if a user is not in a certain branch of the org structure, to remove them from an application group/role, or add an end-date, or not allow them to be added to a group/role.

I took that to mean, there are a bunch of folders/stems which have all the orgs, and if the subject is removed from one of those groups, and doesn’t have a membership in any others in the folder, that it means the user’s employment changed, and should lose rights.

Here is an example:

https://spaces.internet2.edu/display/GrouperWG/Grouper+rules+use+case+-+Veto+if+not+eligible+in+org#Grouperrulesusecase-Vetoifnoteligibleinorg-GSHtestcase

I think if you were to actually use this, you would have to be very careful that all groups in the org folders ONLY contain groups which mean the user is in the folder org. I.e., if you have an include/exclude relationship of groups, then you could add someone to an exclude list located in the org folder, and the rule doesn’t know, and allows the user to be added to the application role. So, I think for this use case we should assume the org list in Grouper is hierarchical using groups, and that you don’t base a rule on a folder, but instead the roll-up group, e.g. the IT_department group which would contain the members of the programmers and sysadmins. So it would look like this (veto based on membership in group):

https://spaces.internet2.edu/display/GrouperWG/Grouper+rules+use+case+-+Veto+if+not+eligible#Grouperrulesusecase-Vetoifnoteligible-GSHtestcase

I guess what I am saying is that unless someone wants to use the folder way, I would like to just nix this implementation of depending on folders and assume that implementers will have roll-up groups.

Thoughts?

Thanks,

Chris
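
The folder-versus-roll-up difference discussed in the message above, as an added example that is not part of the original post and does not use the Grouper API: a constructed Python toy model in which every group name, subject and function is hypothetical. It shows a subject who appears only on an exclude list inside the org folder passing the folder-based check, while the roll-up group check vetoes the add.

```python
# Constructed toy registry (assumption: not Grouper's data model or API).
# A group has direct members, is include-minus-exclude, or is a union of groups.
DIRECT = {
    "org:it:programmers": {"alice"},
    "org:it:sysadmins_includes": {"bob", "dave"},
    "org:it:sysadmins_excludes": {"dave", "carol"},  # carol is ONLY on an exclude list
}
COMPOSITE = {  # name -> (include group, exclude group)
    "org:it:sysadmins": ("org:it:sysadmins_includes", "org:it:sysadmins_excludes"),
}
UNION = {  # roll-up group, deliberately kept outside the org:it folder
    "org:IT_department": ["org:it:programmers", "org:it:sysadmins"],
}

def members(group):
    """Effective members of a group, resolving composites and unions."""
    if group in DIRECT:
        return set(DIRECT[group])
    if group in COMPOSITE:
        include, exclude = COMPOSITE[group]
        return members(include) - members(exclude)
    if group in UNION:
        return set().union(*(members(g) for g in UNION[group]))
    return set()

def eligible_by_folder(subject, folder):
    """Folder rule: a membership in ANY group under the folder counts."""
    names = list(DIRECT) + list(COMPOSITE) + list(UNION)
    return any(n.startswith(folder + ":") and subject in members(n) for n in names)

def eligible_by_rollup(subject, rollup):
    """Roll-up rule: only effective membership in the roll-up group counts."""
    return subject in members(rollup)

def add_to_role(role_members, subject, check):
    """Veto the add unless the eligibility check passes."""
    if not check(subject):
        return False
    role_members.add(subject)
    return True

def revoke_ineligible(role_members, check):
    """Remove role members who no longer pass the check; return who was removed."""
    removed = {s for s in role_members if not check(s)}
    role_members -= removed
    return removed
```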



