Grouper Users - Open Discussion List

[Chris Hyzer <>]

No one by default :)  People request access and we grant it or they ask for a 
rule or composite and we make it for them so they don't need access.  Our 
groups are not readonly by default

Thanks,
Chris

-----Original Message-----
From: Jeff McCullough 
[mailto:]
 
Sent: Friday, May 08, 2015 3:31 PM
To: Chris Hyzer
Cc: Steven Carmody; Grouper-Users
Subject: Re: [grouper-users] adhoc group memberships, what to do when IDM 
Roles change

Who do you allow access for reference groups like employees? Anyone or does 
one have to be part of a special group?

Jeff

> On May 8, 2015, at 8:39 AM, Chris Hyzer 
> <>
>  wrote:
> 
> We have a few options at Penn:
> 
> 1. Intersect the employee group for auto-removal
> 2. Rule on employee group for auto-removal or auto-end date in the near 
> future
> 3. Rule on org list so if removed from org due to leaving Penn or switching 
> orgs:
>       - remove from group
>       - -or- send email so someone can review
> 4. There is a deprovisioning process where one step is for a Group 
> administrator to review memberships/privs and remove all but ones that are 
> needed
> 
> I could imagine a Grouper rule like #3 above where if someone changes orgs 
> or is removed from all orgs that it determines groups which aren't exempt 
> from the process which have the person as an ad hoc member, puts an 
> end-date on membership (few days?) and emails the UPDATERS/ADMINS of the 
> group letting them know they can remove the end date if they like...
> 
> Chris
> 
> -----Original Message-----
> From: 
> 
>  
> [mailto:]
>  On Behalf Of Steven Carmody
> Sent: Friday, May 08, 2015 9:41 AM
> To: Grouper-Users
> Subject: [grouper-users] adhoc group memberships, what to do when IDM Roles 
> change
> 
> Hi,
> 
> We've delegated to Depts the authority to create and manage adhoc groups 
> to meet their local needs. We're now trying to figure what to do when a 
> "significant" change occurs in a person's relationships with Brown, and 
> their Roles. Examples could include a staff person moving to a new job 
> in a different dept, or a student becoming an alum (we now support 
> lifetime accounts for students/alumns).
> 
> We also allow people to authenticate for 18 months after separating from 
> Brown, but remove all of the privileges that we know about (except being 
> able to login to the HR/payroll system in order to obtain a W-2). "Doing 
> something" about adhoc group memberships would be part of removing 
> privileges.
> 
> Our current best thought (which isn't really very good) is to have the 
> IDM/Person Registry/Provisioning Rules "tell" a process what change has 
> occurred. That process would obtain all the adhoc groups that this 
> person is a member of, and send an email to the owners of each group and 
> the person saying that unless a certain action is taken by a certain 
> date the person will be removed from the group (default is to remove). 
> (Note -- people have a number of group memberships based on their 
> affiliation and role; as their status in the relevant Business system is 
> updated these memberships will be changed automatically; I'm only 
> worried about adhoc memberships.)
> 
> We expect that other schools are already starting to encounter this 
> problem, tho, and we're interested in hearing how other campuses are 
> approaching this situation.
> 
> thanks in advance !