
grouper-users - RE: [grouper-users] adhoc group memberships, what to do when IDM Roles change

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Jeff McCullough <>
  • Cc: Steven Carmody <>, Grouper-Users <>
  • Subject: RE: [grouper-users] adhoc group memberships, what to do when IDM Roles change
  • Date: Fri, 8 May 2015 19:58:50 +0000

No one by default :) People request access and we grant it or they ask for a
rule or composite and we make it for them so they don't need access. Our
groups are not read-only by default.


-----Original Message-----
From: Jeff McCullough

Sent: Friday, May 08, 2015 3:31 PM
To: Chris Hyzer
Cc: Steven Carmody; Grouper-Users
Subject: Re: [grouper-users] adhoc group memberships, what to do when IDM
Roles change

Who do you allow access for reference groups like employees? Anyone or does
one have to be part of a special group?


> On May 8, 2015, at 8:39 AM, Chris Hyzer <> wrote:
> We have a few options at Penn:
> 1. Intersect the employee group for auto-removal
> 2. Rule on employee group for auto-removal or auto-end date in the near
> future
> 3. Rule on org list so if removed from org due to leaving Penn or switching
> orgs:
> - remove from group
> - -or- send email so someone can review
> 4. There is a deprovisioning process where one step is for a Group
> administrator to review memberships/privs and remove all but ones that are
> needed
> I could imagine a Grouper rule like #3 above where if someone changes orgs
> or is removed from all orgs that it determines groups which aren't exempt
> from the process which have the person as an ad hoc member, puts an
> end-date on membership (few days?) and emails the UPDATERS/ADMINS of the
> group letting them know they can remove the end date if they like...
> Chris
> -----Original Message-----
> From:
> [mailto:]
> On Behalf Of Steven Carmody
> Sent: Friday, May 08, 2015 9:41 AM
> To: Grouper-Users
> Subject: [grouper-users] adhoc group memberships, what to do when IDM Roles
> change
> Hi,
> We've delegated to Depts the authority to create and manage adhoc groups
> to meet their local needs. We're now trying to figure what to do when a
> "significant" change occurs in a person's relationships with Brown, and
> their Roles. Examples could include a staff person moving to a new job
> in a different dept, or a student becoming an alum (we now support
> lifetime accounts for students/alumni).
> We also allow people to authenticate for 18 months after separating from
> Brown, but remove all of the privileges that we know about (except being
> able to login to the HR/payroll system in order to obtain a W-2). "Doing
> something" about adhoc group memberships would be part of removing
> privileges.
> Our current best thought (which isn't really very good) is to have the
> IDM/Person Registry/Provisioning Rules "tell" a process what change has
> occurred. That process would obtain all the adhoc groups that this
> person is a member of, and send an email to the owners of each group and
> the person saying that unless a certain action is taken by a certain
> date the person will be removed from the group (default is to remove).
> (Note -- people have a number of group memberships based on their
> affiliation and role; as their status in the relevant Business system is
> updated these memberships will be changed automatically; I'm only
> worried about adhoc memberships.)
> We expect that other schools are already starting to encounter this
> problem, tho, and we're interested in hearing how other campuses are
> approaching this situation.
> thanks in advance !
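
The end-date-and-notify process discussed in this thread, modelled as an added example that is not part of the original messages and does not use the Grouper API. The `Group` structure, the function names and the 3-day grace period are assumptions (the thread only says "few days?"); notices go to both the group's admins and the person, combining the two proposals.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

GRACE_DAYS = 3  # assumption: the thread only suggests "few days?"

@dataclass
class Group:  # hypothetical in-memory model, not a Grouper object
    name: str
    admins: list          # UPDATERS/ADMINS who receive the notice
    adhoc: bool = True    # False for reference groups maintained by the IDM
    exempt: bool = False  # group opted out of the review process
    members: dict = field(default_factory=dict)  # subject -> end date or None

def on_role_change(subject, groups, today, grace_days=GRACE_DAYS):
    """End-date each non-exempt ad hoc membership; return the notices to send."""
    end = today + timedelta(days=grace_days)
    notices = []
    for g in groups:
        if not g.adhoc or g.exempt or subject not in g.members:
            continue
        current = g.members[subject]
        if current is not None and current <= end:
            continue  # already expiring sooner: never extend access
        g.members[subject] = end
        for rcpt in sorted(set(g.admins) | {subject}):
            notices.append((rcpt, g.name, end))
    return notices

def keep(group, subject):
    """A group admin clears the end date to retain the member."""
    group.members[subject] = None

def expire(groups, today):
    """Default action: drop memberships whose end date has been reached."""
    removed = []
    for g in groups:
        for subject, end in list(g.members.items()):
            if end is not None and end <= today:
                del g.members[subject]
                removed.append((g.name, subject))
    return removed

if __name__ == "__main__":
    # Constructed sample data: one ad hoc group and one reference group.
    gs = [Group("dept:project-a", ["alice"], members={"bob": None}),
          Group("ref:employees", ["idm"], adhoc=False, members={"bob": None})]
    for notice in on_role_change("bob", gs, date(2015, 5, 8)):
        print(notice)
    print(expire(gs, date(2015, 5, 11)))
```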
