
grouper-users - Re: [grouper-users] adhoc group memberships, what to do when IDM Roles change

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] adhoc group memberships, what to do when IDM Roles change

  • From: Julio Polo <>
  • To: Steven Carmody <>
  • Cc: David Langenberg <>, Chris Hyzer <>, Grouper-Users <>
  • Subject: Re: [grouper-users] adhoc group memberships, what to do when IDM Roles change
  • Date: Fri, 8 May 2015 11:00:20 -1000

Are you willing to automatically delete a person from all ad hoc groups once that person changes jobs or leaves altogether?  Do you need a way for the ad hoc group admin to undo that deletion?  I assume you need the latter, so it sounds like you need every ad hoc group to be a composite that includes a quarantine factor group:

ad hoc group composite = (manual inclusions factor group) complement (quarantine factor group)

When a person changes jobs or leaves altogether, your IDM would detect that event, then add that person to the quarantine factor group of every ad hoc group.  The group admin doesn't do anything unless the person needs to continue having access, at which time the admin would remove the person from the quarantine factor group.


On Fri, May 8, 2015 at 10:19 AM, Steven Carmody <> wrote:
We have LOTS of groups of the type that you describe, and we use the processes you describe to address the problem I'm worried about. We currently have > 1M groups in Grouper.

But, since we've now given 200+ depts the authority to create and manage adhoc groups, we have a harder problem to address. The adhoc groups are typically Project teams (drawing people from several depts) or research team groups (often including undergraduates -- that's part of the Brown culture; and often including external users -- a different and also very hard problem). Unfortunately, these are truly adhoc groups.

I suspect the problem will only get worse when, in a couple of years, we allow everyone to create their own personal adhoc groups.

On 5/8/15 4:09 PM, Julio Polo wrote:
Are your groups really ad hoc or are they usually well-defined groups such as "employees of the office of information technology" with some exceptions?   This all hinges on your having something that automatically keeps these well-defined groups in sync.  For example, we have a group store where we offer app developers groups based on roles (faculty, staff, student), department, campus, system of record.  The groups in the group store are automatically updated as our IDM system gets data from the systems of record.

In this scenario, you would create a composite group:  ("employees of IT department" from the group store UNION "a group for manual inclusions") COMPLEMENT "a group for manual exclusions".  If a person leaves that IT department, he or she is no longer a member of the composite group, and therefore no longer has access to whatever is controlled by that composite group.  The tricky part is setting rules for dealing with the manual inclusions/exclusions.

