
grouper-users - Re: [grouper-users] deprovisioning with a grace period

Subject: Grouper Users - Open Discussion List

  • From: David B Langenberg <>
  • To: "Lomax, Erica" <>, "" <>
  • Subject: Re: [grouper-users] deprovisioning with a grace period
  • Date: Thu, 25 May 2017 18:30:45 +0000

Hi Erica,

We do exactly what you’re looking to do. The way we accomplish it is to not
touch the eligibility factors for Box (or any service for that matter) until
lock day. So, our finite-state-machine that handles closure and all the
associated warnings waits until closure day before pulling (in our case) the
eduPersonAffiliation, which causes all the Grouper magic to revoke access.
The FSM then also issues the Box API calls to delete the account or spin it
to a private account (in the case of alumni).


David Langenberg
Asst Director, Identity Management
The University of Chicago

On 5/25/17, 1:17 PM, on behalf of "Lomax, Erica":

We currently are working on how to deprovision users from Box. Unlike
services where we just cut off access when eligibility ends, we want to allow
a grace period to allow users to retrieve content. During that grace period,
we want to send warnings about the loss of access on a specified schedule
(30d, 14d, etc). After the grace period, the account would remain in Box in
a deactivated state for 90d prior to deletion.

At a high level, our group for Box eligibility rolls up as follows:
(Employee eligibility calculation group + Student eligibility calculation
group + Associate eligibility calculation group + ad hoc adds group) -
excludes group. We automatically provision employee accounts in Box via API;
students and associates and ad hocs provision on demand via SAML. On loss of
all eligibility, you may or may not have a Box account.

Trying to drive this deprovisioning logic out of Grouper is proving
very challenging, but maybe we're overcomplicating it. Before we make our
final plans, can anyone offer advice on how they've solved similar issues or
have solutions we could review?

Erica Lomax
Director, Identity & Infrastructure
Information Services | Oregon State University | 541-737-3619
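
The lifecycle discussed in this thread (scheduled warnings during a grace period, revocation on lock day by pulling the affiliation, 90 days deactivated, then deletion), written as a state machine. This is an added example, not code from either poster or from Grouper; the 30-day grace length and every action label (`pull_affiliation`, `deactivate_box`, and so on) are assumptions, and no real Box or Grouper API is called.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional

GRACE_DAYS = 30          # assumption: the thread does not give the grace length
WARN_DAYS = (30, 14)     # days before lock day, per the schedule in the thread
RETAIN_DAYS = 90         # deactivated for 90d before deletion, per the thread

class State(Enum):
    ACTIVE, GRACE, DEACTIVATED, DELETED = range(4)

@dataclass
class Account:
    uid: str
    state: State = State.ACTIVE
    lost_on: Optional[date] = None     # day the source of record dropped the person
    locked_on: Optional[date] = None   # day access was actually revoked
    warned: set = field(default_factory=set)

def step(acct: Account, eligible: bool, today: date) -> list:
    """Advance one account and return action labels (hypothetical names).
    Safe to re-run on the same day and after missed runs."""
    if eligible:   # eligibility came back: undo whatever has been done so far
        undo = {State.GRACE: ["cancel_closure"],
                State.DEACTIVATED: ["restore_affiliation", "reactivate_box"]}
        actions = undo.get(acct.state, [])
        if acct.state is not State.DELETED:
            acct.state, acct.lost_on, acct.locked_on = State.ACTIVE, None, None
            acct.warned = set()
        return actions
    actions = []
    if acct.state is State.ACTIVE:     # first run after loss starts the clock
        acct.state, acct.lost_on = State.GRACE, today
    if acct.state is State.GRACE:
        days_left = (acct.lost_on + timedelta(days=GRACE_DAYS) - today).days
        if days_left > 0:              # affiliation stays untouched until lock day
            due = [d for d in WARN_DAYS if days_left <= d and d not in acct.warned]
            if due:
                acct.warned.update(due)
                actions.append(f"warn_{min(due)}d")
            return actions
        acct.state, acct.locked_on = State.DEACTIVATED, today
        return ["pull_affiliation", "deactivate_box"]
    if acct.state is State.DEACTIVATED and \
            today >= acct.locked_on + timedelta(days=RETAIN_DAYS):
        acct.state = State.DELETED
        actions.append("delete_box")
    return actions
```

The retention clock starts from `locked_on`, the day access was really revoked, so a job that runs late never shortens the 90 days an account spends deactivated before deletion.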
