grouper-users - Re: [grouper-users] deprovisioning with a grace period
Subject: Grouper Users - Open Discussion List
List archive
- From: David B Langenberg <>
- To: "Lomax, Erica" <>, "" <>
- Subject: Re: [grouper-users] deprovisioning with a grace period
- Date: Thu, 25 May 2017 18:30:45 +0000
- Accept-language: en-US
- Authentication-results: oregonstate.edu; dkim=none (message not signed) header.d=none;oregonstate.edu; dmarc=none action=none header.from=uchicago.edu;
- Ironport-phdr: 9a23:o4+tmxTQv6HM2GRkPRAZuRl6Xtpsv+yvbD5Q0YIujvd0So/mwa6zZxeN2/xhgRfzUJnB7Loc0qyN4v+mAjBLvc7JmUtBWaQEbwUCh8QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYdFRrlKAV6OPn+FJLMgMSrzeCy/IDYbxlViDanb75/KBe7oR/fu8QZjodvJbo9wQbVr3VVfOhb2XlmLk+JkRbm4cew8p9j8yBOtP8k6sVNT6b0cbkmQLJBFDgpPHw768PttRnYUAuA/WAcXXkMkhpJGAfK8hf3VYrsvyTgt+p93C6aPdDqTb0xRD+v4btnRAPuhSwaLDMy7n3ZhdJsg6JauBKhpgJww4jIYIGOKfFyerrRcc4GSWZdW8pcUTFKDIGhYIsVF+cPPfhWoZThp1UArhWxCwisC//gxTJTiX/6wag63v49HQzc3gEtGc8FvnTOrNXyMacfSe67w7PWzTXCcvxdxCrw45XOfB87p/GMUqx/cczKxkYxDQPFgUibpIv4MDyPyOQCrWyb4vF9Ve2zi24nqh1+rSKgxscrkIXGmJ8ayk3d+Ch/3Y07JsW4RVZmbdK4H5ZcrS6XOolsTs4tX21koiI3x78etZKmYiQHy44rywPRZvGHaYSF5hbuWPyMLTtmi39ofq+0iQyo/ki60OL8U9G50FZUoSpBldnBrmgD2gDU5MSbRPZx51ms1y+S2wzK7eFLOl47mbDcK5483r4/jZ0TsVnFHiDrgkn2lLWWdkI4+ue29+vnfrTmppiaN4NujQH+L7gumsi4AeQ/MQgCRXSU+eO51LH7/E35RqtFjuEun6XErJzXKt4Xq6G7DgNP3Ysv9wyzAjOk3dgAmHkINlNFeBaJj4jzPFHOJej1AuqljFSyjjhrw+vLPqD9DZXNL3jMjK3ufbl660JG1gU80M1f64pOCr4dOPLzRlPxtNvAAx82KQy0xPvnCM1j2YMEQG6PH7SZP73IsV+T/e8vJ+iMZJQJuDbmNfQp/f/ujXklmVADZ6mp24UYaGymEvh8PUqWfGfs0Z89FjJAmg07RfyuwHCYUDVaLT7mcrg97Th9LIWjBJfrQZqgj7uHxzuyApAQa2xbXBTEW3jycJicVu1JdTmfONRJkzoYWKKnRpN7kxyiqUWyn7V9KffM9zddqInuzsNd5uvPmAs0+CAuScmRzjfeYXtzmzYkTiE30OhV6Wh0zFiO16J1mfMQQdBa+f5NehoxNZ/XxuN9Td3+R1SSLZ+yVF+6T4D+UnkKRdUrzopLOh4lFg==
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Hi Erica,
We do exactly what you’re looking to do. The way we accomplish it is to not
touch the eligibility factors for Box (or any service for that matter) until
lock day. So, our finite-state-machine that handles closure and all the
associated warnings waits until closure day before pulling (in our case) the
eduPersonAffiliation which causes all the grouper magic to revoke access.
The FSM then also issues the box API calls to delete the account or spin it
to a private account (in the case of alumni).
Dave
--
David Langenberg
Asst Director, Identity Management
The University of Chicago
On 5/25/17, 1:17 PM,
"
on behalf of Lomax, Erica"
<
on behalf of
>
wrote:
We currently are working on how to deprovision users from Box. Unlike
services where we just cut off access when eligibility ends, we want to allow
a grace period to allow users to retrieve content. During that grace period,
we want to send warnings about the loss of access on a specified schedule
(30d, 14d, etc). After the grace period, the account would remain in Box in
a deactivated state for 90d prior to deletion.
At a high level, our group for Box eligibility rolls up as follows:
(Employee eligibility calculation group + Student eligibility calculation
group + Associate eligibility calculation group + ad hoc adds group) -
excludes group. We automatically provision employee accounts in Box via API,
students and associates and ad hocs provision on demand via SAML. On loss of
all eligibility, you may or may not have a Box account.
Trying to drive this deprovisioning logic out of Grouper is proving a
very challenging, but maybe we're over complicating it. Before we make our
final plans, can anyone offer advice on how they've solved similar issues or
have solutions we could review?
Thanks!
Erica Lomax
Director, Identity & Infrastructure
Information Services | Oregon State University | 541-737-3619
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
- [grouper-users] deprovisioning with a grace period, Lomax, Erica, 05/25/2017
- <Possible follow-up(s)>
- Re: [grouper-users] deprovisioning with a grace period, David B Langenberg, 05/25/2017
Archive powered by MHonArc 2.6.19.