Grouper Users - Open Discussion List

[Greg Haverkamp <>]

Thanks, Chris.  I think the more rules examples, the better.  :)

I just managed to muddle through the rules setup enough last week to get our first rules in place.  (8 hours on the train from Boston to Washington, D.C. had some benefits.)  I had been planning to solve a problem with the Loader (hence GRP-2027), but I ended up implementing using Rules.  We (now) give users a week's grace period after they activate their accounts before they're required to enroll in MFA.  Prior to this, we had a chicken-and-egg problem: a user couldn't login to set up MFA, because logging in required MFA.  Now, any time a user is added to our group of activated accounts, we have a rule that automatically puts them into the 7-day MFA bypass group.  We have another rule on the MFA bypass group that, on membership add, puts a 7-day expiration on their membership.  (And then there's a complement composite that removes them from the bypass group as soon as they have a token registered.)

I was all set to write some code, either to implement GRP-2027 or to do some filtering in the Loader, but finally figuring out how Rules worked prevented that.  So that was a big win.

Greg

On Thu, Jul 18, 2019 at 12:57 PM Hyzer, Chris <> wrote:

We did an example for this at the last training session in Madison.

 

This was not documented on the rule wiki, now it is.

 

An example at Penn is a reprieve group for a training requirement (so someone who misses a yearly training isn’t locked out while they do the training and the data flows through the systems back to the grouper loader certifying they have done it).  If someone gets a reprieve, then automatically put an end date on that membership in a week.

 

https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Disabled-date+activation+when+added+to+same+group

 

This GSH script will apply the rule and test that it works.

 

Thanks

Chris