Identity and Access Management
Membership Requirement Request
Last modified 4/18/2024
This is a process to implement membership requirements that can be applied to a group or folder.
What are membership requirements?
Membership requirements are a form of automated group curation. An eligibility group is created, and membership in that group is what allows a user to also be a member of a secondary group. If the user is not in the eligibility group, the user cannot be added to the secondary group. When the user is removed from the eligibility group, they are also removed from the secondary (target) group.
User is a member of the eligibility group → Can be added to the secondary group
User is no longer a member of the eligibility group → User is removed from the secondary group and cannot be re-added
User is not a member of the eligibility group → User cannot be added to the secondary group
What does implementation look like?
When a ticket is submitted that details an eligibility group, check box options are added to the create/edit group and create/edit folder pages for designating the eligibility requirements of the users in the secondary group (as pictured below). Checking the box for "require active employee" requires that every member of the group (or folder) be an active employee as defined in the eligibility group.
Working example:
It is a requirement that all members of a VPN group be active employees. An eligibility group is created that contains all types of employees. Grouper administrators create the rule and grant users permission to use it. Those users then add people to the secondary group as normal. If the person being added is eligible, they can be added. If they are not, they cannot be added. If a person is already in the group and their eligibility changes, they are removed from the group automatically.
Notes:
In the above picture, if both boxes are checked, only student employees can be added to the group, because full-time employees are not active student employees and will not be allowed.
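The behaviour described in the working example and in the note above can be modelled in a few lines. This is an added illustration, not Grouper code or configuration: the class and function names, the sample users, and the second check box label ("require active student employee") are assumptions made for the example.

```python
class MembershipRequirementError(Exception):
    """A subject fails at least one requirement of the secondary group."""


class SecondaryGroup:
    def __init__(self, name, requirements):
        # requirements: check box label -> eligibility group (a live set of subjects)
        self.name = name
        self.requirements = requirements
        self.members = set()

    def unmet(self, subject):
        """Labels of the requirements this subject does not satisfy."""
        return sorted(label for label, eligible in self.requirements.items()
                      if subject not in eligible)

    def add(self, subject):
        failed = self.unmet(subject)
        if failed:
            raise MembershipRequirementError(f"{subject}: not in {failed}")
        self.members.add(subject)

    def enforce(self):
        """Drop members who lost eligibility; return them for the audit trail."""
        removed = sorted(m for m in self.members if self.unmet(m))
        self.members.difference_update(removed)
        return removed


def can_add(group, subject):
    try:
        group.add(subject)
        return True
    except MembershipRequirementError:
        return False


def demo():
    # Constructed sample data: alice and bob are full-time, carol is a student employee.
    employees = {"alice", "bob", "carol"}
    student_employees = {"carol"}
    vpn = SecondaryGroup("vpn", {"require active employee": employees})
    results = {"added": [can_add(vpn, s) for s in ("alice", "carol", "mallory")]}
    employees.discard("alice")                 # alice's eligibility changes
    results["removed"] = vpn.enforce()         # automatic removal from the secondary group
    results["readd"] = can_add(vpn, "alice")   # re-adding is refused
    both = SecondaryGroup("lab", {"require active employee": employees,
                                  "require active student employee": student_employees})
    results["both_boxes"] = {s: can_add(both, s) for s in ("bob", "carol")}
    return results
```

The list returned by `enforce()` is the set of automatic removals, which is the record a reviewer would want logged whenever eligibility data changes.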