Sent: Friday, October 20, 2017 2:58 PM
Subject: [grouper-dev] Bad Membership Finder Utility .... Was: ( [grouper-users] Composite group problems)
I suspect that this condition is barely understood about the inner workings of the system by most deployers and/or users.
Giving the AM (Access Management) team control over the promptness of the “fully effective by” window would be a very powerful tool/control that Grouper could assert. (Or at least knowledge of when the changes are fully verified/effective in Grouper.)
In the current non-blocking model, with an attempt to not “thrash the system” and make every save take minutes, I could see the idea of stacking up a queue (change log consumer?) to process these checks/corrections in a timely (a few minutes, < 2? < 5?) manner.
But maybe that “acceptable delay” should be a property of the composite and/or the groups that are involved?
I could imagine some cases where you always want:
1) Change in “this special group” to be 100% completed “NOW”. (Global Exclude groups, or just “important” Exclude groups, etc… And maybe even in some “include groups” too.)
2) While other groups may be OK to be “loosely consistent”. (“Provision that group in the next hour and no harm done.”) Especially when in the context of Access Control Policies and/or Provisioning/Deprovisioning. So maybe membership changes also need to force (queue/call) Prov/DeProv processes too?