Minor Description
Attestation is a great start. However, I am seeing a need to be able to report on attestation, and to be able to do attestation on another significant part of the Grouper system. ( group math )
General goal is to have all memberships of a group to be attested.
However since the memberships (and parts of the group math) may be controlled by others, the map of who needs to attest can get complicated and hard to configure on a "group by group" basis.
What I propose is a new feature that would allow a user to configure an "attestation coverage report" for a "primary" group. Such that two distinct things would be reviewed and attested.
However since some of the memberships maybe the result of "group math" those groups in the math may not need attested directly by the managers of the "primary group". Rather the "reference groups" and "system of record" groups that feed into the "group math" need to have their memberships attested buy their own managers.
And
The group math itself needs to be attested by those who manage the "primary group" (or maybe someone else.)
I picture a "visualization report" that shows the visualization of the group. Hopefully also including an "algebraic form of the group math" as well. And including the last attestation dates from the groups in the visualization. That would need to be attested by the attestor(s) of the "primary group".
I think the challenge would likely be due to the possibility that some of the group may may not be visible to the "primary group". ( deny groups, for example )
Due to the complexity of configuring this and the possible privilege driven limits this kind of an "audit function" should be built into Grouper for users to "turn on/off" and "lightly configure" to meet their needs.
And using the group type values and/or privileges to help drive this logic seems to be the right way to guide the function/separation of the boundaries for recursive lines of attestation in the group math.