Grouper: About Attestation

Manually managed (ad-hoc) groups in Grouper can be configured to require periodic membership review. This process is called Attestation. Attestation is useful in ad-hoc groups where deprovisioning is not automatic and is helpful in reducing risk to the University of Minnesota by making sure the right users have access to data, systems, or applications.

The users responsible for a Grouper group's Attestation will be reminded by email to review the memberships and certify the access. They will also get an alert when viewing the group in the Grouper UI. After reviewing the memberships, the responsible party will click a button on the group indicating that the group's membership has been reviewed.

When an application is onboarded, Security Groups are created containing the managing members of that application. While the main task of those Security Groups is manually managing members in reference groups and in the security group itself, they are also responsible for this attestation process. When a security group has update or greater privilege on a manually managed ad-hoc group, its members will be notified of attestation for that group.

While Attestation configurations are enforced for certain security levels of applications, the Attestation process in Grouper is informational only: it will not disable or remove any group memberships at this time.

All Attestation actions are logged, and any group owner can view the audit logs.

This is an example of what an Attestation email looks like:

[Image: an example email from the Grouper application with links to the groups that need attestation.]

There is more information about attestation on the Grouper Wiki page Grouper Attestation.
TDX ID: 5930