Grouper - Create Include/Exclude Composite Groups

From the web user interface, create the group as you would normally would following the recommendations for naming the group with the appropriate department or service prefix.

Only empty groups can be made Include/Exclude Composite groups. So, before adding any members to the group, open the More actions drop-down menu and select Attribute Assignments.

In the group's Attribute Assignments page, click on + Assign attributes.

Type include in the Attribute name text box and then select etc:legacy:attribute:legacyGroupType_addIncludeExclude from the drop-down menu options.

With etc:legacy:attribute:legacyGroupType_addIncludeExclude as the only option in the Attribute name text box, click Save.

Verify that the attribute assignment iis as follows:

• Assignment type: Direct assignment
• Attribute name: legacyGroupType_addIncludeExclude
• Enabled?: enabled
• Assignment values: leave blank
• Attribute definition: legacyGroupTypeDef_addIncludeExclude

Browsing back to the folder where the group is located, there should now be intermediate groups that make up the overall group. Please note that membership updates in Include/Exclude-type composite groups CAN NOT be done to the overall group directly. Instead, membership updates should be done to the "includes", "excludes", or "system of record" intermediate groups. The overall group membership consists of members in the "system of record" PLUS "includes" groups MINUS the "excludes" group members.