A common issue in large-scale Archer environments is the need to ensure that all users are assigned to appropriate groups. LDAP synchronization is one way to solve this, but if you don't have an LDAP server which reflects the group assignments you need, your only other option is to manually edit the groups and/or users individually through the Access Control administration UI.
The CHUM (CastleHill User Management) Tool implements a basic solution to this problem. It leverages the core "Contacts" application, with the addition of two new User/Groups List fields. These fields allow rules to be defined for each Archer user in Contacts, one of which indicates groups that the user should be a member of, and the other specifying groups that the user should not be a member of.
When the CHUM Tool executes, it will iterate through all Contacts records and assert that the group membership follows those rules. For each record's "RSA Archer User Account" user, if the user is not currently in any of the groups listed in the "Include in Groups" field, the user will be added to those groups. Likewise, if the user is found to be in any of the groups listed in the "Exclude from Groups" field, the user will be removed from those groups. Any groups that the user was already a member of but which were not found in either field will be unaffected.
In order to use the app, the two new User/Groups List fields will need to be added to the "Contacts" application. They should be:
simple User/Groups List fields (not Record Permissions)
given the names "Include in Groups" and "Exclude from Groups", respectively (if you elect to use different names, make sure you change them in the code where they are referenced below as well)
configured to allow multiple selections (i.e. not "Dropdown" or "Radio Buttons") with no maximum selection
configured via "Field Population" to allow only groups ("All Groups") to be selected (user selections are not applicable for these fields)
added to the layout
After making this change, you may edit a Contacts record for a given user, populate the two new fields with groups you'd like to see added and/or removed for that user, then run the CHUM Tool. The group membership rules you have defined will then be asserted for the user.
This represents a very simple solution to the group management problem, as it depends on nothing more than the addition of two new fields to the existing core Contacts application. For a more robust solution involving workflow, manager approval, and activity logging, see the User Access Processor demo.