As someone who cares about legal issues, I want a newly registered user to not be able to join groups until after signing the CLA, so that legal compliance is achieved.

[puiterwijk]

This is something that we may be able to enforce on the FreeIPA side? @tiran can maybe tell us whether that's feasible (depending on how FPCA is stored probably)?

[tiran]

It might be possible to archive this with a pre-callback on the group_add_member plugin. This would enforce the restriction on the IPA API layer.

[ryanlerch]

After this was initially filed, this feature has been expanded out a little, as we now need to support more and one "agreement". And a user may have an account, and not have signed any of the agreements.

So on the freeipa-fas side, we need the following (i think):

• a new user attribute, which is a list of the User Agreements a user has signed.
• a new group attribute, which is a list of the User Agreements a user must have signed before they can join the group. (Pretty sure if there is more than one here, the user must be a member of Agreement 1 AND Agreement 2, etc.)
• enforcing the restriction on the add_member call.

[tiran]

Also see https://github.com/fedora-infra/freeipa-fas/pull/105#issuecomment-639424507