Grouper Web Services


Get permission assignments. These permissions can be on roles or subjects (note: a permission assigned directly to a subject is still in the context of a role).

You can look up permissions by attribute definition, attribute definition name, role name or uuid, or subject. You can filter by action. Note you must pass in at least one of an attribute definition, attribute definition name, role, or subject, and you can mix and match.

All returned permission assignments are filtered for security based on the logged-in or acted-as user (the security rules are on the attribute framework wiki).

The returned data will include the permission assignments and a normalized list of references (roles, attribute definitions, attribute names (if requested with includeAttributeDefNames=T), subjects, etc.).

You can look up assignments by multiple owners, definitions, subjects, actions, etc. (non-lite operation only).

If you want to return details on the assignment (e.g. the depth of each hierarchy etc), pass in the param: includePermissionAssignDetail=T

If you want to return the underlying attribute assignment objects, pass in the param: includeAttributeAssignments=T

If there are limits or other metadata on the permission, pass in includeAttributeAssignments=T and includeAssignmentsOnAssignments=T to read them. Note that these attribute assignments on assignments are only those on the immediate assignment, not effective ones.


  • Can filter the list of permission assignments based on action, active, etc.
  • Look up the owner or other objects by object lookup (by id, name, etc.)
  • Returns role / subject information etc, can be detailed or not
  • Can actAs another user
  • For 2.0+, you can pass in pointInTimeFrom and pointInTimeTo to check permissions at a certain point in time in the past, or in a date range. This should be formatted: yyyy/MM/dd HH:mm:ss.SSS

Get permission assignments lite service

  • Accepts one role, or one subject, or attribute definition, or attribute definition name to get permission assignments for.   You can mix and match, but at least one must be passed in (e.g. you can query for a subject's permissions in a role)
  • Documentation: SOAP (click on getPermissionAssignmentsLite), REST (click on getPermissionAssignmentsLite)
  • For REST, the request can put data in query string (in URL or request body)
  • REST request (colon is escaped to %3A):
    • GET /grouper-ws/servicesRest/v1_6_000/permissionAssignments
    • Note: if passing data in request body e.g. actAs, use a POST
  • (see documentation above for details): Request object, response object
  • Response codes
  • Samples (all files with "Lite" in them, click on "download" to see file)
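
As an added example (not part of the Grouper documentation or code base), this Python helper builds the lite REST request described above: it enforces the at-least-one-criterion rule, formats pointInTime values, escapes colons to %3A, and switches to a POST body when acting as another subject. The parameter names roleName, wsSubjectId, wsAttributeDefName, wsAttributeDefNameName, action and actAsSubjectId are assumptions to confirm against the request object documentation.

```python
from datetime import datetime
from urllib.parse import quote, urlencode

ENDPOINT = "/grouper-ws/servicesRest/v1_6_000/permissionAssignments"  # path from this page
# Assumed names for the lookup criteria, action and actAs parameters;
# confirm them against the request object documentation before use.
CRITERIA = ("wsAttributeDefName", "wsAttributeDefNameName", "roleName", "wsSubjectId")
FLAGS = ("includeAttributeDefNames", "includePermissionAssignDetail",
         "includeAttributeAssignments", "includeAssignmentsOnAssignments")


def grouper_time(ts: datetime) -> str:
    """Format as yyyy/MM/dd HH:mm:ss.SSS (milliseconds, not microseconds)."""
    return ts.strftime("%Y/%m/%d %H:%M:%S.") + f"{ts.microsecond // 1000:03d}"


def build_lite_request(criteria, flags=(), action=None, act_as=None,
                       point_in_time_from=None, point_in_time_to=None):
    """Return (method, path, body) for a lite permission assignment lookup."""
    unknown = (set(criteria) - set(CRITERIA)) | (set(flags) - set(FLAGS))
    if unknown:
        raise ValueError(f"unsupported parameters: {sorted(unknown)}")
    if not any(criteria.values()):
        raise ValueError("pass at least one attribute definition, "
                         "attribute definition name, role, or subject")
    # Client-side check: assignments on assignments are read together with
    # the underlying attribute assignments.
    if "includeAssignmentsOnAssignments" in flags and "includeAttributeAssignments" not in flags:
        raise ValueError("includeAssignmentsOnAssignments needs includeAttributeAssignments")
    params = {k: v for k, v in criteria.items() if v}
    params.update({f: "T" for f in flags})
    if action:
        params["action"] = action
    if point_in_time_from:
        params["pointInTimeFrom"] = grouper_time(point_in_time_from)
    if point_in_time_to:
        params["pointInTimeTo"] = grouper_time(point_in_time_to)
    if act_as:
        params["actAsSubjectId"] = act_as
    encoded = urlencode(params, quote_via=quote)  # ':' -> %3A, ' ' -> %20
    if act_as:
        return "POST", ENDPOINT, encoded  # actAs data travels in the body
    return "GET", f"{ENDPOINT}?{encoded}", None


if __name__ == "__main__":
    # Constructed sample values: role name and date are illustrative only.
    print(build_lite_request({"roleName": "apps:payroll:admins"},
                             flags=("includePermissionAssignDetail",),
                             point_in_time_from=datetime(2024, 1, 15, 8, 30)))
```
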

Get permission assignments service

  • Accepts multiple roles or subjects or attribute definitions (or combination) etc to retrieve lists of permission assignments
  • Documentation: SOAP (click on getPermissionAssignments), REST (click on getPermissionAssignments)
  • REST request (colon is escaped to %3A):
    • POST /grouper-ws/servicesRest/v1_6_000/permissionAssignments
  • (see documentation above for details): Request object, response object
  • Response codes overall
  • Returns an overall status
  • Samples (all files without "Lite" in them, click on "download" to see files)
