Membership Provisioner

Grouper Kuali Integration

The Grouper-Kim connector jar contains a "post processor" which handles workflow events.  Register this post processor in the Kuali doctype for your workflow (there is also another Grouper post processor which additionally stores document results in the Kuali database):

       <postProcessorName>edu.internet2.middleware.grouperKimConnector.postProcessor.GrouperEdoclitePostProcessor</postProcessorName>

Then you can configure a group that the doctype provisions into. The post processor can also send an email to admins so they can confirm that the provisioning was done and without error:

###############################
# configure postprocessor actions on document types.  The label after "saveMembership."
# ("multipleProvisioning" here) ties the configs together; use a different label for each additional doctype

# doctype name that this applies to
kuali.edoclite.saveMembership.multipleProvisioning.docTypeName = sampleProvisionMultipleGroups.doctype

# regex of group allowed to assign to, extra layer of security, optional
kuali.edoclite.saveMembership.multipleProvisioning.groupRegex =

# list of groups allowed to assign to (comma separated), extra layer of security, optional,
# generally mutually exclusive with the groupRegex
kuali.edoclite.saveMembership.multipleProvisioning.allowedGroups = some:group:name0, some:group:name1

# edocliteFieldPrefix if checkboxes or textfields or whatever, put the prefix of the edoclite field here.
# so if the field prefix is "groups", then it will look for groups0, groups1, etc to groups200...
# the value of the field is the group to add to
kuali.edoclite.saveMembership.multipleProvisioning.edocliteFieldPrefix = groupFieldDef

# this will be prefixed to the entered group name so the whole stem doesn't
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.multipleProvisioning.enteredGroupNamePrefix = some:group:

# groups (comma separated) id or name which the initiator will be assigned to when the document is final
kuali.edoclite.saveMembership.multipleProvisioning.addMembershipToGroups =

# groups (comma separated) id or name which the initiator will be unassigned from when the document is final
kuali.edoclite.saveMembership.multipleProvisioning.removeMembershipFromGroups =

# email addresses (comma separated) that should get an admin email that this was done (or errors)
kuali.edoclite.saveMembership.multipleProvisioning.emailAdmins = mchyzer@isc.upenn.edu

# delete date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.multipleProvisioning.edocliteFieldGroupDisabledDate = disabledDate

# enable date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.multipleProvisioning.edocliteFieldGroupEnabledDate = enabledDate




At this point, whoever fills out your form and is successfully approved through that form's workflow will be provisioned into the group automatically.  Here is the full example

Note, you can also provision permissions:

###############################
# configure postprocessor actions on document types.  The label after "saveMembership."
# ("sampleProvisionPermissions" here) ties the configs together; use a different label for each additional doctype

###### MISC
# email addresses (comma separated) that should get an admin email that this was done (or errors)
kuali.edoclite.saveMembership.sampleProvisionPermissions.emailAdmins = mchyzer@isc.upenn.edu

# doctype name that this applies to
kuali.edoclite.saveMembership.sampleProvisionPermissions.docTypeName = sampleProvisionPermissions.doctype

###### GROUPS
# regex of group allowed to assign to, extra layer of security, optional
kuali.edoclite.saveMembership.sampleProvisionPermissions.groupRegex = ^some:role:[^:]+$

# list of groups allowed to assign to (comma separated), extra layer of security, optional,
# generally mutually exclusive with the groupRegex
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedGroups =

# edocliteFieldPrefix if checkboxes or textfields or whatever, put the prefix of the edoclite field here.
# so if the field prefix is "groups", then it will look for groups0, groups1, etc to groups200...
# the value of the field is the group to add to
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefix =

# this will be prefixed to the entered group name so the whole stem doesn't
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredGroupNamePrefix =

# groups (comma separated) id or name which the initiator will be assigned to when the document is final
kuali.edoclite.saveMembership.sampleProvisionPermissions.addMembershipToGroups =

# groups (comma separated) id or name which the initiator will be unassigned from when the document is final
kuali.edoclite.saveMembership.sampleProvisionPermissions.removeMembershipFromGroups =

# delete date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldGroupDisabledDate = disabledDate

# enable date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldGroupEnabledDate = enabledDate

###### PERMISSIONS ROLES
# role to assign permissions to or null if not doing permissions (mutually exclusive with edocliteFieldRoleForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.roleForPermissions =

# role to assign permissions to (read from edoclite) or empty if not doing permissions (mutually exclusive with roleForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldRoleForPermissions = role

# this will be prefixed to the entered role name so the whole stem doesn't
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredRoleNamePrefix = some:role:

# allowed roles (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedRolesForPermissions = some:role:user, some:role:admin

###### PERMISSIONS OPERATIONS
# operation of assign|remove permissions (mutually exclusive with edocliteFieldOperationForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.operationForPermissions =

# operation to assign|remove permissions (read from edoclite) or empty if not doing permissions (mutually exclusive with operationForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldOperationForPermissions = operation

# allowed operations (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedOperationsForPermissions = assign_permission, remove_permission, replace_permissions

###### ACTIONS
# actions to assign permissions to or null if not doing permissions (mutually exclusive with edocliteFieldPrefixActionsForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.actionsForPermissions =

# actions to assign permissions to (read from edoclite) or empty if not doing permissions (mutually exclusive with actionsForPermissions)
# this is the prefix, appending 0,1,2 etc on the end.  so the fields would be someEdocliteFieldName0, someEdocliteFieldName1, etc
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefixActionsForPermissions = actionsFieldDef

# allowed actions (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedActionsForPermissions = read, write

###### PERMISSIONS
# permissions to assign or null if not doing permissions (mutually exclusive with edocliteFieldPrefixForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissions =

# permissions to assign (read from edoclite) or empty if not doing permissions (mutually exclusive with permissions)
# this is the prefix, appending 0,1,2 etc on the end.  so the fields would be someEdocliteFieldName0, someEdocliteFieldName1, etc
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefixForPermissions = permissionsFieldDef

# allowed permissions (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedPermissions =

# regex of permissions allowed to assign, extra layer of security, optional
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissionsRegex = ^penn:isc:ait:apps:someApp:permissions:.*$

# this will be prefixed to the entered permission name so the whole stem doesn't
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredPermissionNamePrefix = penn:isc:ait:apps:someApp:permissions:

# delete date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionDisabledDate = disabledDate

# enable date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionEnabledDate = enabledDate

# field name which has blank or FALSE, TRUE, or GRANT for if the user can delegate the permissions to others
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionsDelegatable = delegation

# blank or FALSE, TRUE, or GRANT for if the user can delegate the permissions to others
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissionsDelegatable =

##################################################
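
A pre-deployment check for the settings above, as an added example that is not part of the Grouper-Kim connector: it flags form-driven fields with no allow-list or regex behind them, pairs that the comments call mutually exclusive but are both set, and unanchored regexes. The anchoring rule is a defensive assumption, since this page does not say whether the connector requires a full match; `parse`, `lint` and the `demo` label are names made up for this sketch.

```python
from collections import defaultdict

KEY_PREFIX = "kuali.edoclite.saveMembership."

# Setting pairs that the page's comments call mutually exclusive.
EXCLUSIVE = [
    ("roleForPermissions", "edocliteFieldRoleForPermissions"),
    ("operationForPermissions", "edocliteFieldOperationForPermissions"),
    ("actionsForPermissions", "edocliteFieldPrefixActionsForPermissions"),
    ("permissions", "edocliteFieldPrefixForPermissions"),
]
# Form-driven setting -> settings that restrict what the form may name.
GUARDS = {
    "edocliteFieldPrefix": ("groupRegex", "allowedGroups"),
    "edocliteFieldRoleForPermissions": ("allowedRolesForPermissions",),
    "edocliteFieldOperationForPermissions": ("allowedOperationsForPermissions",),
    "edocliteFieldPrefixActionsForPermissions": ("allowedActionsForPermissions",),
    "edocliteFieldPrefixForPermissions": ("permissionsRegex", "allowedPermissions"),
}

def parse(text):
    """Group '<KEY_PREFIX><label>.<setting> = value' lines by label."""
    labels = defaultdict(dict)
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith(KEY_PREFIX):
            label, _, setting = key.strip()[len(KEY_PREFIX):].partition(".")
            labels[label][setting] = value.strip()
    return labels

def lint(text):
    findings = []
    for label, cfg in parse(text).items():
        for a, b in EXCLUSIVE:
            if cfg.get(a) and cfg.get(b):
                findings.append((label, f"{a} and {b} are both set"))
        for field, guards in GUARDS.items():
            if cfg.get(field) and not any(cfg.get(g) for g in guards):
                findings.append((label, f"{field} has no allow-list or regex"))
        # Assumption: require ^...$ because match semantics are not documented here.
        for name in ("groupRegex", "permissionsRegex"):
            rx = cfg.get(name, "")
            if rx and not (rx.startswith("^") and rx.endswith("$")):
                findings.append((label, f"{name} is not anchored with ^ and $"))
    return findings

# Constructed sample: form-driven groups with no restriction, unanchored regex.
SAMPLE = """kuali.edoclite.saveMembership.demo.edocliteFieldPrefix = groupFieldDef
kuali.edoclite.saveMembership.demo.permissionsRegex = some:app:permissions:.*"""
```

Run over the two configurations on this page, `lint` returns no findings; the constructed `SAMPLE` returns two.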
