
Role and Permission Management as of v2.0 and above

Grouper has the capability to manage external applications' roles and permissions, and can function as a central permission management system. 

Note that "privilege" is interchangeable with "permission", but Grouper already has documents about internal Grouper privileges on Groups / folders / etc. so the word "permission" is used here.

See also the Overview of Access Management Features page for guidelines of when to use rules, roles, permission limits, and enabled / disabled dates.

GSH commands

Create a role

gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer");

Add a member to a role (in this case a group)

gsh 38% userSharerRole.addMember(studentsGroup.toSubject());

Create a permission definition

gsh 51% resourcesDef = resourcesStem.addChildAttributeDef("secureShareWebResources", AttributeDefType.perm);

Add one permissions resource name to another (permissionSet)

gsh 63% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(splashResource);

Assign a permission to a role

gsh 70% userSharerRole.getPermissionRoleDelegate().assignRolePermission(sendSetResource);

Assign a permission to a member in a role

gsh 73% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(adminEmailButtonResource, schleindMember);

Get the immediate permission assignments to a role (not necessarily active or allowed), looked up by role name, and print the permission resource names

gsh 123% for (PermissionEntry permissionEntry : new PermissionFinder().assignPermissionType(PermissionType.role).assignImmediateOnly(true).addRole("a:b").findPermissions()) {
  System.out.println(permissionEntry.getAttributeDefNameName());
}

Get the immediate permission assignments to roles (not necessarily active or allowed), looked up by permission resource name, and print the role names

gsh 124% for (PermissionEntry permissionEntry : new PermissionFinder().assignPermissionType(PermissionType.role).assignImmediateOnly(true).addPermissionName("a:b").findPermissions()) {
  System.out.println(permissionEntry.getRoleName());
}


SQL interface

The view for permissions is grouper_perms_all_v. Note that the rows returned by this view must be post-processed if allow/disallow is used, and you should also take into account whether each record is active or not.

Get all permission resources (attribute def names) assigned directly to a role; all of the *_DEPTH columns are 0, so assignments inherited through role, resource, action or membership hierarchies are excluded

SELECT GPAV.ATTRIBUTE_DEF_NAME_NAME
  FROM grouper_perms_all_v gpav
 WHERE     GPAV.ROLE_NAME = 'a:b'
       AND gpav.permission_type = 'role'
       AND GPAV.ROLE_SET_DEPTH = 0
       AND GPAV.ATTR_ASSIGN_ACTION_SET_DEPTH = 0
       AND GPAV.ATTR_DEF_NAME_SET_DEPTH = 0
       AND GPAV.MEMBERSHIP_DEPTH = 0

Get all roles that are directly assigned a given permission resource; all of the *_DEPTH columns are 0, so inherited assignments are excluded

SELECT GPAV.role_name
  FROM grouper_perms_all_v gpav
 WHERE     GPAV.ATTRIBUTE_DEF_NAME_NAME = 'a:b'
       AND gpav.permission_type = 'role'
       AND GPAV.ROLE_SET_DEPTH = 0
       AND GPAV.ATTR_ASSIGN_ACTION_SET_DEPTH = 0
       AND GPAV.ATTR_DEF_NAME_SET_DEPTH = 0
       AND GPAV.MEMBERSHIP_DEPTH = 0
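Both the PermissionFinder results above (described as "not necessarily active or allowed") and the rows of grouper_perms_all_v need the same post-processing before they can be treated as effective permissions. The following is an added Python example, not Grouper project code, that performs that processing over rows shaped like the view. The DISALLOWED, ENABLED, ACTION and SUBJECT_ID columns, and the conflict rule "the most specific assignment wins, a disallow wins a tie" with the specificity ordering used below, are assumptions to verify against the documentation for your Grouper version; the sample rows are constructed.

```python
"""Resolve rows from grouper_perms_all_v into effective (allowed) permissions.

Added example, not part of the Grouper project.  Assumptions (verify against
your Grouper version): the view exposes ACTION, SUBJECT_ID, DISALLOWED ('T'/'F')
and ENABLED ('T'/'F') columns, and the conflict rule is "most specific
assignment wins, disallow wins a tie".
"""
from typing import Dict, Iterable, List, Set, Tuple

Key = Tuple[str, str, str, str]          # (subject_id, role_name, resource, action)
Spec = Tuple[int, int, int, int, int]    # lower tuple = more specific


def specificity(row: dict) -> Spec:
    """Order an assignment from most to least specific.

    Assumed ordering: an assignment to a subject-in-role (permission_type
    'role_subject') beats one to the role as a whole; then the role hierarchy,
    resource (permissionSet) hierarchy, action hierarchy and membership depths
    from the view are compared, shallower being more specific.
    """
    direct_to_subject = 0 if row["permission_type"] == "role_subject" else 1
    return (
        direct_to_subject,
        row["role_set_depth"],
        row["attr_def_name_set_depth"],
        row["attr_assign_action_set_depth"],
        row["membership_depth"],
    )


def effective_permissions(rows: Iterable[dict]) -> Set[Key]:
    """Return the (subject, role, resource, action) tuples that are allowed.

    Inactive rows (ENABLED <> 'T') are skipped.  For each key the most specific
    row wins, and a disallow beats an allow at equal specificity.
    """
    winner: Dict[Key, Tuple[Spec, bool]] = {}
    for row in rows:
        if row["enabled"] != "T":
            continue
        key = (row["subject_id"], row["role_name"],
               row["attribute_def_name_name"], row["action"])
        spec = specificity(row)
        disallowed = row["disallowed"] == "T"
        current = winner.get(key)
        if current is None or spec < current[0] or (spec == current[0] and disallowed):
            winner[key] = (spec, disallowed)
    return {key for key, (_, disallowed) in winner.items() if not disallowed}


def _row(resource: str, *, permission_type: str = "role", attr_def_name_set_depth: int = 0,
         disallowed: str = "F", enabled: str = "T") -> dict:
    """Build one constructed row in the shape of grouper_perms_all_v."""
    return {
        "subject_id": "jsmith", "role_name": "a:b", "action": "assign",
        "attribute_def_name_name": resource, "permission_type": permission_type,
        "role_set_depth": 0, "attr_def_name_set_depth": attr_def_name_set_depth,
        "attr_assign_action_set_depth": 0, "membership_depth": 0,
        "disallowed": disallowed, "enabled": enabled,
    }


# Constructed rows (not real data) for subject jsmith, a member of role a:b.
SAMPLE_ROWS: List[dict] = [
    _row("app:res:sendSet"),                                   # direct allow on the role
    _row("app:res:splash", attr_def_name_set_depth=1),         # allow inherited via permissionSet
    _row("app:res:splash", permission_type="role_subject",
         disallowed="T"),                                      # direct disallow for jsmith: more specific, wins
    _row("app:res:receiveSet"),                                # allow on the role ...
    _row("app:res:receiveSet", disallowed="T"),                # ... and disallow at equal depth: disallow wins
    _row("app:res:adminEmailButton", enabled="F"),             # inactive (e.g. past disabled date): ignored
]


if __name__ == "__main__":
    for subject, role, resource, action in sorted(effective_permissions(SAMPLE_ROWS)):
        print(f"{subject} via {role}: {action} {resource}")
```

In practice the rows come from a database cursor running `SELECT * FROM grouper_perms_all_v` (with dictionary-style rows) rather than from the constructed list; the resolution logic is unchanged. Of the six sample rows only `app:res:sendSet` survives: the inherited `splash` allow loses to the direct subject-level disallow, `receiveSet` loses the tie to its disallow, and the inactive `adminEmailButton` row is never considered.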

See also

 Access Management Features Overview

Training Slides, pages 31-38