
Diagrams

Note: there are 4 levels of hierarchy in Grouper permissions.

  1. Indirect group membership to have a role
  2. Permissions that imply other permissions (so you can assign one permission and get many rights)
  3. Actions that imply other actions (e.g. admin implies all other actions)
  4. Role inheritance so a role can inherit all permissions from another role, and add some more


Here are examples and diagrams of Grouper permissions


When to use Grouper Permissions

  1. When the application can support permissions being provisioned to it
  2. Helps if your application has a specific and probably custom UI to assign permissions
    1. E.g. imagine assigning permissions on Confluence pages from outside the Confluence app; that might be difficult to use
    2. Grouper has a permissions UI but it is generic
  3. Grouper permissions do not provision with PSPNG.  You need to provision permissions to the application using Grouper WS or SQL or Java
  4. Grouper permissions will tell you real time when assignments change (for real time provisioning), but it only indicates that a role has changed somehow
    1. If you are doing a change log consumer or messaging, you need to get that indication and do a full sync of permissions for that role

Role and Permission Management as of v2.0 and above

Grouper has the capability to manage external applications' roles and permissions, and can function as a central permission management system. 

Note that "privilege" is interchangeable with "permission", but Grouper already has documents about internal Grouper privileges on Groups / folders / etc. so the word "permission" is used here.

See also the Overview of Access Management Features page for guidelines of when to use rules, roles, permission limits, and enabled / disabled dates.


GSH commands

Create a role

gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer");

Add a member to a role (in this case a group)

gsh 38% userSharerRole.addMember(studentsGroup.toSubject());

Create a permission definition

gsh 51% resourcesDef = resourcesStem.addChildAttributeDef("secureShareWebResources", AttributeDefType.perm);

Add one permissions resource name to another (permissionSet)

gsh 63% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(splashResource);

Assign a permission to a role

gsh 70% userSharerRole.getPermissionRoleDelegate().assignRolePermission(sendSetResource);

Assign a permission to a member in a role

gsh 73% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(adminEmailButtonResource, schleindMember);

Get the permission assignments (not necessarily active or allowed), assigned to a role, immediate, based on role name, print these out

gsh 123% for (PermissionEntry permissionEntry : new PermissionFinder().assignPermissionType(PermissionType.role).assignImmediateOnly(true).addRole("a:b").findPermissions()) {
  System.out.println(permissionEntry.getAttributeDefNameName());
}

Get the permission assignments (not necessarily active or allowed), assigned to a role, immediate, based on permission name, print these out

for (PermissionEntry permissionEntry : new PermissionFinder().assignPermissionType(PermissionType.role).assignImmediateOnly(true).addPermissionName("a:b").findPermissions()) {
  System.out.println(permissionEntry.getRoleName());
}


SQL interface

The view for permissions is grouper_perms_all_v.  Note that the results still need to be processed if allow/disallow is used, and you should also take into account whether each record is active (enabled) or not.

get all attributes assigned to a role, assuming direct assignment (unassignable)

SELECT GPAV.ATTRIBUTE_DEF_NAME_NAME
  FROM grouper_perms_all_v gpav
 WHERE     GPAV.ROLE_NAME = 'a:b'
       AND gpav.permission_type = 'role'
       AND GPAV.ROLE_SET_DEPTH = 0
       AND GPAV.ATTR_ASSIGN_ACTION_SET_DEPTH = 0
       AND GPAV.ATTR_DEF_NAME_SET_DEPTH = 0
       AND GPAV.MEMBERSHIP_DEPTH = 0

get all roles that are assigned a given attribute, assuming direct assignment (unassignable)

SELECT GPAV.role_name
  FROM grouper_perms_all_v gpav
 WHERE     GPAV.ATTRIBUTE_DEF_NAME_NAME = 'a:b'
       AND gpav.permission_type = 'role'
       AND GPAV.ROLE_SET_DEPTH = 0
       AND GPAV.ATTR_ASSIGN_ACTION_SET_DEPTH = 0
       AND GPAV.ATTR_DEF_NAME_SET_DEPTH = 0
       AND GPAV.MEMBERSHIP_DEPTH = 0
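The allow/disallow and active caveat above, as an added example (not part of this page and not Grouper's own PermissionProcessor): a Python pass over constructed grouper_perms_all_v rows that drops disabled entries and lets a more specific disallow override an inherited allow. The column names enabled and disallowed, the 'T'/'F' values, and the tie-breaking rule are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PermRow:
    # One constructed row of grouper_perms_all_v, only the columns used here.
    subject_id: str
    role_name: str
    action: str
    attribute_def_name_name: str
    enabled: str     # 'T' / 'F' (assumed column name)
    disallowed: str  # 'T' / 'F' (assumed column name)
    membership_depth: int
    role_set_depth: int
    attr_def_name_set_depth: int
    attr_assign_action_set_depth: int

    def total_depth(self) -> int:
        # 0 is a direct assignment; larger values are inherited through a hierarchy
        return (self.membership_depth + self.role_set_depth
                + self.attr_def_name_set_depth + self.attr_assign_action_set_depth)

def effective_permissions(rows):
    """Set of (subject, role, action, permission) that are actually allowed.
    Assumed rule (a simplification, not Grouper's own processor): disabled rows are
    ignored; for each key the row with the smallest total depth decides, and a
    disallow at that depth wins over an allow."""
    best = {}  # key -> (depth, is_disallowed)
    for r in rows:
        if r.enabled != 'T':
            continue
        key = (r.subject_id, r.role_name, r.action, r.attribute_def_name_name)
        depth, disallowed = r.total_depth(), r.disallowed == 'T'
        cur = best.get(key)
        if cur is None or depth < cur[0]:
            best[key] = (depth, disallowed)
        elif depth == cur[0] and disallowed:
            best[key] = (depth, True)
    return {k for k, (_, dis) in best.items() if not dis}

SAMPLE_ROWS = [  # constructed; names echo this page's userSharer / permission-set examples
    # allowed through group membership in the role (membership_depth 1)
    PermRow("jsmith", "app:roles:userSharer", "read", "app:resources:sendSet", 'T', 'F', 1, 0, 0, 0),
    # implied by a permission set (attr_def_name_set_depth 1) ...
    PermRow("jsmith", "app:roles:userSharer", "read", "app:resources:splash", 'T', 'F', 1, 0, 1, 0),
    # ... but disallowed directly for this member at depth 0, which overrides the allow
    PermRow("jsmith", "app:roles:userSharer", "read", "app:resources:splash", 'T', 'T', 0, 0, 0, 0),
    # direct allow that is currently disabled (outside its enabled / disabled dates)
    PermRow("jsmith", "app:roles:admin", "admin", "app:resources:emailButton", 'F', 'F', 0, 0, 0, 0),
]
```

A change-log consumer or messaging listener that gets the "role changed" signal mentioned above can rerun this over a fresh query for that role to produce the full set to provision.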

See also

 Access Management Features Overview

Grouper New Template Wizard

Training Slides, pages 31-38