
This page shows how to query, via the Grouper web service, the permissions implied by a role (it was written in response to a request for exactly that example).

Note: this was done with Grouper 2.1.4 (release candidate). Everything shown here can also be done in the UI. The gsh setup below runs under a root session (GrouperSession.startRootSession()), i.e. with full Grouper system privileges and no privilege checks, so treat it as test/bootstrap setup rather than as a pattern for application code.

Create a root session and two permission attribute definitions (one per application)

// Root session: runs with full Grouper system privileges, so the privilege checks a
// normal caller would be subject to do not apply to any of the setup below. Keep this
// to bootstrap/test setup; application code should act as the real caller instead.
gsh 0% grouperSession = GrouperSession.startRootSession();
// Permission definition for app0: a "perm" attribute def, assignable to groups (roles)
// and to effective memberships; parent stems are created on demand.
gsh 1% attributeDef = new AttributeDefSave(grouperSession).assignName("test:app0:permissionDefs:permissionDef0").assignToEffMembership(true).assignToGroup(true).assignAttributeDefType(AttributeDefType.perm).assignCreateParentStemsIfNotExist(true).save();
// Actions allowed on app0's definition.
gsh 2% attributeDef.getAttributeDefActionDelegate().configureActionList("read,write");
// Permission definition for app1: same shape, plus an extra "admin" action.
gsh 3% attributeDef2 = new AttributeDefSave(grouperSession).assignName("test:app1:permissionDefs:permissionDef1").assignToEffMembership(true).assignToGroup(true).assignAttributeDefType(AttributeDefType.perm).assignCreateParentStemsIfNotExist(true).save();
// NOTE(review): stray space before "admin" in the action list -- confirm the action is
// stored as "admin" (the assignment further down uses "admin" with no space), not " admin".
gsh 4% attributeDef2.getAttributeDefActionDelegate().configureActionList("read,write, admin");

Create a few roles and add some members

// Roles are ordinary groups saved with TypeOfGroup.role; two per application.
gsh 5% app0role0 = new GroupSave(grouperSession).assignName("test:app0:roles:role0").assignCreateParentStemsIfNotExist(true).assignTypeOfGroup(TypeOfGroup.role).save();
gsh 6% app0role1 = new GroupSave(grouperSession).assignName("test:app0:roles:role1").assignCreateParentStemsIfNotExist(true).assignTypeOfGroup(TypeOfGroup.role).save();
gsh 7% app1role0 = new GroupSave(grouperSession).assignName("test:app1:roles:role0").assignCreateParentStemsIfNotExist(true).assignTypeOfGroup(TypeOfGroup.role).save();
gsh 8% app1role1 = new GroupSave(grouperSession).assignName("test:app1:roles:role1").assignCreateParentStemsIfNotExist(true).assignTypeOfGroup(TypeOfGroup.role).save();
// Memberships, added by role name. Note the overlaps: test.subject.1 is in both app0
// roles, test.subject.2 spans app0:role1 and app1:role0, test.subject.3 is in both app1
// roles; test.subject.0 and test.subject.4 are each in a single role.
gsh 9% addMember("test:app0:roles:role0", "test.subject.0");
gsh 10% addMember("test:app0:roles:role0", "test.subject.1");
gsh 11% addMember("test:app0:roles:role1", "test.subject.1");
gsh 12% addMember("test:app0:roles:role1", "test.subject.2");
gsh 13% addMember("test:app1:roles:role0", "test.subject.2");
gsh 14% addMember("test:app1:roles:role0", "test.subject.3");
gsh 15% addMember("test:app1:roles:role1", "test.subject.3");
gsh 16% addMember("test:app1:roles:role1", "test.subject.4");

Add some permission names (the attribute def names that actually get assigned)

// Permission names live under a permission definition. app0's four names are created
// under attributeDef (test:app0:permissionDefs:permissionDef0).
gsh 17% permissionName0_1 = new AttributeDefNameSave(grouperSession, attributeDef).assignName("test:app0:permissionNames:permissionName0_1").assignCreateParentStemsIfNotExist(true).save();
gsh 18% permissionName0_2 = new AttributeDefNameSave(grouperSession, attributeDef).assignName("test:app0:permissionNames:permissionName0_2").assignCreateParentStemsIfNotExist(true).save();
gsh 19% permissionName1_1 = new AttributeDefNameSave(grouperSession, attributeDef).assignName("test:app0:permissionNames:permissionName1_1").assignCreateParentStemsIfNotExist(true).save();
gsh 20% permissionName1_2 = new AttributeDefNameSave(grouperSession, attributeDef).assignName("test:app0:permissionNames:permissionName1_2").assignCreateParentStemsIfNotExist(true).save();
// NOTE(review): the next four app1 names (test:app1:permissionNames:permissionName0_1,
// 0_2, 1_1, 1_2) are also created under attributeDef, i.e. app0's permissionDef0, not
// attributeDef2 -- most likely a copy/paste slip. Only permissionName1_3 and 1_4 use app1's
// permissionDef1. The WS response further down reflects this: test:app1:permissionNames:
// permissionName1_1 reports attributeDefName test:app0:permissionDefs:permissionDef0.
// Presumably the privileges to assign and read these names follow the definition they sit
// under, so app1's names would be governed by app0's definition -- confirm before copying
// this layout into a real deployment.
gsh 21% permissionName1_0_1 = new AttributeDefNameSave(grouperSession, attributeDef).assignName("test:app1:permissionNames:permissionName0_1").assignCreateParentStemsIfNotExist(true).save();
gsh 22% permissionName1_0_2 = new AttributeDefNameSave(grouperSession, attributeDef).assignName("test:app1:permissionNames:permissionName0_2").assignCreateParentStemsIfNotExist(true).save();
gsh 23% permissionName1_1_1 = new AttributeDefNameSave(grouperSession, attributeDef).assignName("test:app1:permissionNames:permissionName1_1").assignCreateParentStemsIfNotExist(true).save();
gsh 24% permissionName1_1_2 = new AttributeDefNameSave(grouperSession, attributeDef).assignName("test:app1:permissionNames:permissionName1_2").assignCreateParentStemsIfNotExist(true).save();
// These two are under attributeDef2 (permissionDef1), the only definition that
// configured an "admin" action.
gsh 25% permissionName1_1_3 = new AttributeDefNameSave(grouperSession, attributeDef2).assignName("test:app1:permissionNames:permissionName1_3").assignCreateParentStemsIfNotExist(true).save();
gsh 26% permissionName1_1_4 = new AttributeDefNameSave(grouperSession, attributeDef2).assignName("test:app1:permissionNames:permissionName1_4").assignCreateParentStemsIfNotExist(true).save();

Assign some role-level and subject-specific (individual) permissions

// Role-level assignments: the permission applies to the role itself (and thus to all
// of its members). Line 28 assigns an app1 name, which sits under app0's definition
// (see the note above).
gsh 27% app0role0.getPermissionRoleDelegate().assignRolePermission("read", permissionName0_1);
gsh 28% app0role0.getPermissionRoleDelegate().assignRolePermission("write", permissionName1_1_1);
gsh 29% app1role1.getPermissionRoleDelegate().assignRolePermission("read", permissionName1_1_2);
gsh 30% app1role1.getPermissionRoleDelegate().assignRolePermission("read", permissionName1_0_2);
// Subject-specific ("individual") assignments: tied to one named subject in the role
// rather than to the whole role. The "admin" action on line 31 is valid because
// permissionName1_1_4 sits under attributeDef2, the only definition with "admin".
// NOTE(review): the permissionType=role query further down returns only the two
// role-level assignments on app0role0 (lines 27-28); the subject-specific ones on
// lines 31-32 are not part of that result.
gsh 31% app0role0.getPermissionRoleDelegate().assignSubjectRolePermission("admin", permissionName1_1_4, SubjectFinder.findById("test.subject.0", true));
gsh 32% app0role0.getPermissionRoleDelegate().assignSubjectRolePermission("write", permissionName1_0_1, SubjectFinder.findById("test.subject.0", true));
gsh 33% app0role1.getPermissionRoleDelegate().assignSubjectRolePermission("read", permissionName0_2, SubjectFinder.findById("test.subject.1", true));
gsh 34% app1role1.getPermissionRoleDelegate().assignSubjectRolePermission("write", permissionName1_0_1, SubjectFinder.findById("test.subject.4", true));

Now, let's query via the web service for the permission assignments made directly to a role (permissionType=role). The subject-specific assignments made with assignSubjectRolePermission above are not included in this query's results (note the two results and the empty wsSubjects below); the other permissionType value, role_subject, is the one that covers those — check the getPermissionAssignments web service documentation for your version.

# Ask the WS for the permission assignments made directly to the role (permissionType=role).
# The subject-specific assignments (assignSubjectRolePermission above) are not returned by
# this query. The WS endpoint and the credentials the client authenticates with come from
# the client's properties file, which is not shown on this page.
# NOTE(review): presumably the result is filtered by the calling WS user's privileges on the
# role and on the attribute definitions, so a non-root caller may see fewer assignments than
# the root gsh session created -- confirm against your WS authorization setup.
java -jar grouperClient.jar --operation=getPermissionAssignmentsWs --permissionType=role --roleNames=test:app0:roles:role0

XML to server:

<!-- Request body the client sends for getPermissionAssignments. It is a plain interchange
     document: no XML declaration and no DOCTYPE, which is how it should stay (a DOCTYPE is
     never needed here and is what external-entity attacks ride on). -->
<WsRestGetPermissionAssignmentsRequest>
  <!-- "role": assignments made to the role itself. Subject-specific assignments are not
       returned for this type (see the empty wsSubjects in the response). -->
  <permissionType>role</permissionType>
  <!-- One WsGroupLookup per role to query; a role is a group with typeOfGroup "role"
       and is looked up here by its full name. -->
  <roleLookups>
    <WsGroupLookup>
      <groupName>test:app0:roles:role0</groupName>
    </WsGroupLookup>
  </roleLookups>
</WsRestGetPermissionAssignmentsRequest>

XML from server:

<!-- Response for the permissionType=role query on test:app0:roles:role0. Consumers should
     check resultMetadata/success (or resultCode) before reading wsPermissionAssigns. -->
<WsGetPermissionAssignmentsResults>
  <!-- Only permissionDef0 appears, although the second assignment below is an app1
       permission name: that name was created under app0's definition in the gsh script. -->
  <wsAttributeDefs>
    <WsAttributeDef>
      <extension>permissionDef0</extension>
      <name>test:app0:permissionDefs:permissionDef0</name>
      <uuid>33c0b3263a1c42ae861990012192310b</uuid>
      <attributeDefType>perm</attributeDefType>
      <multiAssignable>F</multiAssignable>
      <multiValued>F</multiValued>
      <valueType>marker</valueType>
    </WsAttributeDef>
  </wsAttributeDefs>
  <!-- One entry per (action, permission name) assigned to the role. Do not treat mere
       presence of an entry as "permitted": each carries enabled, allowedOverall and
       disallowed flags, and an entry can be present yet disabled or explicitly disallowed.
       Decide on allowedOverall (and enabled), not on presence. -->
  <wsPermissionAssigns>
    <WsPermissionAssign>
      <action>read</action>
      <permissionType>role</permissionType>
      <attributeDefNameId>4d81aebc539148c1908ac2f1485ad530</attributeDefNameId>
      <!-- NOTE(review): the value below wraps onto a second line with leading whitespace;
           this looks like page formatting rather than server output -- confirm, and trim
           element text when consuming either way. -->
      <attributeDefNameName>test:app0:permissionNames:permissionName0_1
      </attributeDefNameName>
      <attributeDefId>33c0b3263a1c42ae861990012192310b</attributeDefId>
      <attributeDefName>test:app0:permissionDefs:permissionDef0</attributeDefName>
      <enabled>T</enabled>
      <attributeAssignId>c474dabd2d01482ba287910ea6929407</attributeAssignId>
      <roleId>b6979607f4be43038df280208521d021</roleId>
      <roleName>test:app0:roles:role0</roleName>
      <allowedOverall>T</allowedOverall>
      <disallowed>F</disallowed>
    </WsPermissionAssign>
    <WsPermissionAssign>
      <action>write</action>
      <permissionType>role</permissionType>
      <attributeDefNameId>7051d0aac8894e2cb05f4f00a14b1bb0</attributeDefNameId>
      <!-- An app1 permission name governed by app0's definition (attributeDefName below);
           see the note on the gsh script that created it. -->
      <attributeDefNameName>test:app1:permissionNames:permissionName1_1
      </attributeDefNameName>
      <attributeDefId>33c0b3263a1c42ae861990012192310b</attributeDefId>
      <attributeDefName>test:app0:permissionDefs:permissionDef0</attributeDefName>
      <enabled>T</enabled>
      <attributeAssignId>9a183f124e8d4c1492931ebfa77165cc</attributeAssignId>
      <roleId>b6979607f4be43038df280208521d021</roleId>
      <roleName>test:app0:roles:role0</roleName>
      <allowedOverall>T</allowedOverall>
      <disallowed>F</disallowed>
    </WsPermissionAssign>
  </wsPermissionAssigns>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <resultMessage>, Found 2 results.  </resultMessage>
    <success>T</success>
  </resultMetadata>
  <responseMetadata>
    <resultWarnings></resultWarnings>
    <!-- ~28 seconds on the test server for this small query. -->
    <millis>28208</millis>
    <serverVersion>2.1.4</serverVersion>
  </responseMetadata>
  <wsGroups>
    <WsGroup>
      <extension>role0</extension>
      <typeOfGroup>role</typeOfGroup>
      <displayExtension>role0</displayExtension>
      <displayName>test:app0:roles:role0</displayName>
      <name>test:app0:roles:role0</name>
      <uuid>b6979607f4be43038df280208521d021</uuid>
    </WsGroup>
  </wsGroups>
  <!-- Empty: a permissionType=role query carries no subject-specific assignments, so the
       admin/write assignments made to test.subject.0 in the script do not show up here. -->
  <wsSubjects />
</WsGetPermissionAssignmentsResults>

