Child pages
  • Grouper provision permissions with Rice workflow example
Skip to end of metadata
Go to start of metadata

This is an example of a Kuali edoclite that will auto-provision the requestor into the requested role/permissions at the end of the workflow.  Note in Rice you will have approvals etc before the end, this example just shows the provisioning so there is only one approval

Screenshot of Kuali form

Note, this is the default template, you will customize this for your institution



Screenshot of HTML



HTML to start with

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Provision permissions with workflow</title>
<style type="text/css">

  html, body, td {
    font-family:Tahoma,Arial,Helvetica,sans-serif;
    font-size:11px;
  }

  h1 {
    font-size:22px;
    line-height:22px;
  }

  h2 {
    border-bottom:1px solid #6699CC;
    color:#990000;
    font-size:16px;
    font-weight:bold;
    line-height:20px;
    width:650px;
  }

  .formTable td {
    padding:2px 0;
  }

  .formTable td.fieldLabel {
    color:#011F5B;
    text-align:right;
    vertical-align:top;
    width:238px;
    font-weight:bold;
  }

  .formTable td.fieldAsterisk {
    color:#990000;
    text-align:left;
    width:12px;
    vertical-align:top;
  }

  .formTable td.fieldInfo {
    text-align:left;
    width:auto;
  }

  .extraInstruct {
    color:#6E83AD;
    font-weight:bold;
  }

  p {
    width: 650px;
  }
</style>
</head>
<body>
  <h1>Example provision permissions with workflow</h1>
  <br /><br />

    <table border="0" cellspacing="0" cellpadding="0" class="formTable" width="640">

      <tr>
        <td class="fieldLabel">Role</td>
        <td valign="top" class="fieldAsterisk">*</td>
        <td class="fieldInfo" id="roleTdId">

          <select>
            <option value="some:role:user">User</option>
            <option value="some:role:admin">Admin</option>
          </select>
        </td>
      </tr>

      <tr>
        <td class="fieldLabel">Operation</td>
        <td valign="top" class="fieldAsterisk">*</td>
        <td class="fieldInfo" id="operationTdId">

          <select>
            <option value="add">Add</option>
            <option value="replace">Replace</option>
            <option value="remove">Remove</option>
          </select>
        </td>
      </tr>

      <tr>
        <td class="fieldLabel">Action(s)</td>
        <td valign="top" class="fieldAsterisk">*</td>
        <td class="fieldInfo" id="actionTdId">

          <input type="checkbox" name="actionName0" value="read">Read<br>
          <input type="checkbox" name="actionName1" value="write">Write<br>
        </td>
      </tr>

      <tr>
        <td class="fieldLabel">Permission(s)</td>
        <td valign="top" class="fieldAsterisk">*</td>
        <td class="fieldInfo" id="permissionTdId">

          <input type="checkbox" name="permissionName0" value="english">English<br>
          <input type="checkbox" name="permissionName1" value="physics">Physics<br>
        </td>
      </tr>

      <tr>
        <td class="fieldLabel">Enabled date</td>
        <td valign="top" class="fieldAsterisk"></td>
        <td class="fieldInfo" id="enabledDateTdId">

          <input type="text" name="enabledDate" width="15" />
          &nbsp; <span class="extraInstruct">(e.g. 2001/02/03)</span>
        </td>
      </tr>

      <tr>
        <td class="fieldLabel">Disabled date</td>
        <td valign="top" class="fieldAsterisk"></td>
        <td class="fieldInfo" id="disabledDateTdId">

          <input type="text" name="disabledDate" width="15" />
          &nbsp; <span class="extraInstruct">(e.g. 2001/02/03)</span>
        </td>
      </tr>

      <tr>
        <td class="fieldLabel">Ability to delegate</td>
        <td valign="top" class="fieldAsterisk">*</td>
        <td class="fieldInfo" id="delegationTdId">

          <input type="radio" name="delegate0" value="FALSE">No &nbsp;
          <input type="radio" name="delegate1" value="TRUE">Yes &nbsp;
          <input type="radio" name="delegate2" value="GRANT">Yes, and can grant ability to delegate
        </td>
      </tr>

    </table>


    <br /><br />

  </body>
</html>

Groups

If you arent using grouper for groups in Rice, then ingest this xml in Rice.  Otherwise, create this group in our rice base folder in Grouper

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
  <groups xmlns="ns:workflow/Group" xsi:schemaLocation="ns:workflow/Group resource:Group">
    <group>
      <namespace>KUALI</namespace>
      <name>samplePermissions</name>
      <description>route to group1</description>
      <members>
        <principalName>user1</principalName>
        <principalName>user2</principalName>
      </members>
    </group>
  </groups>
</data>

If your kuali root stem is:, then your GSH might look like this:

gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% permissionsGroup = new GroupSave(grouperSession).assignName("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions").assignGroupNameToEdit("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions").assignCreateParentStemsIfNotExist(true).save();
gsh 2% addMember("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions", "user1");
gsh 3% addMember("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions", "user2");
gsh 4% grantPriv("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions", "riceGrouper/medley.isc-seo.upenn.edu", AccessPrivilege.READ);

Note, you will also have to create the roles / permissions that will be provisioned (from the HTML above), and grant access to the kuali rice grouper web service client user, e.g.

gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% role0 = new GroupSave(grouperSession).assignName("some:role:user").assignGroupNameToEdit("some:role:user").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
gsh 2% role1 = new GroupSave(grouperSession).assignName("some:role:admin").assignGroupNameToEdit("some:role:admin").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
gsh 3% role0.grantPriv(SubjectFinder.findById("riceGrouper/server.school.edu", true), AccessPrivilege.UPDATE);
gsh 4% role0.grantPriv(SubjectFinder.findById("riceGrouper/server.school.edu", true), AccessPrivilege.READ);
gsh 5% role1.grantPriv(SubjectFinder.findById("riceGrouper/server.school.edu", true), AccessPrivilege.UPDATE)
gsh 6% role1.grantPriv(SubjectFinder.findById("riceGrouper/server.school.edu", true), AccessPrivilege.READ);
gsh 7% orgAttributeDef = new AttributeDefSave(grouperSession).assignName("penn:isc:ait:apps:someApp.permissions.orgs").assignAttributeDefType(AttributeDefType.perm).assignToEffMembership(true).assignToGroup(true).save();
gsh 8% orgAttributeDef.getAttributeDefActionDelegate().configureActionList(GrouperUtil.toSet(new Object[]{"read", "write"}));
gsh 9% wsSubject = SubjectFinder.findById("riceGrouper/server.school.edu", true);
gsh 10% orgAttributeDef.getPrivilegeDelegate().grantPriv(wsSubject, AttributeDefPrivilege.ATTR_READ, false);
gsh 11% orgAttributeDef.getPrivilegeDelegate().grantPriv(wsSubject, AttributeDefPrivilege.ATTR_UPDATE, false);
gsh 12% orgAttributeDef.getAttributeDefScopeDelegate().assignOwnerGroup(role0);
gsh 13% orgAttributeDef.getAttributeDefScopeDelegate().assignOwnerGroup(role1);
gsh 14% english = new AttributeDefNameSave(grouperSession, orgAttributeDef).assignName("penn:isc:ait:apps:someApp:permissions:english").assignCreateParentStemsIfNotExist(true).save();
gsh 15% physics = new AttributeDefNameSave(grouperSession, orgAttributeDef).assignName("penn:isc:ait:apps:someApp:permissions:physics").assignCreateParentStemsIfNotExist(true).save();


Rule template

Ingest this to Kuali Rice in the admin console.  This allows us to route to a group (not required for provisioning, just giving the workflow one hop)

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
  <ruleTemplates xmlns="ns:workflow/RuleTemplate" xsi:schemaLocation="ns:workflow/RuleTemplate resource:RuleTemplate">
    <ruleTemplate>
      <name>sampleProvisionPermissions.groupRuleTemplate</name>
      <description>Rule template for group to route to</description>
    </ruleTemplate>
  </ruleTemplates>
</data>

Doctype

Ingest this to Kuali Rice in the admin console.  This configures the nodes in the workflow and associated them with rules (i.e. in the group name let anyone in that group know the form is waiting for them, and let any of them approve it.  Note the post processor is the grouper rice post processor

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
  <documentTypes xmlns="ns:workflow/DocumentType" xsi:schemaLocation="ns:workflow/DocumentType resource:DocumentType">
    <documentType>
      <name>sampleProvisionMultipleGroups.doctype</name>
      <description>sampleProvisionMultipleGroups doctype</description>
      <label>sampleProvisionMultipleGroups DocumentType</label>
      <postProcessorName>edu.internet2.middleware.grouperKimConnector.postProcessor.GrouperEdoclitePostProcessor</postProcessorName>
      <superUserGroupName namespace="KUALI">sampleRouteToGroup1</superUserGroupName>
      <defaultExceptionGroupName namespace="KUALI">sampleRouteToGroup1</defaultExceptionGroupName>
      <docHandler>${workflow.url}/EDocLite</docHandler>
      <active>true</active>
      <routingVersion>2</routingVersion>
      <routePaths>
        <routePath>
          <start name="Initiated" nextNode="groupNode" />
          <requests name="groupNode" />
        </routePath>
      </routePaths>
      <routeNodes>
        <start name="Initiated">
          <activationType>P</activationType>
          <mandatoryRoute>false</mandatoryRoute>
          <finalApproval>false</finalApproval>
        </start>
        <requests name="groupNode">
          <activationType>P</activationType>
          <ruleTemplate>sampleProvisionMultipleGroups.groupRuleTemplate</ruleTemplate>
          <mandatoryRoute>false</mandatoryRoute>
          <finalApproval>false</finalApproval>
        </requests>
      </routeNodes>
    </documentType>
  </documentTypes>
</data>

eDocLite

Ingest this xml into Kuali Rice which has the list of fields and HTML including the options which have the groups to add the requestor to

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
  <edoclite xmlns="ns:workflow/EDocLite" xsi:schemaLocation="ns:workflow/EDocLite resource:EDocLite">
    <edl name="sampleProvisionPermissions.form" title="sampleProvisionPermissions">
      <security />
      <createInstructions>** Questions with an asterisk are required.</createInstructions>
      <instructions>** Questions with an asterisk are required.</instructions>
      <validations />
      <attributes />

      <fieldDef name="role" title="Role">
        <display>
          <type>radio</type>
          <values title="User">user</values>
          <values title="Admin">admin</values>
        </display>
        <validation required="true">
          <regex>[^select]</regex>
          <message>Please select a role.</message>
        </validation>
      </fieldDef>

      <fieldDef name="operation" title="Operation">
        <display>
          <type>radio</type>
          <values title="Add">assign_permission</values>
          <values title="Replace">replace_permissions</values>
          <values title="Remove">remove_permission</values>
        </display>
        <validation required="true">
          <regex>[^select]</regex>
          <message>Please select an operation.</message>
        </validation>
      </fieldDef>


      <fieldDef name="actionsFieldDef0" title="Read">
        <display>
          <type>checkbox</type>
          <values title="">read</values>
        </display>
      </fieldDef>

      <fieldDef name="actionsFieldDef1" title="Write">
        <display>
          <type>checkbox</type>
          <values title="">write</values>
        </display>
      </fieldDef>

      <fieldDef name="permissionsFieldDef0" title="English">
        <display>
          <type>checkbox</type>
          <!-- note this will have a prefix: penn:isc:ait:apps:someApp.permissions.english -->
          <values title="">english</values>
        </display>
      </fieldDef>

      <fieldDef name="permissionsFieldDef1" title="Physics">
        <display>
          <type>checkbox</type>
          <!-- note this will have a prefix: penn:isc:ait:apps:someApp.permissions.physics -->
          <values title="">physics</values>
        </display>
      </fieldDef>

      <fieldDef name="enabledDate" title="Enabled date">
        <display>
          <type>text</type>
          <meta>
            <name>size</name>
            <value>20</value>
          </meta>
        </display>
      </fieldDef>

      <fieldDef name="disabledDate" title="Disabled date">
        <display>
          <type>text</type>
          <meta>
            <name>size</name>
            <value>20</value>
          </meta>
        </display>
      </fieldDef>

      <fieldDef name="delegation" title="Ability to delegate">
        <display>
          <type>radio</type>
          <values title="No">FALSE</values>
          <values title="Yes">TRUE</values>
          <values title="Yes, and can grant ability to delegate">GRANT</values>
        </display>
        <validation required="true">
          <regex>[^select]</regex>
          <message>Please select a role.</message>
        </validation>
      </fieldDef>


    </edl>
    <style name="sampleProvisionPermissions.style">
      <xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:my-class="xalan://org.kuali.rice.kew.edl.WorkflowFunctions" version="1.0">
        <!-- widgets is simply more xslt that contains common functionality that greatly simplifies html rendering. It is somewhat complicated but does not require changes or full understanding unless enhancements are required.  -->
        <xsl:include href="widgets" />
        <xsl:output indent="yes" method="html" omit-xml-declaration="yes" version="4.01" />
        <!-- variables in the current version of xslt cannot be changed once set. Below they are set to various values often fed by java classes or to values contained in workflow xml. Not all of these are used in this form but are shown because often they can be useful. The ones prefixed with my-class are methods that are exposed by workflow to Edoclite.-->
        <xsl:variable name="actionable" select="/documentContent/documentState/actionable" />
        <xsl:variable name="docHeaderId" select="/documentContent/documentState/docId" />
        <xsl:variable name="editable" select="/documentContent/documentState/editable" />
        <xsl:variable name="globalReadOnly" select="/documentContent/documentState/editable != 'true'" />
        <xsl:variable name="docStatus" select="//documentState/workflowDocumentState/status" />
        <xsl:variable name="isAtNodeInitiated" select="my-class:isAtNode($docHeaderId, 'Initiated')" />
        <xsl:variable name="isPastInitiated" select="my-class:isNodeInPreviousNodeList('Initiated', $docHeaderId)" />
        <xsl:variable name="isUserInitiator" select="my-class:isUserInitiator($docHeaderId)" />
        <xsl:variable name="workflowUser" select="my-class:getWorkflowUser().authenticationUserId().id()" />
        <xsl:param name="overrideMain" select="'true'" />
        <!-- mainForm begins here. Execution of stylesheet begins here. It calls other templates which can call other templates. Position of templates beyond this point do not matter. -->
        <xsl:template name="mainForm">
          <html xmlns="">
            <head>
              <script type="text/javascript" src="../penn/jquery.js" />

              <script>
              $(document).ready(function(){

                 $('#edoclite').submit(function() {

                   //make sure there is at least one permission checkbox checked
                   if ($('#permissionTdId :checked').length == 0) {
                     alert('Please select a permission to assign');
                     return false;
                   }

                   //make sure there is at least one permission checkbox checked
                   if ($('#actionTdId :checked').length == 0) {
                     alert('Please select an action to assign');
                     return false;
                   }

                   return true;
                 });

              });
              </script>


              <xsl:call-template name="htmlHead" />
<style type="text/css">

  html, body, td {
    font-family:Tahoma,Arial,Helvetica,sans-serif;
    font-size:11px;
  }

  h1 {
    font-size:22px;
    line-height:22px;
  }

  h2 {
    border-bottom:1px solid #6699CC;
    color:#990000;
    font-size:16px;
    font-weight:bold;
    line-height:20px;
    width:650px;
  }

  .formTable td {
    padding:2px 0;
  }

  .formTable td.fieldLabel {
    color:#011F5B;
    text-align:right;
    vertical-align:top;
    width:238px;
    font-weight:bold;
  }

  .formTable td.fieldAsterisk {
    color:#990000;
    text-align:left;
    width:12px;
    vertical-align:top;
  }

  .formTable td.fieldInfo {
    text-align:left;
    width:auto;
  }

  .extraInstruct {
    color:#6E83AD;
    font-weight:bold;
  }

  p {
    width: 650px;
  }

  div.mainDiv {
    width: 900px;
  }
</style>
            </head>
            <body onload="onPageLoad()">
              <xsl:call-template name="errors" />
              <!-- the header is usefule because it tells the user whether they are in 'Editing' mode or 'Read Only' mode. -->
              <xsl:call-template name="header" />
              <xsl:call-template name="instructions" />
              <xsl:variable name="formTarget" select="'EDocLite'" />
              <!-- validateOnSubmit is a function in edoclite1.js which also supports edloclite forms and can be somewhat complicated but does not require modification unless enhancements are required. -->
              <form action="{$formTarget}" enctype="multipart/form-data" id="edoclite" method="post" onsubmit="return validateOnSubmit(this)">
                <xsl:call-template name="hidden-params" />
                <xsl:call-template name="mainBody" />
                <xsl:call-template name="notes" />
                <br />
                <xsl:call-template name="buttons" />
                <br />
              </form>
              <xsl:call-template name="footer" />
            </body>
          </html>
        </xsl:template>
        <!-- mainBody template begins here. It calls other templates which can call other templates. Position of templates do not matter. -->
        <xsl:template name="mainBody">
          <!-- to debug, or see values of previously created, the uncomment the following line to see value of $docStatus rendered on form. -->
          <!-- $docStatus=<xsl:value-of select="$docStatus" /> -->
          <!-- rest of this all is within the form table -->
          <h1>Example provision permissions with workflow</h1>
          <br /><br />

          <table border="0" cellspacing="0" cellpadding="0" class="formTable" width="640">

            <tr>
              <td class="fieldLabel">Role</td>
              <td valign="top" class="fieldAsterisk">*</td>
              <td class="fieldInfo" id="roleTdId">

                <xsl:call-template name="widget_render">
                  <xsl:with-param name="fieldName" select="'role'" />
                  <xsl:with-param name="renderCmd" select="'input'" />
                  <xsl:with-param name="readOnly" select="$isPastInitiated" />
                </xsl:call-template>
              </td>
            </tr>

            <tr>
              <td class="fieldLabel">Operation</td>
              <td valign="top" class="fieldAsterisk">*</td>
              <td class="fieldInfo" id="operationTdId">

                <xsl:call-template name="widget_render">
                  <xsl:with-param name="fieldName" select="'operation'" />
                  <xsl:with-param name="renderCmd" select="'input'" />
                  <xsl:with-param name="readOnly" select="$isPastInitiated" />
                </xsl:call-template>
              </td>
            </tr>

            <tr>
              <td class="fieldLabel">Action(s)</td>
              <td valign="top" class="fieldAsterisk">*</td>
              <td class="fieldInfo" id="actionTdId">

                <xsl:call-template name="widget_render">
                  <xsl:with-param name="fieldName" select="'actionsFieldDef0'" />
                  <xsl:with-param name="renderCmd" select="'input'" />
                  <xsl:with-param name="readOnly" select="$isPastInitiated" />
                </xsl:call-template> Read<br />
                <xsl:call-template name="widget_render">
                  <xsl:with-param name="fieldName" select="'actionsFieldDef1'" />
                  <xsl:with-param name="renderCmd" select="'input'" />
                  <xsl:with-param name="readOnly" select="$isPastInitiated" />
                </xsl:call-template> Write
              </td>
            </tr>
            <tr>
              <td class="fieldLabel">Permission(s)</td>
              <td valign="top" class="fieldAsterisk">*</td>
              <td class="fieldInfo" id="permissionTdId">
                <xsl:call-template name="widget_render">
                  <xsl:with-param name="fieldName" select="'permissionsFieldDef0'" />
                  <xsl:with-param name="renderCmd" select="'input'" />
                  <xsl:with-param name="readOnly" select="$isPastInitiated" />
                </xsl:call-template> English<br />
                <xsl:call-template name="widget_render">
                  <xsl:with-param name="fieldName" select="'permissionsFieldDef0'" />
                  <xsl:with-param name="renderCmd" select="'input'" />
                  <xsl:with-param name="readOnly" select="$isPastInitiated" />
                </xsl:call-template> Physics<br />
              </td>
            </tr>

              <tr>
                <td class="fieldLabel">Enabled date</td>
                <td valign="top" class="fieldAsterisk"></td>
                <td class="fieldInfo">

                  <xsl:call-template name="widget_render">
                    <xsl:with-param name="fieldName" select="'enabledDate'" />
                    <xsl:with-param name="renderCmd" select="'input'" />
                    <xsl:with-param name="readOnly" select="$isPastInitiated" />
                  </xsl:call-template> <xsl:call-template name="nbsp" />
                  <span class="extraInstruct">(e.g. 2001/02/03)</span>

                </td>
              </tr>

              <tr>
                <td class="fieldLabel">Disabled date</td>
                <td valign="top" class="fieldAsterisk"></td>
                <td class="fieldInfo">

                  <xsl:call-template name="widget_render">
                    <xsl:with-param name="fieldName" select="'disabledDate'" />
                    <xsl:with-param name="renderCmd" select="'input'" />
                    <xsl:with-param name="readOnly" select="$isPastInitiated" />
                  </xsl:call-template> <xsl:call-template name="nbsp" />
                  <span class="extraInstruct">(e.g. 2001/02/03)</span>

                </td>
              </tr>

              <tr>
                <td class="fieldLabel">Ability to delegate</td>
                <td valign="top" class="fieldAsterisk">*</td>
                <td class="fieldInfo" id="delegationTdId">

                  <xsl:call-template name="widget_render">
                    <xsl:with-param name="fieldName" select="'delegation'" />
                    <xsl:with-param name="renderCmd" select="'input'" />
                    <xsl:with-param name="readOnly" select="$isPastInitiated" />
                  </xsl:call-template>
                </td>
              </tr>


          </table>




          <br /><br />



        </xsl:template>
        <xsl:template name="nbsp">
          <xsl:text disable-output-escaping="yes">&amp;nbsp;</xsl:text>
        </xsl:template>
      </xsl:stylesheet>
    </style>
    <association>
      <docType>sampleProvisionPermissions.doctype</docType>
      <definition>sampleProvisionPermissions.form</definition>
      <style>sampleProvisionPermissions.style</style>
      <active>true</active>
    </association>
  </edoclite>
</data>

Rule

Ingest this rule in Kuali Rice so that this group is notified and allowed to approve the request at this node in the workflow

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
  <rules xmlns="ns:workflow/Rule" xsi:schemaLocation="ns:workflow/Rule resource:Rule">
    <rule>
      <name>sampleProvisionPermissions.groupRule</name>
      <documentType>sampleProvisionPermissions.doctype</documentType>
      <ruleTemplate>sampleProvisionPermissions.groupRuleTemplate</ruleTemplate>
      <description>Route to group</description>
      <responsibilities>
        <responsibility>
          <groupName namespace="KUALI">samplePermissions</groupName>
          <actionRequested>A</actionRequested>
          <priority>1</priority>
        </responsibility>
      </responsibilities>
    </rule>
  </rules>
</data>

Grouper client properties

Configure the grouper client properties in Kuali Rice which tells the post processor that the document type above is linked to auto provision fields with a certain prefix

###############################
# configure postprocessor actions on document types.  The string "sampleProvisioning" ties the configs
# together, change that label for multiple

###### MISC
# email addresses (comma separated) that should get an admin email that this was done (or errors)
kuali.edoclite.saveMembership.sampleProvisionPermissions.emailAdmins = me@school.edu

# doctype name that this applies to
kuali.edoclite.saveMembership.sampleProvisionPermissions.docTypeName = sampleProvisionPermissions.doctype

###### GROUPS
# regex of group allowed to assign to, extra layer of security, optional
kuali.edoclite.saveMembership.sampleProvisionPermissions.groupRegex = ^some:role:[^:]$

# list of allowed to assign to (comma separate), extra layer of security, optional,
#generally mutually exclusive with the groupRegex
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedGroups =

# edocliteFieldPrefix if checkboxes or textfields or whatever, put the prefix of the edoclite field here.
# so if the field prefix is "groups", then it will look for groups0, groups1, etc to groups200...
# the value of the field is the group to add to
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefix =

# this will be prefixed to the entered group name so the whole stem doesnt
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredGroupNamePrefix =

# groups (comma separated) id or name which the initiator will be assigned to when the document is final
kuali.edoclite.saveMembership.sampleProvisionPermissions.addMembershipToGroups =

# groups (comma separated) id or name which the initiator will be unassigned from when the document is final
kuali.edoclite.saveMembership.sampleProvisionPermissions.removeMembershipFromGroups =

# delete date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldGroupDisabledDate = disabledDate

# enable date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldGroupEnabledDate = enabledDate

###### PERMISSIONS ROLES
# role to assign permissions to or null if not doing permissions (mutually exclusive with edocliteFieldRoleForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.roleForPermissions =

# role to assign permissions to (read from edoclite) or empty if not doing permissions (mutually exclusive with roleForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldRoleForPermissions = role

# this will be prefixed to the entered role name so the whole stem doesnt
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredRoleNamePrefix = some:role:

# allowed roles (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedRolesForPermissions = some:role:user, some:role:admin

###### PERMISSIONS OPERATIONS
# operation of assign|remove permissions (mutually exclusive with edocliteFieldOperationForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.operationForPermissions =

# operation to assign|remove permissions (read from edoclite) or empty if not doing permissions (mutually exclusive with operationForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldOperationForPermissions = operation

# allowed operations (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedOperationsForPermissions = assign_permission, remove_permission, replace_permissions

###### ACTIONS
# actions to assign permissions to or null if not doing permissions (mutually exclusive with edocliteFieldRoleForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.actionsForPermissions =

# actions to assign permissions to (read from edoclite) or empty if not doing permissions (mutually exclusive with actionsForPermissions)
# this is the prefix, appending 0,1,2 etc on the end.  so the fields would be someEdocliteFieldName0, someEdocliteFieldName1, etc
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefixActionsForPermissions = actionsFieldDef

# allowed actions (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedActionsForPermissions = read, write

###### PERMISSIONS
# permissions to assign or null if not doing permissions (mutually exclusive with edocliteFieldPrefixForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissions =

# permissions to assign (read from edoclite) or empty if not doing permissions (mutually exclusive with permissions)
# this is the prefix, appending 0,1,2 etc on the end.  so the fields would be someEdocliteFieldName0, someEdocliteFieldName1, etc
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefixForPermissions = permissionsFieldDef

# allowed permissions (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedPermissions =

# regex of permissions allowed to assign, extra layer of security, optional
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissionsRegex = ^penn:isc:ait:apps:someApp:permissions:.*$

#this will be prefixed to the entered permission name so the whole stem doesnt
#have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredPermissionNamePrefix = penn:isc:ait:apps:someApp:permissions:

# delete date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionDisabledDate = disabledDate

# enable date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionEnabledDate = enabledDate

# field name which has blank or FALSE, TRUE, or GRANT for if the user can delegate the permissions to others
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionsDelegatable = delegation

# blank or FALSE, TRUE, or GRANT for if the user can delegate the permissions to others
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissionsDelegatable =

##################################################


Result

After the form is submitted and approved (whatever the approval workflow is), then whatever checkboxes are checked, those roles/permissions will be (un)assigned to the requestor:

gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% orgAttributeDef = AttributeDefFinder.findByName("penn:isc:ait:apps:someApp.permissions.orgs", true);
gsh 2% userRole = GroupFinder.findByName(grouperSession, "some:role:user", true);
gsh 3% subject = SubjectFinder.findByIdentifier("myid", true);
gsh 4% member = MemberFinder.findBySubject(grouperSession, subject, true);
gsh 5%     GrouperDAOFactory.getFactory().getPermissionEntry().findPermissions(GrouperUtil.toSetObject(orgAttributeDef.getId()), null, GrouperUtil.toSetObject(userRole.getId()), null, true, GrouperUtil.toSetObject(member.getUuid()));
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=some:role:user,attributeDefNameName=penn:isc:ait:apps:someApp:permissions:english,action=write,sourceId=pennperson,subjectId=12345678,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 6%



Also, if there is an email address in "emailAdmins" config, then an email like this will be sent to as a confirmation to the admins of the form:

-----Original Message-----
From: noreply@school.edu [mailto:noreply@school.edu]
Sent: Tuesday, May 25, 2010 11:10 PM
To: Chris Hyzer
Subject: DEV:Grouper Rice auto-provision for document: sampleProvisionPermissions.doctype


Subject: id: 12345678, name: Michael Christopher Hyzer
name: Michael Christopher Hyzer
description: Michael Christopher Hyzer (myid, 12345678) (active) Staff - Isc Administrative Systems Tools And Technologies - Programmer Analyst Sr (also: Alumni)
PENNNAME: myid
EMAIL: me@school.edu

Group addMember: some:role:user - SUCCESS_ALREADY_EXISTED, disabledDate: 2011-02-03 00:00:00.000

Operation: replace_permissions, overall result: SUCCESS
Permission: penn:isc:ait:apps:someApp:permissions:english, action: read, changed: T, deleted: T, disabled: 2011/02/03 00:00:00.000, delegatable: TRUE
Permission: penn:isc:ait:apps:someApp:permissions:english, action: write, changed: F, deleted: F, disabled: 2011/02/03 00:00:00.000, delegatable: TRUE

sdf

  • No labels