Child pages
  • Grouper rules use case - Composite-ng intersection permissions
Skip to end of metadata
Go to start of metadata

Grouper rules

If an entity is no longer a member of the employee group, remove them from the role for application X which hsa certain permissions assigned; also unassign any direct permissions to the user.

Java example

    //add a rule on stem:permission saying if you are out of stem:employee,
    //then remove assignments to permission, or from roles which have the permission
    AttributeAssign attributeAssign = permissionToAssignRule
      .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();

    AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckOwnerIdName(), mustBeInGroup.getId());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckTypeName(),
        RuleCheckType.membershipRemove.name());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleIfConditionEnumName(),
        RuleIfConditionEnum.thisPermissionDefHasAssignment.name());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumName(),
        RuleThenEnum.removeMemberFromOwnerPermissionDefAssignments.name());

    //should be valid
    String isValidString = attributeValueDelegate.retrieveValueString(
        RuleUtils.ruleValidName());

    if (!StringUtils.equals("T", isValidString)) {
      throw new RuntimeException(isValidString);
    }

GSH shorthand method

RuleApi.permissionGroupIntersection(SubjectFinder.findRootSubject(), permissionDef, groupEmployee);

GSH test case

gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 9351993908a847b190da1e428033c579,'GrouperSystem','application'

//make a permission definition, which is assignable to roles or users in the context of a role
gsh 1% permissionDef = new AttributeDefSave(grouperSession).assignName("stem:permissionDef").assignCreateParentStemsIfNotExist(true).assignAttributeDefType(AttributeDefType.perm).save();
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=stem:permissionDef,uuid=dde36f66d60841448c217dc009d4eac8]
gsh 2% permissionDef.setAssignToEffMembership(true);
gsh 3% permissionDef.setAssignToGroup(true);
gsh 4% permissionDef.store();

//employee group is the group that if the user falls out of, remove the permissions assignments
gsh 5% groupEmployee = new GroupSave(grouperSession).assignName("stem:employee").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:employee' displayName='stem:employee' uuid='7934203d09bf407bbf813f6768759ea9'

//these are roles for the application
gsh 6% payrollUser = new GroupSave(grouperSession).assignName("apps:payroll:roles:payrollUser").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
group: name='apps:payroll:roles:payrollUser' displayName='apps:payroll:roles:payrollUser' uuid='663d14fda9aa45d48caaab84a4df11dc'
gsh 7% payrollGuest = new GroupSave(grouperSession).assignName("apps:payroll:roles:payrollGuest").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
group: name='apps:payroll:roles:payrollGuest' displayName='apps:payroll:roles:payrollGuest' uuid='bcdce97b557e46c59b663bb3c7db7126'

//subject0 is in payrollUser, subject1 is a payroll guest
gsh 10% addMember("apps:payroll:roles:payrollUser", "test.subject.0");
true
gsh 11% addMember("apps:payroll:roles:payrollGuest", "test.subject.1");
true

//canLogin is a permissions resource in the permission definition
gsh 12% canLogin = new AttributeDefNameSave(grouperSession, permissionDef).assignName("apps:payroll:permissions:canLogin").assignCreateParentStemsIfNotExist(true).save();
edu.internet2.middleware.grouper.attr.AttributeDefName: AttributeDefName[name=apps:payroll:permissions:canLogin,uuid=83107cf902544375a46376c8a4210051]

//for subject0, this permission is assigned to the role, and subject0 gets it from being a member of the role
gsh 13% payrollUser.getPermissionRoleDelegate().assignRolePermission(canLogin);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@1d74bb1
gsh 16% subject1 = SubjectFinder.findById("test.subject.1", true);
subject: id='test.subject.1' type='person' source='jdbc' name='my name is test.subject.1'
gsh 17% subject0 = SubjectFinder.findById("test.subject.0", true);
subject: id='test.subject.0' type='person' source='jdbc' name='my name is test.subject.0'

//subject1 is a guest, and gets the permission as directly assigned in the context of role payrollGuest
gsh 18% payrollGuest.getPermissionRoleDelegate().assignSubjectRolePermission(canLogin, subject1);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@c5dbb
gsh 19% member0 = MemberFinder.findBySubject(grouperSession, subject0, false);
gsh 20% member1 = MemberFinder.findBySubject(grouperSession, subject1, false);
member: id='test.subject.1' type='person' source='jdbc' uuid='bc39785bb650459585043d9b4cffc051'

//subject0 and subject1 each have one permission
gsh 21% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollUser,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.0,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=0,action_depth=0,attrDef_depth=0,perm_type=role]
gsh 22% permissions.size()
1
gsh 23% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
gsh 24% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.1,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 25% permissions.size()
1
gsh 26%  permissions.iterator().next().getAttributeDefNameName();
apps:payroll:permissions:canLogin

//add the rule
gsh 27% RuleApi.permissionGroupIntersection(SubjectFinder.findRootSubject(), permissionDef, groupEmployee);

//add users to employee group
gsh 29% groupEmployee.addMember(subject0);
gsh 30% groupEmployee.addMember(subject1);

//remove the first user
gsh 33% groupEmployee.deleteMember(subject0);

//since the permission was due to role, the user should not be in role anymore, or the permissions
gsh 34% payrollUser.hasMember(subject0);
false
gsh 35% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
gsh 36% permissions.size();
0

//subject1 still have permissions in the context of the role
gsh 37% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.1,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 38% permissions.size()
1
gsh 39% permissions.iterator().next().getAttributeDefNameName();
apps:payroll:permissions:canLogin

//remove subject1 from employee group
gsh 40% groupEmployee.deleteMember(subject1);

//subject1 is still a guest since guest does not have login ability...
gsh 43% payrollGuest.hasMember(subject1);
true

//however, the direct assignment to user in the context of the role is removed
gsh 44% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
gsh 45% permissions.size()
0
gsh 46%

GSH daemon test case

Run the above test case, and continue below

gsh 48% addMember("apps:payroll:roles:payrollUser", "test.subject.0");
true
gsh 49% payrollGuest.getPermissionRoleDelegate().assignSubjectRolePermission(canLogin, subject1);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.Attribu
teAssignResult@c50443
gsh 50% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES);
loader ran successfully: Ran rules daemon, changed 0 records
gsh 51% payrollUser.hasMember(subject0);
false
gsh 52% payrollGuest.hasMember(subject1);
true
gsh 53% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
gsh 54% permissions.size()
0
gsh 55% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
gsh 56% permissions.size()
0
gsh 57%
  • No labels