If an entity falls out of any group in the IT organization groups (meaning not a central IT employee anymore), then remove permissions from a permission definition or remove from roles which have assignments to the permission definition
Java example
//add a rule on stem:permission saying if you are out of stem:employee,
//then remove assignments to permission, or from roles which have the permission
AttributeAssign attributeAssign = permissionToAssignRule
.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();
attributeValueDelegate.assignValue(
RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId());
attributeValueDelegate.assignValue(
RuleUtils.ruleActAsSubjectIdName(), actAs.getId());
//folder where membership was removed
attributeValueDelegate.assignValue(
RuleUtils.ruleCheckOwnerIdName(), mustBeInGroupInFolder.getUuid());
attributeValueDelegate.assignValue(
RuleUtils.ruleCheckTypeName(),
RuleCheckType.membershipRemoveInFolder.name());
//SUB for all descendants, ONE for just children
attributeValueDelegate.assignValue(
RuleUtils.ruleCheckStemScopeName(),
stemScope.name());
//if there is no more membership in the folder, and there is a membership in the group
attributeValueDelegate.assignValue(
RuleUtils.ruleIfConditionEnumName(),
RuleIfConditionEnum.thisPermissionDefHasAssignmentAndNotFolder.name());
attributeValueDelegate.assignValue(
RuleUtils.ruleThenEnumName(),
RuleThenEnum.removeMemberFromOwnerPermissionDefAssignments.name());
//should be valid
String isValidString = attributeValueDelegate.retrieveValueString(
RuleUtils.ruleValidName());
if (!StringUtils.equals("T", isValidString)) {
throw new RuntimeException(isValidString);
}
GSH shorthand method
RuleApi.permissionFolderIntersection(actAsSubject, permissionDef, itEmployeeStem, Stem.Scope.SUB);
GSH test case
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: a22fcbc1abb749b6bf3afd5f441896ca,'GrouperSystem','application'
//definition for permission
gsh 1% permissionDef = new AttributeDefSave(grouperSession).assignName("stem:permissionDef").assignCreateParentStemsIfNotExist(true).assignAttributeDefType(AttributeDefType.perm).save();
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=stem:permissionDef,uuid=a20cf95b75154a2da7b817d19a37cf73]
gsh 2% permissionDef.setAssignToEffMembership(true);
gsh 3% permissionDef.setAssignToGroup(true);
gsh 4% permissionDef.store();
//two groups in the org chart for the IT department
gsh 5% groupProgrammers = new GroupSave(grouperSession).assignName("stem:orgs:itEmployee:programmers").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:orgs:itEmployee:programmers' displayName='stem:orgs:itEmployee:programmers' uuid='e9c49da6801446538372ef6f583b7df2'
gsh 6% groupSysadmins = new GroupSave(grouperSession).assignName("stem:orgs:itEmployee:sysadmins").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:orgs:itEmployee:sysadmins' displayName='stem:orgs:itEmployee:sysadmins' uuid='14728c7b48fd4ecc82cbf692ab2aba13'
//folder for IT employee
gsh 7% itEmployee = StemFinder.findByName(grouperSession, "stem:orgs:itEmployee", true);
stem: name='stem:orgs:itEmployee' displayName='stem:orgs:itEmployee' uuid='3d55c81499ce4b059c8e1f2a147c71ae'
//two roles for the application
gsh 8% payrollUser = new GroupSave(grouperSession).assignName("apps:payroll:roles:payrollUser").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
group: name='apps:payroll:roles:payrollUser' displayName='apps:payroll:roles:payrollUser' uuid='0e93b9d5802c475f8d98350226679313'
gsh 9% payrollGuest = new GroupSave(grouperSession).assignName("apps:payroll:roles:payrollGuest").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
group: name='apps:payroll:roles:payrollGuest' displayName='apps:payroll:roles:payrollGuest' uuid='11efd3897df241e2a51e57742296aa08'
gsh 10% subject0 = SubjectFinder.findByIdAndSource("test.subject.0", "jdbc", true);
subject: id='test.subject.0' type='person' source='jdbc' name='my name is test.subject.0'
gsh 11% subject1 = SubjectFinder.findByIdAndSource("test.subject.1", "jdbc", true);
subject: id='test.subject.1' type='person' source='jdbc' name='my name is test.subject.1'
gsh 12% subject2 = SubjectFinder.findByIdAndSource("test.subject.2", "jdbc", true);
subject: id='test.subject.2' type='person' source='jdbc' name='my name is test.subject.2'
//subject0 is assigned to payrollUser role, and that role has the permission (RBAC)
gsh 13% payrollUser.addMember(subject0, false);
true
//subject1 is a guest, and has the permission directly assigned
gsh 14% payrollGuest.addMember(subject1, false);
true
//this is the permission resource
gsh 15% canLogin = new AttributeDefNameSave(grouperSession, permissionDef).assignName("apps:payroll:permissions:canLogin").assignCreateParentStemsIfNotExist(true).save();
edu.internet2.middleware.grouper.attr.AttributeDefName: AttributeDefName[name=apps:payroll:permissions:canLogin,uuid=bc135affbeb84c069cf53a89833c0cca]
gsh 16% payrollUser.getPermissionRoleDelegate().assignRolePermission(canLogin);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@1dd66fd
gsh 17% payrollGuest.getPermissionRoleDelegate().assignSubjectRolePermission(canLogin, subject1);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@e5d155
gsh 18% member0 = MemberFinder.findBySubject(grouperSession, subject0, false);
member: id='test.subject.0' type='person' source='jdbc' uuid='d65c59dac1494a84940c45190dd44f3e'
gsh 19% member1 = MemberFinder.findBySubject(grouperSession, subject1, false);
member: id='test.subject.1' type='person' source='jdbc' uuid='94a1f7bbc08f4c0c962b4c19b1dbecbe'
//subject0 and subject1 both have the permission
gsh 20% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollUser,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.0,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=0,action_depth=0,attrDef_depth=0,perm_type=role]
gsh 21% permissions.size()
1
gsh 22% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
gsh 23% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.1,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 24% permissions.size()
1
gsh 25% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
//configure the rule
gsh 26% RuleApi.permissionFolderIntersection(SubjectFinder.findRootSubject(), permissionDef, itEmployee, Stem.Scope.SUB);
gsh 27% groupProgrammers.addMember(subject0, false);
gsh 28% groupSysadmins.addMember(subject0, false);
true
gsh 29% groupProgrammers.addMember(subject1, false);
true
gsh 30% groupSysadmins.addMember(subject1, false);
true
gsh 31% groupProgrammers.addMember(subject2, false);
true
gsh 32% groupSysadmins.addMember(subject2, false);
true
//if subject2 is removed, nothing should happen (subject2 didnt have permissions)
gsh 33% groupProgrammers.deleteMember(subject2);
gsh 34% groupSysadmins.deleteMember(subject2);
//remove subject0 from one group, should still have permissions
gsh 35% groupProgrammers.deleteMember(subject0);
gsh 36% GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid()).size();
1
//remove from the other org group, and the permissions should be gone, should not be in the role anymore
gsh 37% groupSysadmins.deleteMember(subject0);
gsh 38% GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid()).size();
0
//subject1 still have permission
gsh 39% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.1,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 40% permissions.size()
1
gsh 41% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
//remove subject1 from one org, should still have permission
gsh 42% groupSysadmins.deleteMember(subject1);
gsh 43% GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid()).size();
1
//remove from other and loses permission
gsh 44% groupProgrammers.deleteMember(subject1);
gsh 45% payrollGuest.hasMember(subject1)
true
gsh 46% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid())
gsh 47% permissions.size();
0
GSH daemon test case
Run the above GSH commands, then continue below:
gsh 48% payrollUser.addMember(subject0, false);
true
gsh 49% payrollGuest.getPermissionRoleDelegate().assignSubjectRolePermission(canLogin, subject1);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@692a88
gsh 50% payrollUser.addMember(subject2, false);
true
gsh 51% subject3 = SubjectFinder.findByIdAndSource("test.subject.3", "jdbc", true);
subject: id='test.subject.3' type='person' source='jdbc' name='my name is test.subject.3'
gsh 52% payrollGuest.addMember(subject3, false);
true
gsh 53% payrollGuest.getPermissionRoleDelegate().assignSubjectRolePermission(canLogin, subject3);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@1d6e77
gsh 54% groupProgrammers.addMember(subject2, false);
true
gsh 55% groupProgrammers.addMember(subject3, false);
true
gsh 56% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES);
loader ran successfully: Ran rules daemon, changed 0 records
gsh 57% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
gsh 58% permissions.size();
0
gsh 59% payrollUser.hasMember(subject0);
false
gsh 60% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
gsh 61% permissions.size();
0
gsh 62% payrollGuest.hasMember(subject1);
true
gsh 65% member2 = MemberFinder.findBySubject(grouperSession, subject2, false);
member: id='test.subject.2' type='person' source='jdbc' uuid='2ccf68d9fe4241888822be1a0546c8e5'
gsh 66% member3 = MemberFinder.findBySubject(grouperSession, subject3, false);
member: id='test.subject.3' type='person' source='jdbc' uuid='efcec181c7e34907abafa6ba1fa1143f'
gsh 67% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member2.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollUser,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.2,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=0,action_depth=0,attrDef_depth=0,perm_type=role]
gsh 68% permissions.size();
1
gsh 69% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
gsh 70% payrollUser.hasMember(subject2);
true
gsh 71% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member3.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.3,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 72% permissions.size();
1
gsh 73% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
gsh 74% payrollGuest.hasMember(subject3);
true
gsh 75%
sdaf