If an attribute definition is created, and the parent stem CREATE privilege is inherited from a group(s), then remove the individual ATTR_ADMIN privilege from the created attribute definition, and assign the ATTR_ADMIN privilege to the stem CREATE group(s). Note, if the user is a wheel or root, then just remove the individual assignment.
Java example
//add a rule on stem2 saying if you create a group underneath, then remove admin if in another group which has create on stem
AttributeAssign attributeAssign = stem2
.getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();
attributeValueDelegate.assignValue(
RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
attributeValueDelegate.assignValue(
RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");
attributeValueDelegate.assignValue(
RuleUtils.ruleCheckTypeName(), RuleCheckType.attributeDefCreate.name());
//can be SUB or ONE for if in this folder, or in this and all subfolders
attributeValueDelegate.assignValue(
RuleUtils.ruleCheckStemScopeName(), Stem.Scope.SUB.name());
attributeValueDelegate.assignValue(
RuleUtils.ruleThenEnumName(), RuleThenEnum.reassignAttributeDefPrivilegesIfFromGroup.name());
//should be valid
String isValidString = attributeValueDelegate.retrieveValueString(
RuleUtils.ruleValidName());
if (!StringUtils.equals("T", isValidString)) {
throw new RuntimeException(isValidString);
}
GSH shorthand method
RuleApi.reassignAttributeDefPrivilegesIfFromGroup(SubjectFinder.findRootSubject(), stem2, Stem.Scope.SUB);
GSH test case
TODO
GSH daemon
There is no daemon for this rule