Grouper rules use case - Reassign folder privileges if from group

Grouper rules

If a folder is created, and the parent stem CREATE privilege is inherited from one or more groups, then remove the individual CREATE/STEM privileges from the created stem and assign those CREATE/STEM privileges to the stem CREATE group(s). Note: if the user is a wheel or root user, then just remove the individual assignment.
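The outcome described above, as a plain-Java model added here for illustration (it is not Grouper code and not part of the original page). The class, method, and sample subject and group names are hypothetical; it assumes the privileges go to the parent's CREATE groups that the creator is a member of, and that a creator whose CREATE does not come from a group is left unchanged.

```java
import java.util.*;

/** Toy model of the rule's outcome; uses no Grouper classes (all names hypothetical). */
public class ReassignStemPrivilegesModel {

  /**
   * @param creator subject that created the folder
   * @param parentCreateGroups group name -> members, for groups holding CREATE on the parent stem
   * @param wheelOrRoot true if the creator is a wheel group member or the root subject
   * @return who holds CREATE/STEM on the new stem once the rule has run
   */
  static Set<String> holdersAfterRule(String creator,
      Map<String, Set<String>> parentCreateGroups, boolean wheelOrRoot) {

    // Starting point: the creator holds individual CREATE/STEM on the new stem
    Set<String> holders = new TreeSet<>(Set.of(creator));

    if (wheelOrRoot) {
      // Wheel or root: just remove the individual assignment
      holders.remove(creator);
      return holders;
    }

    // Groups through which the creator inherited CREATE on the parent stem
    Set<String> viaGroups = new TreeSet<>();
    for (Map.Entry<String, Set<String>> e : parentCreateGroups.entrySet()) {
      if (e.getValue().contains(creator)) {
        viaGroups.add(e.getKey());
      }
    }

    // Assumption: CREATE not inherited from a group means the rule changes nothing
    if (viaGroups.isEmpty()) {
      return holders;
    }

    // Replace the individual privilege with group-held privileges
    holders.remove(creator);
    holders.addAll(viaGroups);
    return holders;
  }

  public static void main(String[] args) {
    // Constructed sample data
    Map<String, Set<String>> groups = Map.of(
        "app:admins", Set.of("alice", "bob"),
        "app:helpdesk", Set.of("alice"));
    System.out.println(holdersAfterRule("alice", groups, false)); // member of both groups
    System.out.println(holdersAfterRule("carol", groups, false)); // CREATE held directly
    System.out.println(holdersAfterRule("root", groups, true));   // wheel or root
  }
}
```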

Java example

    // Add a rule on stem2: when a stem is created underneath it, remove the creator's
    // individual admin privilege if the creator is in a group which has CREATE on the stem
    AttributeAssign attributeAssign = stem2
      .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
    
    AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();
    
    // The rule acts as GrouperSystem (subject source g:isa) when it fires
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckTypeName(), RuleCheckType.stemCreate.name());
    
    // Scope can be ONE (this folder only) or SUB (this folder and all subfolders)
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckStemScopeName(), Stem.Scope.SUB.name());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumName(), RuleThenEnum.reassignStemPrivilegesIfFromGroup.name());
    
    // The rule should be valid: ruleValid holds "T" when it is, otherwise fail with the stored value
    String isValidString = attributeValueDelegate.retrieveValueString(
        RuleUtils.ruleValidName());

    if (!StringUtils.equals("T", isValidString)) {
      throw new RuntimeException(isValidString);
    }

GSH shorthand method

    RuleApi.reassignStemPrivilegesIfFromGroup(SubjectFinder.findRootSubject(), stem2, Stem.Scope.SUB);

GSH test case

TODO

GSH daemon

There is no daemon for this rule.
