If a user is not an employee, do not allow them to be added to any group in a folder. This is a special rule in that only one rule can fire, and it needs to be hierarchical, i.e. if things are restricted at an ancestor folder but opened up in a descendant folder, then allow. The ruleCheckType subjectAssignInStem uses a custom rules engine processor to accomplish this. subjectAssignInStem affects all group memberships, group/folder/attributeDef privileges, and permissions (by the folder of the attributeDefName).
Note: ruleCheckArg0 is the subject source. If it is blank, the rule applies to all subject sources; if it is filled in, the rule only applies to that subject source.
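As an added illustration, not code from the Grouper project, here is a small Python model of the hierarchical resolution described above: walking up from the group's folder, the nearest folder with a rule that applies to the subject's source is the only one that fires, so a rule on a descendant folder can open up what an ancestor restricted. The folder names, the stem2:open rule, the etc:allPeople group and the subjects are constructed for the example; the "ONE" scope handling and the idea that a second, broader rule re-opens a subfolder are assumptions about how such a setup would be expressed, not something this page states.

```python
# Added model (not Grouper's own code) of the hierarchical subjectAssignInStem veto.
from dataclasses import dataclass
from typing import Optional, Tuple

Subject = Tuple[str, str]  # (subject id, source id), e.g. ("test.subject.0", "jdbc")

@dataclass(frozen=True)
class StemRule:
    folder: str               # folder the rule attribute is assigned to
    source_id: Optional[str]  # ruleCheckArg0: None means the rule applies to all sources
    required_group: str       # ruleIfOwnerName: group the subject must already be in
    scope: str = "SUB"        # ruleCheckStemScope: "SUB" (all descendants) or "ONE" (direct children)

def ancestors(group_name: str):
    """Yield the group's own folder first, then each ancestor up to the root."""
    parts = group_name.split(":")[:-1]
    while parts:
        yield ":".join(parts)
        parts = parts[:-1]

def check_subject_assign(group_name: str, subject: Subject, rules, memberships):
    """Return (allowed, message). Walk up from the group's folder; the first folder
    holding a rule that applies to this subject's source decides, and no higher rule
    fires. That is what lets a descendant folder re-open what an ancestor restricted."""
    own_folder = group_name.rsplit(":", 1)[0]
    for folder in ancestors(group_name):
        for rule in rules:
            if rule.folder != folder:
                continue
            if rule.scope == "ONE" and folder != own_folder:
                continue  # ONE-scope rules only cover groups directly in that folder
            if rule.source_id and rule.source_id != subject[1]:
                continue  # rule restricted to another subject source
            if subject in memberships.get(rule.required_group, set()):
                return True, ""
            return False, f"vetoed at {folder}: must be a member of {rule.required_group}"
    return True, ""

# Constructed data mirroring the gsh session: a jdbc-only rule on stem2 requiring
# etc:employee, plus an assumed rule on stem2:open that re-opens that subfolder to
# the (constructed) broader group etc:allPeople.
RULES = [StemRule("stem2", "jdbc", "etc:employee"),
         StemRule("stem2:open", "jdbc", "etc:allPeople")]
SUBJECT0: Subject = ("test.subject.0", "jdbc")
GROUP_SUBJECT: Subject = ("stem2:restrictedPart", "g:gsa")  # a group used as a subject
MEMBERSHIPS = {"etc:allPeople": {SUBJECT0}, "etc:employee": set()}

def allowed(group_name: str, subject: Subject = SUBJECT0) -> bool:
    """Convenience wrapper over the constructed rules and memberships."""
    return check_subject_assign(group_name, subject, RULES, MEMBERSHIPS)[0]
```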
(v2.4 patch) The rules change log consumer will check whether any memberships need to be removed (based on the rule).
(v2.4 patch) The rules daemon will look at memberships in the folder and make sure they are valid (based on the rule).
Add this rule to the folder that has the groups where the membership is added.
```java
// Imports added here so the snippet stands alone; the rules classes live in the
// Grouper 2.x packages below, StringUtils is commons-lang. The snippet assumes
// restrictedStem (a Stem) and employeeGroup (a Group) have already been loaded.
import edu.internet2.middleware.grouper.attr.assign.AttributeAssign;
import edu.internet2.middleware.grouper.attr.value.AttributeValueDelegate;
import edu.internet2.middleware.grouper.rules.RuleCheckType;
import edu.internet2.middleware.grouper.rules.RuleIfConditionEnum;
import edu.internet2.middleware.grouper.rules.RuleThenEnum;
import edu.internet2.middleware.grouper.rules.RuleUtils;
import org.apache.commons.lang.StringUtils;

//add a rule on stem:a saying if not in stem:b, then dont allow add to stem:a
AttributeAssign attributeAssign = restrictedStem
  .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();
attributeValueDelegate.assignValue(
  RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
attributeValueDelegate.assignValue(
  RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");
//subject use means membership add, privilege assign, permission assign, etc.
attributeValueDelegate.assignValue(
  RuleUtils.ruleCheckTypeName(), RuleCheckType.subjectAssignInStem.name());
attributeValueDelegate.assignValue(
  RuleUtils.ruleCheckStemScopeName(), "SUB");
//this is optional to restrict to source. I think you will want to do that, or you
//would need to have all the usable groups in the allowed group...
attributeValueDelegate.assignValue(
  RuleUtils.ruleCheckArg0Name(), "jdbc");
attributeValueDelegate.assignValue(
  RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.groupHasNoEnabledMembership.name());
attributeValueDelegate.assignValue(
  RuleUtils.ruleIfOwnerNameName(), employeeGroup.getName());
attributeValueDelegate.assignValue(
  RuleUtils.ruleThenEnumName(), RuleThenEnum.veto.name());
//key which would be used in UI messages file if applicable
attributeValueDelegate.assignValue(
  RuleUtils.ruleThenEnumArg0Name(), "rule.entity.must.be.a.member.of.etc.employee");
//error message (if key in UI messages file not there)
attributeValueDelegate.assignValue(
  RuleUtils.ruleThenEnumArg1Name(), "Entity cannot be assigned if not a member of etc:employee");
//should be valid
String isValidString = attributeValueDelegate.retrieveValueString(
  RuleUtils.ruleValidName());
if (!StringUtils.equals("T", isValidString)) {
  throw new RuntimeException(isValidString);
}
```
```java
// Equivalent one-liner using the RuleApi helper (same rule as the attribute-level code above)
RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), restrictedStem, employeeGroup,
  false, "jdbc", Scope.SUB, "rule.entity.must.be.a.member.of.etc.employee",
  "Entity cannot be assigned if not a member of etc:employee");
```
```
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 4ed601599087457cb12ab96387a4e2e7,'GrouperSystem','application'
gsh 1% allowedGroup = new GroupSave(grouperSession).assignName("stem:allowed").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:allowed' displayName='stem:allowed' uuid='6139ad6ecc004562ab491d97b9ef5829'
gsh 2% restrictedGroup = new GroupSave(grouperSession).assignName("stem2:restricted").assignCreateParentStemsIfNotExist(true).save();
group: name='stem2:restricted' displayName='stem2:restricted' uuid='fe1f2a4f944141d2b77c7400e191e69e'
gsh 3% employeeGroup = new GroupSave(grouperSession).assignName("etc:employee").assignCreateParentStemsIfNotExist(true).save();
group: name='etc:employee' displayName='etc:employee' uuid='b969b29cb83b48bb99cee3fb71595203'
gsh 4% restrictedStem = StemFinder.findByName(grouperSession, "stem2", true);
stem: name='stem2' displayName='stem2' uuid='ca3cc1e40f1a413ab8862acc5d9c1b29'
gsh 6% RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), restrictedStem, employeeGroup, false, "jdbc", Stem.Scope.SUB, "rule.entity.must.be.a.member.of.etc.employee", "Entity cannot be assigned if not a member of etc:employee");
edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=1567066d80684b849a618e06e89496f1,action=assign,attributeDefName=etc:attribute:rules:rule,
stem=Stem[displayName=stem2,name=stem2,uuid=ca3cc1e40f1a413ab8862acc5d9c1b29,creator=41cbc09bf1a54ece8a9761ab8ba68970]]
gsh 8% subject0 = SubjectFinder.findByIdAndSource("test.subject.0", "jdbc", true);
subject: id='test.subject.0' type='person' source='jdbc' name='my name is test.subject.0'
gsh 9% restrictedGroup.addMember(subject0);
edu.internet2.middleware.grouper.rules.RuleVeto: rule.entity.must.be.a.member.of.etc.employee: Entity cannot be assigned if not a member of etc:employee,
gsh 12% allowedGroup.addMember(subject0);
gsh 13% employeeGroup.addMember(subject0);
gsh 14% restrictedGroup.addMember(subject0);
gsh 15%
```
```
gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% allowedGroup = new GroupSave(grouperSession).assignName("stem:allowed").assignCreateParentStemsIfNotExist(true).save();
gsh 2% restrictedGroup = new GroupSave(grouperSession).assignName("stem2:restricted").assignCreateParentStemsIfNotExist(true).save();
gsh 3% restrictedGroupPart = new GroupSave(grouperSession).assignName("stem2:restrictedPart").assignCreateParentStemsIfNotExist(true).save();
gsh 4% subject1 = SubjectFinder.findByIdAndSource("test.subject.1", "jdbc", true);
gsh 5% subject2 = SubjectFinder.findByIdAndSource("test.subject.2", "jdbc", true);
gsh 6% restrictedGroupPart.addMember(subject1);
gsh 7% loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog");
gsh 8% restrictedGroupPart.addMember(subject2);
gsh 9% restrictedGroup.addMember(restrictedGroupPart.toSubject());
gsh 10% employeeGroup = new GroupSave(grouperSession).assignName("etc:employee").assignCreateParentStemsIfNotExist(true).save();
gsh 11% employeeGroupPart = new GroupSave(grouperSession).assignName("etc:employeePart").assignCreateParentStemsIfNotExist(true).save();
gsh 12% employeeGroup.addMember(employeeGroupPart.toSubject());
gsh 13% restrictedStem = StemFinder.findByName(grouperSession, "stem2", true);
gsh 14% RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), restrictedStem, employeeGroup, false, "jdbc", Stem.Scope.SUB, "rule.entity.must.be.a.member.of.etc.employee", "Entity cannot be assigned if not a member of etc:employee");
gsh 15% subject0 = SubjectFinder.findByIdAndSource("test.subject.0", "jdbc", true);
gsh 16% restrictedGroupPart.addMember(subject0);
edu.internet2.middleware.grouper.rules.RuleVeto: rule.entity.must.be.a.member.of.etc.employee: Entity cannot be assigned if not a member of etc:employee,
gsh 17% restrictedGroupPart.grantPriv(subject0, AccessPrivilege.READ);
edu.internet2.middleware.grouper.rules.RuleVeto: rule.entity.must.be.a.member.of.etc.employee: Entity cannot be assigned if not a member of etc:employee,
gsh 18% assign permission where permission name is in restricted stem, to individual user who is not an employee
edu.internet2.middleware.grouper.rules.RuleVeto: rule.entity.must.be.a.member.of.etc.employee: Entity cannot be assigned if not a member of etc:employee,
gsh 19% allowedGroup.addMember(subject0);
gsh 20% employeeGroupPart.addMember(subject0);
gsh 21% restrictedGroupPart.addMember(subject0);
gsh 22% restrictedGroup.hasMember(subject2); //yes
gsh 23% loaderRunOneJob("CHANGE_LOG_changeLogTempToChangeLog");
gsh 24% loaderRunOneJob("CHANGE_LOG_grouperRules");
gsh 25% restrictedGroup.hasMember(subject2); //no
gsh 26% restrictedGroup.hasMember(subject1); //yes
gsh 27% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES);
loader ran successfully: Ran rules daemon, changed 1 records
gsh 28% restrictedGroup.hasMember(subject1); //no
```