Initializing Administration of Grouper Privileges

GrouperSystem is the root-like principal used to manage assignment of privileges in Grouper. In addition to GrouperSystem, externally authenticated members of the wheel group can choose when to act with root-like privileges.

If you've enabled the wheel group, you must create it and add members. GrouperShell acts as GrouperSystem and can bootstrap the necessary naming stem(s), group, and memberships.

Enabling the Wheel Group

The wheel group is enabled and named in conf/grouper.properties:

# A wheel group allows you to enable non-GrouperSystem subjects to act
# like a root user when interacting with the registry.
groups.wheel.use                      = true

# Set to the name of the group you want to treat as the wheel group.
# The members of this group will be treated as root-like users.
groups.wheel.group                    = etc:sysadmingroup

Automatically Creating the Wheel Group

To automatically create the wheel group, add to conf/grouper.properties:

configuration.autocreate.system.groups = true

Using GrouperShell to Create the Wheel Group

To create the wheel group using GrouperShell:

gsh 0% addRootStem("etc", "Grouper Administration")
stem: name='etc' displayName='Grouper Administration' uuid='f7687876-2c94-4635-997c-f2793fb8152d'
gsh 1% addGroup("etc", "sysadmingroup", "SysAdmin Group")
group: name='etc:sysadmingroup' displayName='Grouper Administration:SysAdmin Group' uuid='6f77fb36-b466-481a-84a7-7af609f1ad09'

Adding Members to the Wheel Group

Whether you've set the wheel group to be automatically created or you've used GrouperShell to create it, you'll still need to add members to the wheel group using GrouperShell:

gsh 0% addMember("etc:sysadmingroup", "SD00125")
true

In this example "SD00125" is the subjectId of a person, determined outside of gsh (here, by an LDAP query to a directory that serves as a subject source for Grouper):

% ldapsearch -b dc=kitn,dc=edu uid=tbarton
dn: kitnEduPersonRegId=SD00125,ou=people,dc=kitn,dc=edu
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: kitnEduPerson
kitnEduPersonRegId: SD00125
cn: Barton, Tom
sn: Barton
description: Professor, Mathematics
uid: tbarton
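As an added example (not from the original page or the Grouper project), the steps above carried out as one GrouperShell script that is safe to re-run: it starts a root session (the equivalent of gsh acting as GrouperSystem), creates the etc stem and the etc:sysadmingroup group only if they are missing, adds SD00125 only if it is not already a member, and finally lists who can now act with root-like privileges. The stem, group and subject names are the ones used on this page; the API calls (GrouperSession, StemFinder, GroupFinder, SubjectFinder, Stem, Group, Member) are assumed to be those of the Grouper 2.x Java API that gsh pre-imports, and the script is written in Java-style syntax.

```groovy
// Added example: idempotent wheel-group bootstrap for GrouperShell.
// Assumes the Grouper 2.x API (gsh pre-imports edu.internet2.middleware.grouper.*)
// and the names used on this page. Re-running it creates nothing twice.

// Must match groups.wheel.group in conf/grouper.properties; if the names differ,
// the members added here get no root-like privileges at all.
String wheelGroupName = "etc:sysadmingroup";
String wheelStemName  = "etc";
String adminSubjectId = "SD00125";   // subjectId taken from the LDAP entry above

GrouperSession session = GrouperSession.startRootSession();  // act as GrouperSystem
try {
  // 1. Naming stem: create only if absent (third argument false returns null
  //    instead of throwing when the stem does not exist).
  Stem etc = StemFinder.findByName(session, wheelStemName, false);
  if (etc == null) {
    Stem root = StemFinder.findRootStem(session);
    etc = root.addChildStem(wheelStemName, "Grouper Administration");
    System.out.println("created stem " + etc.getName());
  }

  // 2. Wheel group: create only if absent.
  Group wheel = GroupFinder.findByName(session, wheelGroupName, false);
  if (wheel == null) {
    wheel = etc.addChildGroup("sysadmingroup", "SysAdmin Group");
    System.out.println("created group " + wheel.getName());
  }

  // 3. Membership: resolve the subject through the configured subject sources
  //    (this is where the LDAP lookup shown above happens; an unknown id throws)
  //    and add it only if it is not yet a member.
  Subject admin = SubjectFinder.findById(adminSubjectId, true);
  if (wheel.hasMember(admin)) {
    System.out.println(adminSubjectId + " is already a member of " + wheel.getName());
  } else {
    wheel.addMember(admin, false);   // false: no exception if already a member
    System.out.println("added " + adminSubjectId + " to " + wheel.getName());
  }

  // 4. Audit: every member listed here can choose to act as root, so the list
  //    should be short and reviewed after each change.
  for (Member m : wheel.getMembers()) {
    System.out.println("wheel member: " + m.getSubjectSourceId() + "/" + m.getSubjectId());
  }
} finally {
  GrouperSession.stopQuietly(session);   // always close the root session
}
```

Paste the script into an interactive gsh session or save it to a file and run it with gsh. Because every step checks before it creates or adds, the same script can be used both for the first bootstrap and for later re-runs (for example from configuration management) without producing duplicate stems, groups or membership errors.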