| Include Page | ||||
|---|---|---|---|---|
|
(Feature in Grouper 2.4 patch grouper_v2_4_0_api_patch_13)
| Table of Contents |
|---|
Overview
Grouper allows you to assign tags (called types) to objects such as folders and groups. There can be metadata on the assignment.
Grouper types helps support and clarify the usage of types as defined in the TIER the Grouper Deployment Guide.
This is a more structured and consistent way of accomplishing what could also done through the attribute framework.
Attribute definitions
| Definition | Assigned to | Purpose | Value | Cardinality |
|---|---|---|---|---|
| grouperObjectTypeDef | folder, group | identify a group type | marker | Multi assign |
| grouperObjectTypeValueDef | folder assignment, group assignment | name/value pairs | String | Single assign, single valued |
Attribute names
| Name | Definition | Value |
|---|---|---|
| grouperObjectTypeMarker |
grouperObjectTypeDef | <none> |
| grouperObjectTypeName |
grouperObjectTypeValueDef | ref, basis, policy,etc, bundle, org, test, service, app. See the TIER Grouper Deployment Guide for descriptions. |
| grouperObjectTypeDataOwner |
| grouperObjectTypeValueDef | e.g. Registrar's office owns this data |
| grouperObjectTypeMembersDescription |
| grouperObjectTypeValueDef | human readable description |
| grouperObjectTypeDirectAssignment |
| grouperObjectTypeValueDef | if this is directly assigned or inherited |
| grouperObjectTypeServiceName |
| grouperObjectTypeValueDef | name of the service that this app falls under |
| grouperObjectTypeOwnerStemId |
| grouperObjectTypeValueDef | if this is not a direct assignment, then this is the stem id where it is inherited from |
Assign type on UI
On a folder or group, a menu item under the "more actions" button will say "Type." (Shown in screenshot below.) This "Type" option will only show if user can edit types.
...
Group or Folder ADMINs can assign types
View on UI
Note, if a user can view a group, they can view this attribute assignment from a high level.
...
If the type is "service", and it is an indirect assignment, and the folder which assigns it has a display extension of "Student systems", then followup with a sentence (note, the folder should be linkable to that folder): This is the Student systems service.
Available Types
| Type | Owner type | Tooltip |
|---|---|---|
| ref | group/folder | Reference groups are institutionally meaningful cohorts used in access policy. |
| basis | group/folder | Basis groups represent arcane codes or attributes from external systems are used generally in reference groups and not directly in access policy. |
| readonly | group/folder | Read-only groups should not have membership changes except by the process that manages the group; perhaps external from the central authorization system |
| policy | group/folder | Access policy groups are used by downstream systems to allow or deny users access to services or resources. |
| bundle | group/folder | Bundles are reference groups which aggregate multiple other reference groups. Reference groups are institutionally meaningful cohorts used in access policy. |
| security | group/folder | Security groups are collections of entities who have from access privilege on a group/folder/attribute, e.g. studentSystemAdmins. |
| org | group/folder | "Org" or organization groups or folders are delegated to and owned by organizations in the community. |
| test | group/folder | Test groups or folders are not used in production systems. They could be for dev, test, performance, etc environments. |
| app | group/folder | App groups or folders exist to be used in a specific application. |
| service | group/folder | A service is a collection of one or many apps that comprise of a service offered to users. |
Screenshots
Use the "More actions" button to access Type.
...
The screenshots above show Types on folders. Similar Type configuration can be set on groups as well.
Keep inherited attributes up do date
A daemon should work like deprovisioning where inherited attributes are kept up to date.
When an attribute is assigned, it should call the propagate method for this object and subobjects if a stem.
To do now
- Put type name first, then direct/indirect
- When settings changed, it should use logic like deprovisioning where it updates the hierarchy tree
- Types and metadata should be displayed on object page under the description (not in "more")
To do later
- Source basis and ref metadata from loader
- Clarify the difference between app and service
- If there is a blank attribute, it should be unassigned
- Use this as a means to search for things
...