Versions Compared

Old Version 64

changes.mady.by.user Carey Black (osu.edu)

Saved on

compared with

New Version Current

changes.mady.by.user ben.rappleyea.2@at.internet2.edu

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Include Page
spaceKeyGrouper
pageTitleNavigation

Panel
borderColor#ccc
bgColor#FcFEFF
titleColorwhite
titleBGColor#00a400

Image Removed  This topic is discussed in the Advanced Topics training video and also in the Rules training video.

Grouper rules are available in Grouper v2.0 and above.

Children Display

Grouper rules are configurable declarative scripts which run at certain times and perform actions on the registry.  They are similar to hooks though you don't have to write Java, and it does not require a change to a config file to enable a rule (i.e. anyone with authority in the folder hierarchy could enable a rule).  This is similar to JBoss drools.  There is no heuristic to find the best rule, it finds all matching rules to fire.  Rules are unordered.  Some rule "Then" clauses could kick off more rules.

Table of Contents


Info

Check out this page from the API docs for help with Grouper rules


Here is an object which has a rule on it.  Note: rules are configured with the attribute framework.  The attributes that set the rules metadata are set in a configured namespace. Ask your Grouper admins which folder holds these attributes.

...

Here is a diagram which describes what happens when rules fire, and in the background

...


...

Use cases

Click here to see the use cases and examples of how the Grouper rules engine can address them

...

  • ifCondition: this might not be needed if the check contains all the information about when the rule should fire.  You can configure a premade check (enum) or a scriptlet or EL (Expression language).  e.g.

    Code Block
    ${!RulesUtils.hasMember(groupName, subjectSourceId, subjectId)}


  • then: this is a premade (enum) or scriptlet (EL: expression language).  e.g. thenType is removeMember and groupName is a:b, or a scriptlet:

    Code Block
    ${RulesUtils.removeMember(groupName, subjectSourceId, subjectId}


...

The check component will see if the rule should continue to the "if condition".  The check part is an enum class: edu.internet2.middleware.grouper.rules.RuleCheckType

Look at the javadoc or source for the most recent check types, currently they are:

...

Code Block
grouperSession = GrouperSession.startRootSession();
stem = StemFinder.findByName(grouperSession, "test:testRules");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), stem, Stem.Scope.SUB, SubjectFinder.findRootSubject(), Privilege.getInstances("admin"));
RuleApi.rulesToString(stem);
stem.getAttributeDelegate().removeAttributeByAssignId("af0aa3601b5149a08b71d7d82ea6a906");

 


Error handling

If the rule execution fails for some reason, it should be logged (which could include emailing administrators), but it probably should not affect the transaction of the operation that triggered the rule.  Maybe this can be a setting on a per rule basis and where applicable (e.g. if it is a flattened membership rule trigger, then there is no transaction since the rule fires post commit anyways.

...

Code Block
attributeAssign.getAttributeValueDelegate().assignValue(
        RuleUtils.ruleThenElName(),
        "${myRuleUtils.removeMemberFromGroupId(ownerGroupId, memberId)}");

...


Validate rules dependent groups/stems

Periodically a Grouper administrator should look at rules and see if dependent objects no longer exist.  You should review the offending rules and probably delete them.  Delete them by navigating to the owner object and removing the attribute assignment for that rule.

First look for invalid rules

Code Block
select * from grouper_rules_v where rule_valid != 'T'

Look at the rule_valid column for the reason.  You might want to run this query and see if any of the results are problems.  Note, this will also show some of the invalid rules

Code Block
select assigned_to_type, assigned_to_group_name, assigned_to_stem_name, assigned_to_attribute_def_name, 'memberSubjectIdNotFound' as reason, assigned_to_member_subject_id as the_data
from grouper_rules_v where assigned_to_member_subject_id is not null and 
not exists (select 1 from grouper_members gm where gm.subject_id = assigned_to_member_subject_id)
union all 
select assigned_to_type, assigned_to_group_name, assigned_to_stem_name, assigned_to_attribute_def_name, 'missingRuleCheckOwnerId' as reason, rule_check_owner_id as the_data
from grouper_rules_v where rule_check_owner_id  is not null 
and not exists (select 1 from grouper_groups gg where gg.id = rule_check_owner_id)
and not exists (select 1 from grouper_stems gs where gs.id = rule_check_owner_id)
and not exists (select 1 from grouper_attribute_def gad where gad.id = rule_check_owner_id)
union all 
select assigned_to_type, assigned_to_group_name, assigned_to_stem_name, assigned_to_attribute_def_name, 'missingRuleCheckOwnerName' as reason, rule_check_owner_name as the_data
from grouper_rules_v where rule_check_owner_name is not null 
and not exists (select 1 from grouper_groups gg where gg.name = rule_check_owner_name)
and not exists (select 1 from grouper_stems gs where gs.name = rule_check_owner_name)
and not exists (select 1 from grouper_attribute_def gad where gad.name = rule_check_owner_name)
union all 
select assigned_to_type, assigned_to_group_name, assigned_to_stem_name, assigned_to_attribute_def_name, 'missingRuleIfOwnerId' as reason, rule_if_owner_id as the_data
from grouper_rules_v where rule_if_owner_id is not null 
and not exists (select 1 from grouper_groups gg where gg.id = rule_if_owner_id)
and not exists (select 1 from grouper_stems gs where gs.id = rule_if_owner_id)
and not exists (select 1 from grouper_attribute_def gad where gad.id = rule_if_owner_id)
union all 
select assigned_to_type, assigned_to_group_name, assigned_to_stem_name, assigned_to_attribute_def_name, 'missingRuleIfOwnerName' as reason, rule_if_owner_name as the_data
from grouper_rules_v where rule_if_owner_name is not null 
and not exists (select 1 from grouper_groups gg where gg.name = rule_if_owner_name)
and not exists (select 1 from grouper_stems gs where gs.name = rule_if_owner_name)
and not exists (select 1 from grouper_attribute_def gad where gad.name = rule_if_owner_name)
union all
select assigned_to_type, assigned_to_group_name, assigned_to_stem_name, assigned_to_attribute_def_name, 'missingRuleThenArg0' as reason, rule_then_enum_arg0 as the_data
from grouper_rules_v where rule_then_enum_arg0 like 'g:gsa :::: %' and not exists (select 1 from grouper_groups gg where 
rule_then_enum_arg0 = concat('g:gsa :::: ', gg.id ));

To find a missing group in PIT run this:

Code Block
select * from grouper_pit_groups where source_id = 'f4ae2524dda34129b8b17abeebb7c8c9';


Troubleshooting rules

To troubleshoot rules, set the logging debug level, and check the grouper logs.  Edit the log4j.properties:

...