
If a group is created under folder a:b, then assign the READ and UPDATE privileges on that group to the group a:security:admins.

You should use the inherited privileges screen to control this. This rule is on the folder where groups are created (or an ancestor folder).

Configure rule for v5+

[Image]

Configure rule for v4 and previous

Penn example

Penn has Atlassian groups in Grouper. Any group created in Grouper in the jira/confluence folder will be available in jira/confluence. However, the proper privileges need to be assigned to the groups: the Atlassian admins need admin, updaters need update, and readers need read. These assignments are done by 3 people, and the process is error-prone (the wrong thing gets assigned), sometimes forgotten, and time-consuming.

...

```
gsh 18% revokePriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update"))
false
gsh 19% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES);
loader ran successfully: Ran rules daemon, changed 0 records
gsh 20% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update"))
true
```


Apply rule to certain groups

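If you want the rule to apply only to groups with certain names, an admin can add this condition:

```java
// attributeValueDelegate is the value delegate of the rule's attribute
// assignment, set up earlier in the rule definition (not shown in this excerpt).

// Condition type: the group name must match a SQL LIKE string.
attributeValueDelegate.assignValue(
    RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.nameMatchesSqlLikeString.name());
// Condition argument: the LIKE pattern the group name is compared against.
attributeValueDelegate.assignValue(
    RuleUtils.ruleIfConditionEnumArg0Name(), "a:b:%someGroup");
```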
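To check which group names a pattern such as `a:b:%someGroup` covers before relying on it for automatic privilege grants, the following added example (not part of the Grouper documentation or code base) evaluates the pattern against constructed group names. It assumes standard SQL LIKE semantics (`%` matches any run of characters, including `:`; `_` matches exactly one character; case-sensitive; no escape character); `like_to_regex`, `rule_scope` and the sample names are hypothetical.

```python
import re


def like_to_regex(pattern):
    """Translate a SQL LIKE pattern: % = any run of characters, _ = exactly one."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")
        elif ch == "_":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)


def rule_scope(pattern, group_names):
    """Sort names into matched / unmatched, and flag matches that sit in a
    deeper folder than the literal prefix of the pattern suggests."""
    rx = like_to_regex(pattern)
    # Literal text before the first wildcard, e.g. "a:b:" for "a:b:%someGroup".
    prefix = re.split(r"[%_]", pattern, maxsplit=1)[0]
    depth = prefix.count(":")
    result = {"matched": [], "unmatched": [], "deeper_than_prefix": []}
    for name in group_names:
        if rx.fullmatch(name):
            result["matched"].append(name)
            # % also spans ":" separators, so nested folders are in scope too.
            if name.count(":") > depth:
                result["deeper_than_prefix"].append(name)
        else:
            result["unmatched"].append(name)
    return result


# Constructed sample group names (not from the page).
SAMPLE_GROUPS = [
    "a:b:someGroup",
    "a:b:jira_someGroup",
    "a:b:sub:team:someGroup",
    "a:b:someGroupAdmins",
    "a:c:someGroup",
]

if __name__ == "__main__":
    for key, names in rule_scope("a:b:%someGroup", SAMPLE_GROUPS).items():
        print(key, names)
```

Names listed under `deeper_than_prefix` are groups in nested subfolders that would still receive the rule's privileges, which is worth reviewing when the pattern was meant for one folder level only.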