...
To use Grouper Custom UI, a group is configured with attributes
...
configure this in the grouper.properties or on the Miscellaneous → Custom UI screen
Then there is link in the More Actions menu if you have the custom UI attributes assigned on the group
...
If a user is a manager (READ/UPDATE), then they will be able to pull users up, see the screen they see, see the answers to all their variables, and enroll or unenroll those users
The configuration is used to be done with JSON from simple javabeans, here is an example, explained more later.
As the Grouper Admin, go to a group (maybe one where people can join/leave), and add attribute assignments. Add "customUi" to the group. Then "add metadata assignment" to the customUi assignment, add customUiTestConfigBeans, and customUiUserQueryConfigBeans. Add a value for each JSON bean. It is multivalued, so add as many as you need
Configuration attributes
The configuration is simple javabeans in JSON format. These JSON strings are assigned as attributes values on a Group (see example above).
User query config bean
These configs identify variables that can be used in the screen to conditionally set text, adjust email text, etc. They are set from some operation like checking a membership in a group or an LDAP or SQL call or something
The queries are of type: userQueryType which is from the enum: CustomUiUserQueryType:
- grouper: check a membership or privilege
- ldap: execute an ldap filter
- sql: run a sql query against grouper or another database
- expressionLanguage: some expression (could call java)
- azure: check an azure membership or user object
- zoom: check zoom api and make attributes available (added 2.5.35+)
The queries assign variables which must be prefixed with "cu_" for "Custom UI"
You can configure a default that will fill in values for all config beans (maybe useful if there are a bunch of similar ldap calls)
but now is done in grouper.properties configuration or from the UI. See the Atlassian Jira Custom UI example for the current way to configure
User query config bean
These configs identify variables that can be used in the screen to conditionally set text, adjust email text, etc. They are set from some operation like checking a membership in a group or an LDAP or SQL call or something
The queries are of type: userQueryType which is from the enum: CustomUiUserQueryType:
- grouper: check a membership or privilege
- ldap: execute an ldap filter
- sql: run a sql query against grouper or another database
- expressionLanguage: some expression (could call java)
- azure: check an azure membership or user object
- zoom: check zoom api and make attributes available (added 2.5.35+)
The queries assign variables which must be prefixed with "cu_" for "Custom UI"
You can configure a default that will fill in values for all config beans (maybe useful if there are a bunch of similar ldap calls)
| Field | Type | Required for type | Optional for type | Description | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| attributeDefId | String | expressionLanguage, grouper, sql | uuid of attribute def to | |||||||||||||
| Field | Type | Required for type | Optional for type | Description | ||||||||||||
| attributeDefId | String | expressionLanguage, grouper, sql | uuid of attribute def to look up | |||||||||||||
| azureGroupId | String | azure | if hardcoding the uuid of group in azure | |||||||||||||
| bindVar0 | String | sql | bind var for sql | |||||||||||||
| bindVar0type | String | sql | bind var type in sql: string or integer | |||||||||||||
| bindVar1 | String | sql | bind var for sql | |||||||||||||
| bindVar1type | String | sql | bind var type in sql: string or integer | |||||||||||||
| bindVar2 | String | sql | bind var for sql | |||||||||||||
| bindVar2type | String | sql | bind var type in sql: string or integer | |||||||||||||
| configId | String | azure, ldap, zoom | sql | id in grouper config for azure, ldap, or sql | ||||||||||||
| enabled | Boolean | azure, expressionLanguage, grouper, ldap, sql, zoom | true or false if this var is enabled | |||||||||||||
| errorLabel | String | azure, zoom | expressionLanguage, grouper, ldap, sql | label on screen for the error variable | ||||||||||||
| fieldNames | String | grouper | comma separated privs in grouper, e.g. members, readers, admins, viewers, updaters, optins, optouts, groupAttrReaders, groupAttrUpdaters, creators, stemAdmins, stemAttrReaders, stemAttrUpdaters, attrReaders, attrUpdaters, attrDefAttrReaders, attrDefAttrUpdaters, attrOptins, attrOptouts, attrAdmins | |||||||||||||
| forLoggedInUser | Boolean | azure, expressionLanguage, grouper, ldap, sql | true if should run this rule for the logged in user (if manager using screen), or by default its the user being acted on (which might be the user logged in) | |||||||||||||
| groupId | String | azure, expressionLanguage, grouper, ldap, sql | group uuid to look up a group | |||||||||||||
| groupName | String | azure, expressionLanguage, grouper, ldap, sql | group name to look up a group | |||||||||||||
| label | String | azure, expressionLanguage, grouper, ldap, sql, zoom | label to see on screen when variables are displayed | |||||||||||||
| ldapAttributeToRetrieve | String | ldap | which attribute in ldap to retrieve | |||||||||||||
| ldapFilter | String | ldap | ldap filter to run | |||||||||||||
| ldapSearchDn | String | ldap | if not using the default dn in connection, search in this dn | |||||||||||||
| nameOfAttributeDef | String | expressionLanguage, grouper, sql | name of attribute definition to lookup | |||||||||||||
| order | Integer | azure, expressionLanguage, grouper, ldap, sql, zoom | integer and rules will be ordered by this integer, when displayed on screen | |||||||||||||
| query | String | sql | sql query to execute | |||||||||||||
| script | String | expressionLanguage | azure(2.5.30+), zoom | EL expression to run | ||||||||||||
| stemId | String | expressionLanguage, grouper, sql | uuid of stem to lookup | |||||||||||||
| stemName | String | expressionLanguage, grouper, sql | name of stem to lookup | |||||||||||||
| userQueryType | String | azure, expressionLanguage, grouper, ldap, sql, zoom | identify the type of query, enter either: azure, expressionLanguage, grouper, ldap, sql. dropdown. | variableToAssign | String | azure, expressionLanguage, grouper, ldap, sql, zoom | name of variable must start with cu_ if the value is "default" then each attribute value will be the default for any bean without that set where its a valid value. dropdown. you cant have two variables with the same name | variableToAssignOnError | String | azure, zoom | expressionLanguage, grouper, ldap, sql | name of variable to assign on error, must start with cu_variableType | String | expressionLanguage, grouper, ldap, sql, azure, zoom | type of variable: boolean, integer, string |
GSH script to generate a user query bean
| Code Block |
|---|
customUiUserQueryConfigBean = new edu.internet2.middleware.grouper.ui.customUi.CustomUiUserQueryConfigBean();
customUiUserQueryConfigBean.setVariableToAssign("cu_o365twoStepRequiredToEnroll");
customUiUserQueryConfigBean.setFieldNames("members");
customUiUserQueryConfigBean.setUserQueryType("grouper");
customUiUserQueryConfigBean.setVariableType("boolean");
customUiUserQueryConfigBean.setGroupName("penn:isc:ait:apps:O365:twoStepProd:o365_two_step_prod_policy");
customUiUserQueryConfigBean.setLabel("${textContainer.text['penn_o365twoStep_cu_o365twoStepRequiredToEnroll']}");
System.out.println(GrouperUtil.jsonConvertTo(customUiUserQueryConfigBean, false)); |
JSON which is generated
...
| sql. dropdown. | ||||
| variableToAssign | String | azure, expressionLanguage, grouper, ldap, sql, zoom | name of variable must start with cu_ if the value is "default" then each attribute value will be the default for any bean without that set where its a valid value. dropdown. you cant have two variables with the same name | |
| variableToAssignOnError | String | azure, zoom | expressionLanguage, grouper, ldap, sql | name of variable to assign on error, must start with cu_ you cant have two variables with the same name |
| variableType | String | expressionLanguage, grouper, ldap, sql, azure, zoom | type of variable: boolean, integer, string |
Examples
Default user query bean to set some LDAP settings
...
| Code Block |
|---|
{
"variableToAssign":"cu_o365twoStepInLdap",
"userQueryType":"ldap",
"variableToAssignOnError":"cu_o365twoStepInLdapError",
"groupName":"penn:isc:ait:apps:O365:twoStepProd:o365_two_step_prod",
"label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepInLdap']}",
"errorLabel":"${textContainer.text['penn_o365twoStep_cu_o365twoStepInLdapError']}",
"order":70,
"configId":"oneProdAd"
} |
Built-in variables
These variables are there for you to key off. Note: you should not start your variable names with "cu_grouper" since that namespace is for built in variables
| Variable name | Description |
|---|---|
| cu_grouperEnroll | true if the user clicked the enroll button, false if the user clicked the unenroll button (e.g. for email templates) |
| cu_grouperTurnOffManager | url variable if you do not want to see the manager panel |
Text config beans
These are a little misnamed, they are for text or for other decisions about the screen. Could be a boolean result. It is strongly encouraged to externalize text in the UI externalized text config
...
| Text type | Type | Description |
|---|---|---|
| canAssignVariables | boolean | if the screen allows variables to be assigned in the URL for testing. e.g. to simulate various users and see how the screen responds note: only allow trusted users to be able to do this. Only Grouper admins can do this by default |
| canSeeScreenState | boolean | if the screen state analysis should be displayed on the screen to help the user understand why access exists or not. By default only Grouper admins can see screen state. Note that more columns of the user environment will also display |
| canSeeUserEnvironment | boolean | if the user variables and results should display. By default group readers and updaters can see this. Note that these are abbreviated if the user cannoy also see screen state |
| emailBccGroupName | String | if there are emails and a group should be bcc'ed then return the group name here |
| emailBody | String | if there are emails then this is the body. Note you can have a template that is dynamic, or different templates in different scenarios |
| emailSubject | String | if there are emails then this is the subject. Note you can have a template that is dynamic, or different templates in different scenarios |
| emailToUser | boolean | true if an email should be sent to user. Note you can send under certain circumstances if you like |
| enrollButtonShow | boolean | true if the enroll button should show. Note that the user cant enroll if they dont have optin on the group |
| enrollButtonText | String | Button text of enroll button. Defaults to: Enroll |
| enrollmentLabel | String | Text above the enrollment button that shows the state of the enrollment or whatever else |
| header | String | The H1 of the page |
| helpLink | String | Link where the help button goes |
| instructions1 | String | Instructions at the top of the page |
| logo | String | Link for logo |
| managerInstructions | String | Instructions to appear for readers/updaters who are managing users in this group |
| unenrollButtonShow | boolean | true if the unenroll button should show. Note that the user cant enroll if they dont have optout on the group. Note that the enroll and unenroll button will not show at once |
| unenrollButtonText | String | Button text of unenroll button. Defaults to: Unenroll |
| manageMembership | boolean | (v2.5.38+) true or false, if the button will add the user to the group or remove them |
| redirectToUrl | String | (v2.5.38+) URL that the user should be redirected to after clicking button |
| gshScript | String | (v2.5.38+) GSH script that should be run. Note this is a stripped down version of GSH, so only use Java (no GSH functions), and fully qualify anything not in the base grouper or util java package. This is for performance reasons. |
GSH script to generate a text bean
| Code Block |
|---|
customUiTextConfigBean = new edu.internet2.middleware.grouper.ui.customUi.CustomUiTextConfigBean();
customUiTextConfigBean.setCustomUiTextType(CustomUiTextType.instructions1.name());
customUiTextConfigBean.setIndex(10);
customUiTextConfigBean.setScript("${cu_o365twoStepRequiredToEnroll}");
customUiTextConfigBean.setText("${textContainer.text['penn_o365twoStep_instructions_requiredToEnroll']}");
customUiTextConfigBean.setEndIfMatches(true);
System.out.println(GrouperUtil.jsonConvertTo(customUiTextConfigBean, false)); |
JSON which is generated
| Code Block |
|---|
{
"variableToAssign":"cu_o365twoStepRequiredToEnroll",
"fieldNames":"members",
"userQueryType":"grouper",
"variableType":"boolean",
"groupName":"penn:isc:ait:apps:O365:twoStepProd:o365_two_step_prod_policy",
"label":"${textContainer.text['penn_o365twoStep_cu_o365twoStepRequiredToEnroll']}",
"order":40
} |
Examples
Always show header, note, this is the default for "header"
...
| Code Block |
|---|
{
"endIfMatches":true,
"customUiTextType":"enrollButtonShow",
"index":0,
"text":"${!cu_o365twoStepEnrolled && cu_o365twoStepCanEnrollUnenroll && cu_twoStepUsers && cu_o365hasMailbox}"
} |
User environment
You can show the variables, and results, and links to the grouper admin, the group manager (default), an arbitrary group, or the end user. This explains the access (if the user needs something, if the access is provisioned, etc)
Note, you can control who has access to the user environment table with the customUiTextType: canSeeUserEnvironment
Text state
You can show another level of debugging by showing the text state. By default only grouper admins can see this but you can show it to an arbitrary group with the customUiTextType: canSeeScreenState. This explains why the decisions and text were made and shown the way they were.
...
- More columns in the user environment
- The decisions for the current user
- All text rules and how they are evaluated for the current user
Assign variables
If you are a Grouper admin (by default), or are allowed since customUiTextType: canAssignVariables. You can send variables in the URL to simulate how the screen would look, to test all the rules
...
Someone enrolled
https://grouper.server.school.edu/grouper/grouperUi/app/UiV2Main.indexCustomUi?operation=UiV2CustomUi.customUiGroup&groupId=61bcaad67d57438ab1fea11c426c2f64&cu_o365twoStepAllowedToManage=false&cu_grouperTurnOffManager=true&cu_o365twoStepInAzure=true&cu_o365twoStepInAzureError=false&cu_o365twoStepCanEnrollUnenroll=true&cu_o365twoStepSelfEnrolled=true&cu_o365twoStepEnrolled=true&cu_o365twoStepRequiredToEnroll=false&cu_twoStepUsers=true&cu_o365hasMailbox=true&cu_o365twoStepInLdap=true&cu_o365twoStepInLdapError=false&cu_o365twoStepRequiredDate=2020/05/01
Azure membership
Configure an azure connection in grouper.properties
...