...
The attribute framework is used for attaching metadata to various objects in the registry. One example is here.
Table of Contents |
---|
Features
- Attributes can be assigned to groups, memberships (immediate or effective), members (i.e. subjects), folders, other attributes, and attribute assignments (one level deep)
- Attribute assignments have an optional "action" qualifier. This is a free form string which is configured per attribute definition
- Attributes could have free-form values, multi-valued, multi-assigned, limits as to where they can be applied, validation on values (TODO on validation), etc
- Attributes can have enabled/disabled dates. This is in progress.
Security on Attributes
- have a definition (attributeDef), and a name (attributeName or aka attributeDefName).
- There is a one-to-many relationship between attributeDef and attributeName.
- The definition has all the configuration, and the name is assigned to the object
Gliffy Diagram name attributeDefToNameOneToMany pagePin 5
- Attributes can be assigned to groups, memberships (immediate or effective), members (i.e. subjects), folders, other attributes, and attribute assignments (one level deep)
Gliffy Diagram name attributeAssignTo pagePin 2
- Attribute assignments that are permissions have an optional "action" qualifier for permission type attributes. This is a free form string which is configured per attribute definition
Gliffy Diagram name attributePermissionAction pagePin 1
- Attributes could have free-form values, multi-valued, multi-assigned, limits as to where they can be applied, validation on values (TODO on validation), etc
Gliffy Diagram name attributeAssignAndValueTypes pagePin 1
- Attributes can have enabled/disabled dates.
Security on Attributes
- Attributes have security, coupled with other objects' security. Each attribute has the following lists:
- ATTR_VIEW: can see that the attribute exists
- ATTR_READ: can see the attribute assignment
- ATTR_UPDATE: can assign or unassign the attribute
- ATTR_ADMIN
- ATTR_VIEW: can see that the attribute exists
- ATTR_READ: can see the attribute assignment
- ATTR_UPDATE: can assign or unassign the attribute
- ATTR_ADMIN: can rename the attribute or assign security
- ATTR_OPTIN: can assign assign the attribute to one's self
- ATTR_OPTOUT: can unassign the attribute to one's self
- ATTR_DEF_ATTR_READ (v2.2+): can see attributes assigned to this attribute definition (note you need READ on the assigned attributes definition too)
- ATTR_OPTOUT: can unassign the attribute to one's self_DEF_ATTR_UPDATE (v2.2+): can assign attributes to this attribute definition (note you need UPDATE on the assigned attributes definition too)
- In order to perform operations on attributes, more security is needed on the underlying objects. For example, to assign an attribute to a group, you need ATTR_UPDATE on the attribute and GROUP_ATTR_UPDATE on the group. In order to assign an attribute to a membership, you need ATTR_UPDATE on the attribute, and UPDATE on the group.
- To make attributes easier to use, you can set these settings in the grouper.properties to make attributes "public". This means that if you have the appropriate security on the underlying object, you can add / edit / delete attributes from the object
- Attribute assignments can be delegatable. You can identify as assignment as true for delegatable, false for not delegatable, or "grant" which means the user can delegate it, and set the delegate flag.
...
Code Block |
---|
studentsAttrDef.setMultiAssignable(true); studentsAttrDef.store(); -- RESTART GSH -- grouperSession = GrouperSession.startRootSession(); groupBrainProject = GroupFinder.findByName(grouperSession, "school:math:brainProject", true); attrArtsAndSciences = AttributeDefNameFinder.findByName("school:attr:students:artsAndSciences", true); groupBrainProject.getAttributeDelegate().addAttribute(attrAtrsAndSciencesattrArtsAndSciences); groupBrainProject.getAttributeDelegate().addAttribute(attrAtrsAndSciencesattrArtsAndSciences); groupBrainProject.getAttributeDelegate().addAttribute(attrAtrsAndSciencesattrArtsAndSciences); groupBrainProject.getAttributeDelegate().retrieveAssignments(attrArtsAndSciences); |
...
Put an attribute on a membership
Code Block |
---|
gsh 0% gsh 1% grouperSession grouperSession = GrouperSession.startRootSession(); edu.internet2.middleware.grouper.GrouperSession: 3c50fffcfb104b39adbd55d05d47355 7,'GrouperSystem','application' gsh 2% folder = GrouperSessionStemFinder.startRootSession(); edu.internet2.middleware.grouper.GrouperSession: 3c50fffcfb104b39adbd55d05d47355 7,'GrouperSystem','application' gsh 2% folder = StemFinder.findByName(grouperSession, "Communities:LVC:LSC:MOU:UWM:UWMGroupAttributes",true) stem: name='findByName(grouperSession, "Communities:LVC:LSC:MOU:UWM:UWMGroupAttributes",true) stem: name='Communities:LVC:LSC:MOU:UWM:UWMGroupAttributes' displayName='Communi ties:LVC:LSC:MOU:UWM:UWMGroupAttributes' uuid='97f4c134149941fbad8906d3a1ed2340' gsh 3% attributeDef = folder.addChildAttributeDef("attr01", AttributeDefType.attr); edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=Communities:LVC:LSC:MOU:UWM:UWMGroupAttributes' displayName='Communi ties:LVC:LSC:MOU:UWM:UWMGroupAttributes' uuid='97f4c134149941fbad8906d3a1ed2340' gsh 3% attributeDef :attr01,uuid=f8756aac777947ff9ae386786de4a287] gsh 4% attributeDef.setAssignToImmMembership(true); gsh 5% attributeDef.store(); gsh 6% myAttributeName = folder.addChildAttributeDefaddChildAttributeDefName(attributeDef,"attr01myAttributeName", AttributeDefType.attr"myAttributeName"); edu.internet2.middleware.grouper.attr.AttributeDefAttributeDefName: AttributeDefAttributeDefName[name=Communities:LVC:LSC:MOU:UWM:UWMGroupAttributes:attr01myAttributeName ,uuid=f8756aac777947ff9ae386786de4a287db8d3c93b30e4e2f96d3cdd9ae1af737] gsh 4% attributeDef.setAssignToImmMembership(true); gsh 5% attributeDef.store(); gsh 6% myAttributeName = folder.addChildAttributeDefName(attributeDef,"myAttributeName","myAttributeName"); edu.internet2.middleware.grouper.attr.AttributeDefName: AttributeDefName[name=Communities:LVC:LSC:MOU:UWM:UWMGroupAttributes:myAttributeName ,uuid=db8d3c93b30e4e2f96d3cdd9ae1af737] gsh 7% subject = SubjectFinder.findById("scott.koranda@LIGO.ORG", true); subject: id='scott.koranda@LIGO.ORG' type='person' source='ligo' name='Scott Koranda' gsh 8% member = MemberFinder.findBySubject(grouperSession, subject, true); member: id='scott.koranda@LIGO.ORG' type='person' source='ligo' uuid='56246fe035bd4266bc92abb617430033' gsh 9% group = GroupFinder.findByName(grouperSession, "Communities:LVC:LSC:MOU:UWM:UWMGroupMembers"); group: name='Communities:LVC:LSC:MOU:UWM:UWMGroupMembers' displayName='Communities:LVC:LSC:MOU:UWM:UWMGroupMembers' uuid='00918b49-ad44-49aa-8b13-49d8a1aa459c' gsh 10% membership = MembershipFinder.findImmediateMembership(grouperSession, group,subject,Group.getDefaultList(), true) 7% subject = SubjectFinder.findById("scott.koranda@LIGO.ORG", true); subject: id='scott.koranda@LIGO.ORG' type='person' source='ligo' name='Scott Koranda' gsh 8% member = MemberFinder.findBySubject(grouperSession, subject, true); member: id='scott.koranda@LIGO.ORG' type='person' source='ligo' uuid='56246fe035bd4266bc92abb617430033' gsh 9% group = GroupFinder.findByName(grouperSession, "Communities:LVC:LSC:MOU:UWM:UWMGroupMembers"); group: name='Communities:LVC:LSC:MOU:UWM:UWMGroupMembers' displayName='Communities:LVC:LSC:MOU:UWM:UWMGroupMembers' uuid='00918b49-ad44-49aa-8b13-49d8a1aa459c' gsh 10% membership = MembershipFinder.findImmediateMembership(grouperSession, group,subject,Group.getDefaultList(), true) edu.internet2.middleware.grouper.Membership: Membership[createTime=1270587726584,creatorUuid=e00f1b26f1c340db8845e1dfe297f01b,depth=0,listName=members,listType=list,memberUuid=56246fe035bd4266bc92abb617430033,groupId=00918b49-ad44-49aa-8b13-49d8a1aa459c,type=immediate,uuid=faefbff7e2ce4561b86c7e070fcd0ac9:a5b12a759438462a996842dca313ccfc] gsh 11% membership.getAttributeDelegate().assignAttribute(myAttributeName); edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@488e753c gsh 12% membership.getAttributeDelegate().retrieveAssignments(myAttributeName); edu.internet2.middleware.grouper.attr.Membershipassign.AttributeAssign: MembershipAttributeAssign[createTimeid=1270587726584350594e5dc39431ea56c17635eab253f,creatorUuidaction=e00f1b26f1c340db8845e1dfe297f01bassign,depth=0,listName=members,listType=list,memberUuid=56246fe035bd4266bc92abb617430033,groupId=00918b49-ad44-49aa-8b13-49d8a1aa459c,type=immediate,uuid=faefbff7e2ce4561b86c7e070fcd0ac9:a5b12a759438462a996842dca313ccfc] gsh 11% membership.getAttributeDelegate().assignAttribute(myAttributeName); edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@488e753c gsh 12% membership.getAttributeDelegate().retrieveAssignments(myAttributeName); edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=350594e5dc39431ea56c17635eab253f,action=assign,attributeDefName=Communities:LVC:LSC:MOU:UWM:UWMGroupAttributes:evil,membershipId=faefbff7e2ce4561b86c7e070fcd0ac9] gsh 13% |
See Also
attributeDefName=Communities:LVC:LSC:MOU:UWM:UWMGroupAttributes:evil,membershipId=faefbff7e2ce4561b86c7e070fcd0ac9]
gsh 13%
|
Exclude attributes from audits, changelog, and point in time
Code Block |
---|
# comma separated names of attribute defs will not be audited or change log or point in time
# same as ${edu.internet2.middleware.grouper.cfg.GrouperConfig.retrieveConfig().propertyValueStringRequired('grouper.attribute.rootStem')}
grouper.attribute.namesOfAttributeDefsToIgnoreAuditsChangeLogPit.elConfig = $$grouper.attribute.rootStem$$:userData:grouperUserDataValueDef,$$grouper.attribute.rootStem$$:instrumentationData:instrumentationDataInstanceCountsDef,$$grouper.attribute.rootStem$$:instrumentationData:instrumentationDataInstanceDetailsDef,$$grouper.attribute.rootStem$$:instrumentationData:instrumentationDataCollectorDetailsDef
# comma separated names of attribute def names will not be audited or change log or point in time
grouper.attribute.namesOfAttributeDefNamesToIgnoreAuditsChangeLogPit.elConfig = $$grouper.attribute.rootStem$$:attestation:attestationCalculatedDaysLeft,$$grouper.attribute.rootStem$$:attestation:attestationLastEmailedDate,$$grouper.attribute.rootStem$$:loaderMetadata:grouperLoaderMetadataLastFullMillisSince1970,$$grouper.attribute.rootStem$$:loaderMetadata:grouperLoaderMetadataLastIncrementalMillisSince1970,$$grouper.attribute.rootStem$$:loaderMetadata:grouperLoaderMetadataLastSummary
|
See Also
- Attribute Framework UI
- Attribute Based Access Control (ABAC)
- Provisioning Groups Using Attribute Framework
- Presentation that includes an example of the attribute framework
- Attribute Framework UI