...
Grouper rules are available in Grouper v2.0 and above.
| Children Display |
|---|
setup with Grouper Client
Grouper rules are configurable declarative scripts which run at certain times and perform actions on the registry. They are similar to hooks though you don't have to write Java, and it does not require a change to a config file to enable a rule (i.e. anyone with authority in the folder hierarchy could enable a rule). This is similar to JBoss drools. There is no heuristic to find the best rule, it finds all matching rules to fire. Rules are unordered. Some rule "Then" clauses could kick off more rules.
...
- actAs: subject that the rule will act as. If blank, then it will be filled in with the user who created the rule (probably a bad idea since the person might leave at some point, unless it is a service principal). There can be configurations in the grouper.properties (details) which allow users to act as other users or GrouperSysAdmin.
...
ifCondition: this might not be needed if the check contains all the information about when the rule should fire. You can configure a premade check (enum) or a scriptlet or EL (Expression language). e.g.
Code Block ${!RulesUtils.hasMember(groupName, subjectSourceId, subjectId)}then: this is a premade (enum) or scriptlet (EL: expression language). e.g. thenType is removeMember and groupName is a:b, or a scriptlet:
Code Block ${RulesUtils.removeMember(groupName, subjectSourceId, subjectId}
...
The check component will see if the rule should continue to the "if condition". The check part is an enum class: edu.internet2.middleware.grouper.rules.RuleCheckType
Look at the javadoc or source for the most recent check types, currently they are:
...
| Code Block |
|---|
grouperSession = GrouperSession.startRootSession();
stem = StemFinder.findByName(grouperSession, "test:testRules");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), stem, Stem.Scope.SUB, SubjectFinder.findRootSubject(), Privilege.getInstances("admin"));
RuleApi.rulesToString(stem);
stem.getAttributeDelegate().removeAttributeByAssignId("af0aa3601b5149a08b71d7d82ea6a906");
|
...
Error handling
If the rule execution fails for some reason, it should be logged (which could include emailing administrators), but it probably should not affect the transaction of the operation that triggered the rule. Maybe this can be a setting on a per rule basis and where applicable (e.g. if it is a flattened membership rule trigger, then there is no transaction since the rule fires post commit anyways.
| Anchor | ||||
|---|---|---|---|---|
|
Note that the subject source should be set before the subject id or identifier (if the id or identifier arent unique). Anyways, you can act as yourself, though I dont know why you would want to do that since if you leave the institution the rule might break. You can configure in the grouper.properties what the act as rules are, similar to the grouper WS act as.
...
| Code Block |
|---|
gsh 0% new GrouperEmail().setTo("something@somewhere.edu").setBody("email body").setSubject("email subject").send();
|
Extended EL API
| Anchor | ||||
|---|---|---|---|---|
|
There is a special group which has access to more objects in EL:
...