...
The rule will be an attribute of a Grouper object (group, stem, etc.). It will be specified as JSON. We can have a screen on the UI which helps create the JSON, or we could split this up into multiple attributes if we like. There are attributes on the assignment which configure the params. E.g. the following rule could be an attribute on group b:c:d, whose name would get the variable "thisGroupName".
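```java
import edu.internet2.middleware.grouper.attr.assign.AttributeAssign;
import edu.internet2.middleware.grouper.rules.RuleCheckType;
import edu.internet2.middleware.grouper.rules.RuleConditionEnum;
import edu.internet2.middleware.grouper.rules.RuleUtils;

// add a rule on stem:a saying if you are out of stem:b, then remove from stem:a
// (groupA is the already-loaded Group object for stem:a)
AttributeAssign attributeAssign = groupA
    .getAttributeDelegate().assignAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();

// subject the rule acts as when it fires
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

// what to watch: membership removals from stem:b
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleCheckOwnerNameName(), "stem:b");
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleCheckTypeName(),
    RuleCheckType.membershipRemove.name());

// condition: the subject is an immediate member of this group (stem:a)
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleIfConditionEnumName(),
    RuleConditionEnum.thisGroupHasImmediateMember.name());

// action: remove the subject from this group
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleThenElName(),
    "${ruleUtils.removeMember(thisGroupId, memberId)}");
```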
```json
{
  "RuleDefinition": {
    "actAs": {
      "sourceId": "kerberosPrincipals",
      "subjectId": "myApp/myServer.school.edu"
    },
    "check": {
      "group": "a:b:c",
      "type": "flattenedMembershipRemove"
    },
    "ifCondition": "",
    "then": "${RulesUtils.removeMember(thisGroupName, subjectSourceId, subjectId)}"
  }
}
```
Daemon component
If the rule is not scripted, then we have the opportunity to run it in daemon mode at the time the rule is added or changed, or periodically (nightly/weekly), to reduce data corruption. Some rules might not want this to happen (e.g. "on group create, set permissions": if you do this nightly, then you can't remove permissions).
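The difference between the event-driven rule and the daemon sweep described above, as an added Python model that is not Grouper code and does not use the Grouper API. The `Rule` class, the `run_daemon` opt-out flag, the function names and the sample memberships are assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    owner_group: str         # group the rule is attached to (members are removed from here)
    check_group: str         # group whose membership removals are watched
    run_daemon: bool = True  # hypothetical opt-out for the periodic sweep


def on_membership_remove(groups, rule, group, subject):
    """Event path: called when `subject` has just been removed from `group`."""
    if group != rule.check_group:
        return False
    # ifCondition: thisGroupHasImmediateMember
    if subject not in groups[rule.owner_group]:
        return False
    groups[rule.owner_group].discard(subject)
    return True


def daemon_sweep(groups, rule):
    """Reconciliation path: drop owner-group members no longer in the check group."""
    if not rule.run_daemon:
        return []
    stale = sorted(groups[rule.owner_group] - groups[rule.check_group])
    for subject in stale:
        groups[rule.owner_group].discard(subject)
    return stale


def demo():
    # Constructed sample memberships.
    groups = {"stem:a": {"alice", "bob", "carol"},
              "stem:b": {"alice", "bob", "carol"}}
    rule = Rule(owner_group="stem:a", check_group="stem:b")
    # Normal case: bob leaves stem:b and the event reaches the rule.
    groups["stem:b"].discard("bob")
    fired = on_membership_remove(groups, rule, "stem:b", "bob")
    # Drift: carol leaves stem:b but the event is never delivered,
    # so she keeps stale access in stem:a until the sweep runs.
    groups["stem:b"].discard("carol")
    swept = daemon_sweep(groups, rule)
    return fired, swept, sorted(groups["stem:a"])


if __name__ == "__main__":
    print(demo())
```

A rule such as "on group create, set permissions" would set `run_daemon=False` in this model, since re-running it on a schedule would re-grant permissions an administrator had removed on purpose.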
...