...
```
2010-08-21 15:24:13,032: [main] INFO RuleEngine.fireRule(248) - Rules engine processing rulesBean: group: stem:b, membership: Membership[createTime=1282418648019,creatorUuid=8b10ad84a2ab4e4d912aeca154866bbc,depth=0,listName=members,listType=list, memberUuid=ddbbbb1615964f109e4b5f85c05098f7,groupId=291dbf3b736e42de9985a70e2ac11177,type=immediate, uuid=4f249fd2636247a78158fc358aa58a32:bb46e541e12049618c199e162056e715], subject: Subject id: test.subject.0, sourceId: jdbc, , found 1 matching rule definitions, ruleDefinition should fire: attributeAssignTypeId: 446bb6b3bbd8417b9a3e386b3bc894c1, sourceId: g:isa, subjectId: GrouperSystem, checkOwnerName: stem:b, checkType: membershipRemove, ifConditionEnum: thisGroupHasImmediateEnabledMembership, thenEl: ${ruleUtils.removeMemberFromGroupId(ownerGroupId, memberId)}, , EL variables: membershipId(4f249fd2636247a78158fc358aa58a32:bb46e541e12049618c199e162056e715),groupId(291dbf3b736e42de9985a70e2ac11177), groupName(stem:b),ruleUtils,ownerGroupId(b38004ccf99d44f08f5a0971153ad6a9),subjectId(test.subject.0),memberId(ddbbbb1615964f109e4b5f85c05098f7), checkOwnerName(stem:b),sourceId(jdbc),, elResult: true, shouldFire count: 1
```
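The log line above records which subject the rule acts as, which check triggered it, the condition, and the EL that ran. As an added example (not part of the Grouper documentation or code base), this Python parser extracts those fields so that rule firings acting as GrouperSystem can be reviewed. The sample line is constructed from the one above with UUIDs shortened, and the function and key names are hypothetical.

```python
import re

# Constructed sample: same layout as the log line above, with UUIDs shortened.
SAMPLE = (
    "2010-08-21 15:24:13,032: [main] INFO RuleEngine.fireRule(248) - Rules engine "
    "processing rulesBean: group: stem:b, membership: Membership[depth=0,"
    "listName=members,type=immediate,uuid=4f24:bb46], subject: Subject id: "
    "test.subject.0, sourceId: jdbc, , found 1 matching rule definitions, "
    "ruleDefinition should fire: attributeAssignTypeId: 446b, sourceId: g:isa, "
    "subjectId: GrouperSystem, checkOwnerName: stem:b, checkType: membershipRemove, "
    "ifConditionEnum: thisGroupHasImmediateEnabledMembership, thenEl: "
    "${ruleUtils.removeMemberFromGroupId(ownerGroupId, memberId)}, , EL variables: "
    "membershipId(4f24:bb46),groupId(291d), groupName(stem:b),ruleUtils,"
    "ownerGroupId(b380),subjectId(test.subject.0),memberId(ddbb), "
    "checkOwnerName(stem:b),sourceId(jdbc),, elResult: true, shouldFire count: 1"
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}): .*?RuleEngine\.fireRule\(\d+\) - "
    r".*?ruleDefinition should fire: (?P<fields>.*?), thenEl: (?P<then_el>.*?), , "
    r"EL variables: (?P<el_vars>.*?),, elResult: (?P<el_result>\w+), "
    r"shouldFire count: (?P<count>\d+)"
)

def parse_fire_rule(line):
    """Parse one RuleEngine.fireRule line into a dict, or return None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # Definition fields are "name: value" pairs; thenEl is captured by LINE_RE
    # on its own because the EL expression itself contains ", ".
    rule = dict(re.findall(r"(\w+): ([^,]+)", m.group("fields")))
    # EL variables print as name(value); bare names such as ruleUtils are skipped.
    el_vars = dict(re.findall(r"(\w+)\(([^)]*)\)", m.group("el_vars")))
    return {
        "timestamp": m.group("ts"),
        "act_as": (rule.get("sourceId"), rule.get("subjectId")),
        "check": (rule.get("checkType"), rule.get("checkOwnerName")),
        "if_condition": rule.get("ifConditionEnum"),
        "then_el": m.group("then_el"),
        "affected_subject": (el_vars.get("sourceId"), el_vars.get("subjectId")),
        "el_result": m.group("el_result") == "true",
        "should_fire_count": int(m.group("count")),
    }

def fired_as(lines, subject_id="GrouperSystem"):
    """Return parsed records for rule firings whose act-as subject is subject_id."""
    records = (parse_fire_rule(line) for line in lines)
    return [r for r in records if r and r["act_as"][1] == subject_id]
```

The parser covers the field layout shown in this log line; a rule definition that prints other fields, such as an EL condition containing commas, would need its own capture group.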
Veto
The "then" clause can veto an action (if the check is a transactional check) by calling the Grouper `ruleUtils.veto` EL method. Note: if you are writing a custom EL class and want a veto, return the exception, don't throw it. The exception should be a RuleVeto exception (which is a runtime exception) or a subclass. This example vetoes an add to group A (stem:a) if the person is not a member of group B (stem:b):
```java
//attributeAssign is the rule's attribute assignment, obtained earlier (not shown in this excerpt)

//act as GrouperSystem
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

//fire the rule when a membership is added to group A
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleCheckOwnerNameName(), "stem:a");
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleCheckTypeName(),
    RuleCheckType.membershipAdd.name());

//continue with the rule if the member is not a member of B
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleIfConditionEnumName(),
    RuleIfConditionEnum.groupHasNoImmediateEnabledMembership.name());
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleIfOwnerNameName(),
    "stem:b");

//if we get this far, veto the action with a descriptive reason
attributeAssign.getAttributeValueDelegate().assignValue(
    RuleUtils.ruleThenElName(),
    "${ruleUtils.veto('rule.entity.must.be.a.member.of.stem.b', 'Entity cannot be a member of stem:a if not a member of stem:b')}");
```
Custom EL classes
You can configure custom EL classes to supply logic you need that is not in the Grouper API. Here is an example:
...