gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 9351993908a847b190da1e428033c579,'GrouperSystem','application'
//make a permission definition, which is assignable to roles or users in the context of a role
gsh 1% permissionDef = new AttributeDefSave(grouperSession).assignName("stem:permissionDef").assignCreateParentStemsIfNotExist(true).assignAttributeDefType(AttributeDefType.perm).save();
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=stem:permissionDef,uuid=dde36f66d60841448c217dc009d4eac8]
gsh 2% permissionDef.setAssignToEffMembership(true);
gsh 3% permissionDef.setAssignToGroup(true);
gsh 4% permissionDef.store();
//employee group is the group that if the user falls out of, remove the permissions assignments
gsh 5% groupEmployee = new GroupSave(grouperSession).assignName("stem:employee").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:employee' displayName='stem:employee' uuid='7934203d09bf407bbf813f6768759ea9'
//these are roles for the application
gsh 6% payrollUser = new GroupSave(grouperSession).assignName("apps:payroll:roles:payrollUser").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
group: name='apps:payroll:roles:payrollUser' displayName='apps:payroll:roles:payrollUser' uuid='663d14fda9aa45d48caaab84a4df11dc'
gsh 7% payrollGuest = new GroupSave(grouperSession).assignName("apps:payroll:roles:payrollGuest").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
group: name='apps:payroll:roles:payrollGuest' displayName='apps:payroll:roles:payrollGuest' uuid='bcdce97b557e46c59b663bb3c7db7126'
//subject0 is in payrollUser, subject1 is a payroll guest
gsh 10% addMember("apps:payroll:roles:payrollUser", "test.subject.0");
true
gsh 11% addMember("apps:payroll:roles:payrollGuest", "test.subject.1");
true
//canLogin is a permissions resource in the permission definition
gsh 12% canLogin = new AttributeDefNameSave(grouperSession, permissionDef).assignName("apps:payroll:permissions:canLogin").assignCreateParentStemsIfNotExist(true).save();
edu.internet2.middleware.grouper.attr.AttributeDefName: AttributeDefName[name=apps:payroll:permissions:canLogin,uuid=83107cf902544375a46376c8a4210051]
//for subject0, this permission is assigned to the role, and subject0 gets it from being a member of the role
gsh 13% payrollUser.getPermissionRoleDelegate().assignRolePermission(canLogin);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@1d74bb1
gsh 16% subject1 = SubjectFinder.findById("test.subject.1", true);
subject: id='test.subject.1' type='person' source='jdbc' name='my name is test.subject.1'
gsh 17% subject0 = SubjectFinder.findById("test.subject.0", true);
subject: id='test.subject.0' type='person' source='jdbc' name='my name is test.subject.0'
//subject1 is a guest, and gets the permission as directly assigned in the context of role payrollGuest
gsh 18% payrollGuest.getPermissionRoleDelegate().assignSubjectRolePermission(canLogin, subject1);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@c5dbb
gsh 19% member0 = MemberFinder.findBySubject(grouperSession, subject0, false);
gsh 20% member1 = MemberFinder.findBySubject(grouperSession, subject1, false);
member: id='test.subject.1' type='person' source='jdbc' uuid='bc39785bb650459585043d9b4cffc051'
//subject0 and subject1 each have one permission
gsh 21% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollUser,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.0,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=0,action_depth=0,attrDef_depth=0,perm_type=role]
gsh 22% permissions.size()
1
gsh 23% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
gsh 24% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.1,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 25% permissions.size()
1
gsh 26% permissions.iterator().next().getAttributeDefNameName();
apps:payroll:permissions:canLogin
//add the rule
gsh 27% RuleApi.permissionGroupIntersection(SubjectFinder.findRootSubject(), permissionDef, groupEmployee);
//add users to employee group
gsh 29% groupEmployee.addMember(subject0);
gsh 30% groupEmployee.addMember(subject1);
//remove the first user
gsh 33% groupEmployee.deleteMember(subject0);
//since the permission was due to role, the user should not be in role anymore, or the permissions
gsh 34% payrollUser.hasMember(subject0);
false
gsh 35% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
gsh 36% permissions.size();
0
//subject1 still have permissions in the context of the role
gsh 37% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.1,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 38% permissions.size()
1
gsh 39% permissions.iterator().next().getAttributeDefNameName();
apps:payroll:permissions:canLogin
//remove subject1 from employee group
gsh 40% groupEmployee.deleteMember(subject1);
//subject1 is still a guest since guest does not have login ability...
gsh 43% payrollGuest.hasMember(subject1);
true
//however, the direct assignment to user in the context of the role is removed
gsh 44% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
gsh 45% permissions.size()
0
gsh 46%
|