Grouper rules
If an attributeDef is created under folder a:b, then grant the attrRead and attrUpdate privileges on that attributeDef to the group a:security:admins
Java example
Code Block |
---|
// Attach a rule to stem2: whenever an attributeDef is created in stem2 (or, with the
// SUB scope below, in any of its sub-folders), grant attrRead and attrUpdate on that
// new attributeDef to the group stem1:admins.
AttributeAssign ruleAssign = stem2.getAttributeDelegate()
    .addAttribute(RuleUtils.ruleAttributeDefName())
    .getAttributeAssign();
AttributeValueDelegate ruleValues = ruleAssign.getAttributeValueDelegate();

// The rule runs as this subject: GrouperSystem from the g:isa source.
ruleValues.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
ruleValues.assignValue(RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

// Trigger: an attributeDef is created ...
ruleValues.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.attributeDefCreate.name());
// ... in this folder only (ONE) or in this folder and all sub-folders (SUB).
ruleValues.assignValue(RuleUtils.ruleCheckStemScopeName(), Stem.Scope.SUB.name());

// Action: assign attributeDef privileges on the newly created attributeDef.
ruleValues.assignValue(RuleUtils.ruleThenEnumName(),
    RuleThenEnum.assignAttributeDefPrivilegeToAttributeDefId.name());

// Arg0: the subject that receives the privileges, as a subject string, e.g.
//   sourceId :::::: subjectIdentifier
//   sourceId :::: subjectId
//   :::: subjectId
//   sourceId ::::::: subjectIdOrIdentifier
ruleValues.assignValue(RuleUtils.ruleThenEnumArg0Name(), "g:gsa :::::: stem1:admins");

// Arg1: comma-separated privileges to grant; any of attrRead, attrUpdate, attrView,
// attrAdmin, attrOptin, attrOptout.
ruleValues.assignValue(RuleUtils.ruleThenEnumArg1Name(), "attrRead,attrUpdate");

// The rule's "valid" value is "T" once it passes validation; otherwise the stored
// value is raised as the error message so a misconfigured rule is not left in place.
String validFlag = ruleValues.retrieveValueString(RuleUtils.ruleValidName());
if (!StringUtils.equals("T", validFlag)) {
  throw new RuntimeException(validFlag);
}
|
GSH shorthand method
Code Block |
---|
// Same rule via the RuleApi helper: act as the root subject, watch stem2 and all of its
// sub-folders (Scope.SUB), and grant the listed attributeDef privileges to groupA's subject.
RuleApi.inheritAttributeDefPrivileges(SubjectFinder.findRootSubject(), stem2, Scope.SUB, groupA.toSubject(), Privilege.getInstances("attrRead, attrUpdate"));
|
GSH test case
Code Block |
---|
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: ad1415e66401474880e1322c250aa0fb,'GrouperSystem','application'
gsh 1% stem2 = new edu.internet2.middleware.grouper.StemSave(grouperSession).assignName("stem2").assignCreateParentStemsIfNotExist(true).save();
stem: name='stem2' displayName='stem2' uuid='f76ea3ea4ebc4b28a3a7ce650def5c8a'
gsh 2% groupA = new GroupSave(grouperSession).assignName("stem1:admins").assignCreateParentStemsIfNotExist(true).save();
group: name='stem1:admins' displayName='stem1:admins' uuid='f10fdb4776484c94a4196c2c858eb9fb'
gsh 3% addMember("stem1:admins", "test.subject.0");
true
gsh 4% subjectActAs = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true);
subject: id='GrouperSystem' type='application' source='g:isa' name='GrouperSysAdmin'
gsh 5% RuleApi.inheritAttributeDefPrivileges(subjectActAs, stem2, Stem.Scope.SUB, groupA.toSubject(), Privilege.getInstances("attrRead, attrUpdate"));
gsh 6% attributeDefB = new AttributeDefSave(grouperSession).assignName("stem2:b").assignCreateParentStemsIfNotExist(true).save();
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=stem2:b,uuid=960b452a59494a5c9a393906903b6b1b]
gsh 7% hasPriv("stem2:b", "test.subject.0", Privilege.getInstance("attrRead"))
true
gsh 8% hasPriv("stem2:b", "test.subject.0", Privilege.getInstance("attrUpdate"))
true
gsh 9% attributeDefD = new AttributeDefSave(grouperSession).assignName("stem3:d").assignCreateParentStemsIfNotExist(true).save();
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=stem3:d,uuid=6545585416004e52a49535efba1fe1b0]
gsh 10% hasPriv("stem3:d", "test.subject.0", Privilege.getInstance("attrRead"))
false
gsh 11% hasPriv("stem3:d", "test.subject.0", Privilege.getInstance("attrUpdate"))
false
gsh 12% attributeDefC = new AttributeDefSave(grouperSession).assignName("stem2:sub:c").assignCreateParentStemsIfNotExist(true).save();
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=stem2:sub:c,uuid=405cfab803524de59fca1e93218aa9d6]
gsh 13% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("attrRead"))
true
gsh 14% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("attrUpdate"))
true
|
GSH daemon
Run the GSH session above first, then continue with the commands below
Code Block |
---|
gsh 15% revokePriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("attrUpdate"))
false
gsh 16% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES);
loader ran successfully: Ran rules daemon, changed 0 records
gsh 17% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("attrUpdate"))
true
|
sdf