We want to be able to craft policies by an expression instead of creating loaders or tons of reference groups based on Cartesian products of basis/ref groups.
...
- Reduces pre-loaded rollups that might not be used
- You don't need a loader job for each one of these groups
- Any Grouper user could edit the policies if they can READ underlying groups. The expressions are secure
- The memberships of the ABAC groups are real time based on an intelligent change log consumer
- You can have a UI to help build it and give good error messages
- Could visualize the policies. Perhaps could be integrated into existing visualization
- This solved the issue of composites with any number of factors
...
grouper_abac_group_attributes

Group name | Attribute name | Attribute value | Active | Next start time | Last end time |
---|---|---|---|---|---|
ref:course:term:cis123 | campus | palmer | | | |
ref:course:term:cis123 | campus | southern | | | |
ref:course:term:cis123 | mode | | | | |
ref:course:term:cis124 | campus | northern | | | |
ref:course:term:cis124 | termStart | 8/1/2020 (note, this is actually integer seconds since 1970) | | | |
ref:course:term:cis124 | termEnd | 1/1/2020 | | | |
ref:course:term:cis124 | thisTerm | T | | | |
...
Group | Type | Expression | Description |
---|---|---|---|
org:whatever:app:somePolicy | ref/basis groups as members | (group.campus =~ ['palmer', 'southern'] and termStart - 7 > sysdate and termEnd + 7 < sysdate) | Give me groups as members where campus and term match |
org:whatever2:app2:somePolicy2 | subjects as members | person.primaryAffiliation =~ ['faculty', 'staff'] and person.dept =~ ['physics', 'math'] | Subjects in a role and dept |
org:whatever3:app3:somePolicy3 | could have some groups and subjects | (group.campus =~ ['palmer', 'southern'] and termStart - 7 > sysdate and termEnd + 7 < sysdate) or (person.primaryAffiliation =~ ['faculty', 'staff'] and person.dept =~ ['physics', 'math']) | Take some group populations and some subjects |
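
One way to evaluate the `group.<attribute> =~ [...]` clauses of these policies against grouper_abac_group_attributes rows without handing user-edited text to a general-purpose interpreter. This is an added example, not Grouper's implementation; it also covers `and`/`or` combinations of such clauses. The rows are constructed from the table above, and `matching_groups`, the `readable` parameter and the reading of `=~` as "any value of the attribute is in the list" are assumptions.

```python
import ast

# Constructed rows mirroring grouper_abac_group_attributes: (group, attribute, value)
ROWS = [
    ("ref:course:term:cis123", "campus", "palmer"),
    ("ref:course:term:cis123", "campus", "southern"),
    ("ref:course:term:cis124", "campus", "northern"),
    ("ref:course:term:cis124", "thisTerm", "T"),
]

def _eval(node, attrs):
    """Evaluate a whitelisted syntax tree; every other construct is rejected."""
    if isinstance(node, ast.BoolOp):
        results = [_eval(v, attrs) for v in node.values]
        return all(results) if isinstance(node.op, ast.And) else any(results)
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and isinstance(node.ops[0], ast.In)):
        left, right = node.left, node.comparators[0]
        if (isinstance(left, ast.Attribute) and isinstance(left.value, ast.Name)
                and left.value.id == "group" and isinstance(right, ast.List)
                and all(isinstance(e, ast.Constant) and isinstance(e.value, str)
                        for e in right.elts)):
            wanted = {e.value for e in right.elts}
            # Attributes are multi-valued (cis123 has two campus rows):
            # the clause holds if any stored value is in the list.
            return bool(attrs.get(left.attr, set()) & wanted)
    raise ValueError(f"disallowed expression element: {type(node).__name__}")

def matching_groups(expression, rows, readable):
    """Groups satisfying the policy, limited to groups the policy editor can READ.

    `readable` is an assumed input: the set of group names the editor has READ on.
    """
    # Assumption: '=~' maps onto a membership test, so Python's parser can be
    # reused for syntax only; nothing in the expression is ever executed.
    tree = ast.parse(expression.replace("=~", " in "), mode="eval").body
    by_group = {}
    for group, name, value in rows:
        if group in readable:  # unreadable groups never reach the evaluator
            by_group.setdefault(group, {}).setdefault(name, set()).add(value)
    return sorted(g for g, attrs in by_group.items() if _eval(tree, attrs))

if __name__ == "__main__":
    everyone = {"ref:course:term:cis123", "ref:course:term:cis124"}
    print(matching_groups("(group.campus =~ ['palmer', 'southern'])", ROWS, everyone))
```

Function calls, arithmetic, names other than `group`, and any other construct raise `ValueError` before any attribute data is touched.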
...