Page History

Include Page

spaceKey	Grouper
pageTitle	Navigation

We want to be able to craft policies by an expression instead of creating loaders or tons of reference groups based on cartesian products of basis/ref groups.

...

Reduces pre-loaded rollups that might not be used
You dont don't need a loader job for each one of these groups
Any Grouper user could edit the policies if they can READ underlying groups. The expressions are secure
The memberships of the ABAC groups are real time based on an intelligent change log consumer
You can have a UI to help build it and give good error messages
Could visualize the policies. Perhaps could be integrated into existing visualization
This solved the issue of composites with any number of factors

...

Group name	Attribute name	Attribute value
grouper_abac_group_attributes
ref:course:term:cis123	campus	palmer
ref:course:term:cis123	campus	southern
ref:course:term:cis123	mode
ref:course:term:cis124	campus	northern
ref:course:term:cis124	termStart	8/1/2020 (note, this is actually integer seconds since 1970)
ref:course:term:cis124	termEnd	1/1/2020
ref:course:term:cis124	thisTerm	T

...

Group

Type

Expression

Description

org:whatever:app:somePolicy

ref/bassis basis groups as members

(group.campus =~ ['palmer', southern'] and termStart - 7 > sysdate and termEnd + 7 < sysdate)

Give me groups as members where campus and term match

org:whatever2:app2:somePolicy2

subjects as members

person.primaryAffiliation =~ ['faculty', 'staff'] and person.dept =~ ['physics', 'math']

Subjects in a role and dept

org:whatever3:app3:somePolicy3

could have some groups and subjects

(group.campus =~ ['palmer', southern'] and termStart - 7 > sysdate and termEnd + 7 < sysdate)

or (person.primaryAffiliation =~ ['faculty', 'staff'] and person.dept =~ ['physics', 'math'])

Take some group populations and some subjects

...

Page tree

Versions Compared

Old Version 11

New Version 12

Key