Versions Compared

Old Version 32

changes.mady.by.user Emily Eisbruch (internet2.edu)

Saved on

compared with

New Version 44

changes.mady.by.user Chris Hyzer (upenn.edu)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Include Page
spaceKeyGrouper
pageTitleNavigation

Panel
borderColor#ccc
bgColor#FcFEFF
titleColorwhite
titleBGColor#00a400

Image Added  This topic is discussed in the Advanced Topics training video.

Grouper users Users of Grouper sometimes need to create and manage entities in Grouper that are not part of a central subject source. An example is where Grouper integrates with an external database that has schemas needed for access management. These schemas must be represented in Grouper so they can be assigned to Groups/Roles/Permissions. Before Grouper 2.1 this could be solved by creating a group to represent the local entity, and not assigning members to the group.  In Grouper 2.1 a .   A "local entity" can be created in the folder structure.

Local entities are not intended to be used to represent people, those should be in your subject source.

Description

A local entity in Grouper is an object in the Grouper namespace (folder structure), that non-grouper-admins can create, manage, use.  It is a Java interface in the API (Entity), which has:

  • id - uuid, doesn't change
  • extension - system name in the folder, shouldn't change
  • display extension - display name in the folder, can change
  • description - free form text documentation about the entity
  • name - fully qualified (including parent folders) system name
  • display name - fully qualified (including parent folders) display name
  • subjectIdentifier attribute - if the identifier of the entity is not valid for the extension (e.g. if it could contain a colon, or other invalid character in the grouper extension namespace), then you can put any fully qualified (including folder names) identifier here.  Note, no two entities can have the same subjectIdentifier.  Also, this attribute is public, meaning anyone can read (if they can VIEW the entity), or update it (if the can ADMIN the entity).  Note, this security to be maintained, this assumes a hierarchical security model for folders... i.e. you must trust the owners of parent folders where the entities are stored since they can have a subjectIdentifier with a colon inside.  The attribute must start with the folder where the entity is stored.  This is autocreated for you, depending on your config, might be here: etc:attribute:entities:entitySubjectIdentifier  Assign this to the local entity (e.g. with UI), and give the string value which is the identifier.  Note: the assignment to the local entity is done with a "group attribute assignment" not an "entity attribute assignment"

For web services, you can set a password on the local entity UUID, and use the UUID as username and password as password to authenticate to web services.  You can also generate a JWT private key, and authenticate that way too though there is encryption involved so its a little more complicated

Local entity subjects

Grouper entities have a subject source different than the Grouper subject source (though similar).  Since there is an optional subjectIdentifier attribute, queries for search or findByIdentifier will consider that value.  Also, the following subject attributes exist in addition to the group subject attributes (name, extension, displayName, description, etc) :

Attribute name

Meaning

entityIdAttribute

if there is an entity id attribute assigned, this is the value

entityId

if there is an entity id attribute assigned, it is used, if not, then this is the name attribute

entityExtension

if there is an entity id attribute assigned, this is the suffix after the entity folder name and colon, if not, then this is the extension (not of attribute)

API

You can create a local entity with the EntitySave class:

Code Block

Entity testEntity = new EntitySave(grouperSession).assignCreateParentStemsIfNotExist(true)
      .assignName("test:testEntity").save();

You can find local entities with the EntityFinder class (note a grouper session must be open, and the grouper session user must have VIEW or ADMIN on the entity to show the result):

Code Block

Set<Entity> entities = new EntityFinder().addName("test:testEntity").findEntities();

...

In the grouper.properties you can designate if entities are viewable by all by default.  This occurs on local entity create, and can be unassigned.  This defaults to false for security reasons

Code Block

# if set to true, then the ALL subject will be granted view on new entities
entities.create.grant.all.view = false

...

You can create a local entity (or edit, delete), with the group web services and typeOfGroup

Code Block

<WsRestGroupSaveRequest>
 <wsGroupToSaves>
  <WsGroupToSave>
   <wsGroupLookup>
    <groupName>aStem:newGroup4</groupName>
   </wsGroupLookup>
   <wsGroup>
    <typeOfGroup>entity</typeOfGroup>
    <displayExtension>newGroup4</displayExtension>
    <name>aStem:newGroup4</name>
   </wsGroup>
  </WsGroupToSave>
 </wsGroupToSaves>
</WsRestGroupSaveRequest>

You can filter group searches by typeOfGroup also

Code Block

<WsRestFindGroupsRequest>
 <wsQueryFilter>
  <typeOfGroups>entity</typeOfGroups>
  <queryFilterType>FIND_BY_GROUP_NAME_APPROXIMATE</queryFilterType>
  <groupName>aStem:aGroup</groupName>
  <stemName>aStem</stemName>
 </wsQueryFilter>
</WsRestFindGroupsRequest>

...

You can create/edit/delete local entities on the UI in a folder you have CREATE on

Image Removed

Other screens are tweaked, e.g. on the permissions screen you can search for entities but not groups/roles for individual permissions:

.  In 2.4 UI patch #27 this is in the new UI

...

Image Added


...


Image Added

...


Local entity icon:

Image Added

...

View an entity

Image Added

...

Menu has entity options

Image Added

...

Delete a local entity

Image Added

...

Edit a local entity

Image Added


...


There is a privilege tab

Image Added


...


Only entity privileges can be assigned

Image AddedImage Removed


...

Limiting the scope of entities

...