...

Grouper has a hierarchical namespace of folders in which to organize Groups, Roles, and Permissions. For large deployments of Grouper, the namespace can make the UI overwhelming for users to find the objects they want to manage.

In current versions of Grouper 2.2, the UI makes it possible to filter the registry by a service. This makes it simpler to navigate the namespace and easier to use the UI. Users can find services in the "services widget" on the main UI screen.

...

Click save. Now any entity that is a member of a group in that folder or a subfolder will have that service on the main screen or services screen of the UI. Any entity that has manage privileges on a group in that folder or a subfolder will be considered an "admin" of the service. Note that with groups as members and with exclude lists, this cannot be 100% accurate.

Here is a GSH example of creating a service:

Code Block

// Create a service-type attribute definition that can be assigned to folders (stems)
AttributeDef jiraServiceDef = new AttributeDefSave(grouperSession)
      .assignCreateParentStemsIfNotExist(true).assignAttributeDefType(AttributeDefType.service)
      .assignName("apps:jira:jiraServiceDefinition").assignToStem(true).save();

// Create the service name under that definition, with a human-readable display extension
AttributeDefName jiraService = new AttributeDefNameSave(grouperSession, jiraServiceDef)
      .assignCreateParentStemsIfNotExist(true)
      .assignName("apps:jira:jiraService").assignDisplayExtension("Central IT production Jira issue tracker").save();

...

GSH/API example of service privileges

Code Block

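// the directory is public: grant view on the service definition to every subject (GrouperAll);
// the last argument (false) means do not throw if the privilege is already granted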
directoryServiceDef.getPrivilegeDelegate().grantPriv(SubjectFinder.findAllSubject(), AttributeDefPrivilege.ATTR_VIEW, false);

...

Services should be exposed by the UI/WS/API; i.e., you should be able to run a GroupFinder filter and restrict the results to a certain service. You should be able to list the services for a user. You could browse the repository and operate comboboxes in the context of a particular service.

API

Code Block

// Find members in a service:
MembershipResult membershipResult = new MembershipFinder().assignServiceId(confluenceService.getId())
    .assignServiceRole(ServiceRole.admin).findMembershipResult();

List<Member> members = new ArrayList<Member>(membershipResult.members());

// Find services for a user:
Set<AttributeDefName> attributeDefNames = new AttributeDefNameFinder().assignSubject(SubjectTestHelper.SUBJ0)
    .assignServiceRole(ServiceRole.user).findAttributeNames();

...

  • Find members in a service:

Code Block

c:\temp> java -jar grouperClient.jar --operation=getMembershipsWs --serviceName=school:apps:wiki --serviceRole=admin
Index 0: group: school:apps:wiki:groups:admins, subject: jsmith, list: updaters, type: Immediate, enabled: T
Index 1: group: school:apps:wiki:groups:users, subject: hjohnson, list: admins, type: Immediate, enabled: T

  • Find services for a user:

Code Block

c:\temp> java -jar grouperClient.jar --operation=findAttributeDefNamesWs --scope=% --serviceRole=user --subjectId=jsmith
Index 0: name: school:apps:wiki, displayName: School:Applications:Wiki
Index 1: name: school:apps:pto, displayName: School:Applications:Paid Time Off

...

  • A view that is mapped through Hibernate can be joined to in queries: grouper_service_role_v, mapped to the Java object ServiceRoleView.
  • You can join to this view by group, or attribute, etc. The membership column should have security joined to it:
Code Block

// join the attribute name to the service role view
whereClause.append(" and theAttributeDefName.id = theServiceRoleView.serviceNameId ");

// restrict the view's groups to those the session's subject has read privileges on
changedQuery = grouperSession.getAccessResolver().hqlFilterGroupsWhereClause(
    grouperSession.getSubject(), byHqlStatic,
    sql, "theServiceRoleView.groupId", AccessPrivilege.READ_PRIVILEGES);

// fields for the service role
HibUtils.convertFieldsToSqlInString(serviceRole.fieldsForGroupQuery(), byHqlStatic, whereClause, "theServiceRoleView.fieldId");

// bind the member as a parameter rather than concatenating it into the HQL
whereClause.append(" and theServiceRoleView.memberId = :groupMemberId ");
byHqlStatic.setString("groupMemberId", member.getUuid());

...

In the Grouper API you can get the services for a user. Note that this is for groups in services where the Grouper session can read memberships (or admin):

Code Block

Set<AttributeDefName> attributeDefNames = new AttributeDefNameFinder().assignSubject(SubjectTestHelper.SUBJ0)
        .assignServiceRole(ServiceRole.user).findAttributeNames();

Here is a web service request:

Code Block

<WsRestFindAttributeDefNamesRequest>
  <scope>%</scope>
  <serviceRole>user</serviceRole>
  <subjectLookup>
    <subjectId>test.subject.0</subjectId>
  </subjectLookup>
</WsRestFindAttributeDefNamesRequest>

Web service response:

Code Block

<WsFindAttributeDefNamesResults>
  <attributeDefNameResults>
    <WsAttributeDefName>
      <idIndex>10090</idIndex>
      <extension>jiraService</extension>
      <displayExtension>Central IT production Jira issue tracker
      </displayExtension>
      <displayName>apps:jira:Central IT production Jira issue tracker
      </displayName>
      <name>apps:jira:jiraService</name>
      <uuid>d528f5888e964384be6cc7ed39e3d006</uuid>
      <attributeDefId>05b934189bd342aba0979fafec5e9c07</attributeDefId>
      <attributeDefName>apps:jira:jiraServiceDefinition
      </attributeDefName>
    </WsAttributeDefName>
  </attributeDefNameResults>
  <attributeDefs>
    <WsAttributeDef>
      <idIndex>10022</idIndex>
      <extension>jiraServiceDefinition</extension>
      <name>apps:jira:jiraServiceDefinition</name>
      <uuid>05b934189bd342aba0979fafec5e9c07</uuid>
      <attributeDefType>service</attributeDefType>
      <multiAssignable>F</multiAssignable>
      <multiValued>F</multiValued>
      <valueType>marker</valueType>
    </WsAttributeDef>
  </attributeDefs>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <resultMessage>Success for: clientVersion: 2.2.0, scope: %,
      splitScope: null, wsAttributeDefLookup: null, attributeAssignType:
      null, attributeDefType: null
      wsAttributeDefNameLookups: null
      wsInheritanceSetRelation: null, pageSize: null, pageNumber: null, sortString: null, ascending:
      null, actAsSubject: null, paramNames:
      , params: null
      , wsSubjectLookup: WsSubjectLookup[subjectId=test.subject.0],
      serviceRole: user
    </resultMessage>
    <success>T</success>
  </resultMetadata>
  <responseMetadata>
    <resultWarnings></resultWarnings>
    <millis>9285</millis>
    <serverVersion>2.2.0</serverVersion>
  </responseMetadata>
</WsFindAttributeDefNamesResults>
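
As an added example (not code from the Grouper project), the following Python builds the request body shown above with the subject id escaped, and parses the response: it checks resultCode and success before trusting the body, collapses the line-wrapped element text, and keeps only names whose attributeDefId resolves to a definition of type service. The function names and the trimmed sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the response shown above, trimmed to the fields used here.
SAMPLE_RESPONSE = """<WsFindAttributeDefNamesResults>
  <attributeDefNameResults><WsAttributeDefName>
    <displayExtension>Central IT production Jira issue tracker
    </displayExtension>
    <name>apps:jira:jiraService</name>
    <attributeDefId>05b934189bd342aba0979fafec5e9c07</attributeDefId>
  </WsAttributeDefName></attributeDefNameResults>
  <attributeDefs><WsAttributeDef>
    <uuid>05b934189bd342aba0979fafec5e9c07</uuid>
    <attributeDefType>service</attributeDefType>
  </WsAttributeDef></attributeDefs>
  <resultMetadata><resultCode>SUCCESS</resultCode><success>T</success></resultMetadata>
</WsFindAttributeDefNamesResults>"""

def build_request(subject_id, role="user", scope="%"):
    """Build the request body; caller-supplied values are XML-escaped."""
    if role not in ("user", "admin"):  # the two ServiceRole values used on this page
        raise ValueError("unexpected serviceRole: %r" % role)
    return ("<WsRestFindAttributeDefNamesRequest>"
            "<scope>%s</scope><serviceRole>%s</serviceRole>"
            "<subjectLookup><subjectId>%s</subjectId></subjectLookup>"
            "</WsRestFindAttributeDefNamesRequest>"
            % (escape(scope), role, escape(subject_id)))

def _text(node, tag):
    # Element text in the response is line-wrapped; collapse the whitespace.
    return " ".join((node.findtext(tag) or "").split())

def parse_services(xml_text):
    """Return [(name, displayExtension)] for service-backed names in a successful response."""
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DTD not expected in a web service response")
    root = ET.fromstring(xml_text)
    meta = root.find("resultMetadata")
    code = _text(meta, "resultCode") if meta is not None else "missing resultMetadata"
    if code != "SUCCESS" or _text(meta, "success") != "T":
        raise RuntimeError("Grouper WS call failed: " + code)
    # Map definition uuid -> type so each name can be checked against its definition.
    def_types = {_text(d, "uuid"): _text(d, "attributeDefType")
                 for d in root.iterfind("attributeDefs/WsAttributeDef")}
    return [(_text(n, "name"), _text(n, "displayExtension"))
            for n in root.iterfind("attributeDefNameResults/WsAttributeDefName")
            if def_types.get(_text(n, "attributeDefId")) == "service"]
```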

...