If a student is no longer a member of the course X group, then put an end date one week in the future on that student's permissions in the course wiki group, or on the student's assignments to roles which have those permissions.
Java example
//add a rule on stem:permission saying if you are out of stem:employee, //then put disabled date on assignments to permission, or from roles which have the permission AttributeAssign attributeAssign = permissionToAssignRule .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign(); AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate(); attributeValueDelegate.assignValue( RuleUtils.ruleActAsSubjectSourceIdName(), actAs.getSourceId()); attributeValueDelegate.assignValue( RuleUtils.ruleActAsSubjectIdName(), actAs.getId()); attributeValueDelegate.assignValue( RuleUtils.ruleCheckOwnerIdName(), mustBeInGroup.getId()); attributeValueDelegate.assignValue( RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipRemove.name()); attributeValueDelegate.assignValue( RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.thisPermissionDefHasNoEndDateAssignment.name()); attributeValueDelegate.assignValue( RuleUtils.ruleThenEnumName(), RuleThenEnum.assignDisabledDaysToOwnerPermissionDefAssignments.name()); attributeValueDelegate.assignValue( RuleUtils.ruleThenEnumArg0Name(), "7"); //should be valid String isValidString = attributeValueDelegate.retrieveValueString( RuleUtils.ruleValidName()); if (!StringUtils.equals("T", isValidString)) { throw new RuntimeException(isValidString); }
GSH shorthand method
// Shorthand that registers the permission/group intersection rule in one call:
// permissionDef is the permission definition the rule is attached to,
// groupEmployee is the group subjects must remain in, and 7 is the number of
// days until the disabled date.
// NOTE(review): the first argument appears to be the act-as subject; here it is
// the root subject, so confirm that this level of privilege is intended.
RuleApi.permissionGroupIntersection(SubjectFinder.findRootSubject(), permissionDef, groupEmployee, 7);
GSH test case
//GSH transcript: each "gsh N%" line is a command, the line after it is the shell's output
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 1e2e6443d9d34012b66f8d970ec16a1b,'GrouperSystem','application'
//permissions definition
gsh 1% permissionDef = new AttributeDefSave(grouperSession).assignName("stem:permissionDef").assignCreateParentStemsIfNotExist(true).assignAttributeDefType(AttributeDefType.perm).save();
edu.internet2.middleware.grouper.attr.AttributeDef: AttributeDef[name=stem:permissionDef,uuid=65b85a8e4bf74780bec99c04e508853e]
gsh 2% permissionDef.setAssignToEffMembership(true);
gsh 3% permissionDef.setAssignToGroup(true);
gsh 4% permissionDef.store();
//employee group which users must be in
gsh 5% groupEmployee = new GroupSave(grouperSession).assignName("stem:employee").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:employee' displayName='stem:employee' uuid='61581214aef04fd589a5a24338067021'
//roles for permissions
gsh 6% payrollUser = new GroupSave(grouperSession).assignName("apps:payroll:roles:payrollUser").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
group: name='apps:payroll:roles:payrollUser' displayName='apps:payroll:roles:payrollUser' uuid='fc738d64b8eb46a1ab78d2e03961129b'
gsh 7% payrollGuest = new GroupSave(grouperSession).assignName("apps:payroll:roles:payrollGuest").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
group: name='apps:payroll:roles:payrollGuest' displayName='apps:payroll:roles:payrollGuest' uuid='ac4b956bd8b04e12ac8cc661e104493c'
gsh 8% subject0 = SubjectFinder.findByIdAndSource("test.subject.0", "jdbc", true);
subject: id='test.subject.0' type='person' source='jdbc' name='my name is test.subject.0'
gsh 9% subject1 = SubjectFinder.findByIdAndSource("test.subject.1", "jdbc", true);
subject: id='test.subject.1' type='person' source='jdbc' name='my name is test.subject.1'
gsh 10% subject2 = SubjectFinder.findByIdAndSource("test.subject.2", "jdbc", true);
subject: id='test.subject.2' type='person' source='jdbc' name='my name is test.subject.2'
gsh 11% payrollUser.addMember(subject0, false);
true
gsh 12% payrollGuest.addMember(subject1, false);
true
//permission resource
gsh 13% canLogin = new AttributeDefNameSave(grouperSession, permissionDef).assignName("apps:payroll:permissions:canLogin").assignCreateParentStemsIfNotExist(true).save();
edu.internet2.middleware.grouper.attr.AttributeDefName: AttributeDefName[name=apps:payroll:permissions:canLogin,uuid=f9a2001a66c3427287ae2846cd606dd0]
//assign the permission to a role
gsh 14% payrollUser.getPermissionRoleDelegate().assignRolePermission(canLogin);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@f8f104
//assign the permission directly to a user in a different role
gsh 15% payrollGuest.getPermissionRoleDelegate().assignSubjectRolePermission(canLogin, subject1);
edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult: edu.internet2.middleware.grouper.attr.assign.AttributeAssignResult@1c624e2
gsh 16% member0 = MemberFinder.findBySubject(grouperSession, subject0, false);
member: id='test.subject.0' type='person' source='jdbc' uuid='c24d4c437d0e439397a66659ee36e548'
gsh 17% member1 = MemberFinder.findBySubject(grouperSession, subject1, false);
member: id='test.subject.1' type='person' source='jdbc' uuid='df1329086d6a4ae9aea3d6c9777c68d5'
//permission that user0 has (through the payrollUser role: perm_type=role)
gsh 18% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollUser,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.0,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=0,action_depth=0,attrDef_depth=0,perm_type=role]
gsh 19% permissions.size()
1
gsh 20% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
//permission that user1 has (assigned to the subject within the role: perm_type=role_subject)
gsh 21% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.1,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 22% permissions.size()
1
gsh 23% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
//assign the rule; the root subject is passed as the first argument
gsh 24% RuleApi.permissionGroupIntersection(SubjectFinder.findRootSubject(), permissionDef, groupEmployee, 7);
//add users to the employee group
gsh 25% groupEmployee.addMember(subject0);
gsh 26% groupEmployee.addMember(subject1);
//subject2 has no permissions, so this is a no-op
gsh 27% groupEmployee.addMember(subject2);
gsh 28% groupEmployee.deleteMember(subject2);
//this should set some disabled dates: subject0 holds canLogin through the payrollUser role
gsh 29% groupEmployee.deleteMember(subject0);
gsh 30% membership = ((Group)payrollUser).getImmediateMembership(Group.getDefaultList(), member0, true, true);
edu.internet2.middleware.grouper.Membership: Membership[createTime=1283882925393,creatorUuid=b0ad34466f1f401ba33c49cba4197cdb,depth=0,listName=members,listType=list,memberUuid=c24d4c437d0e439397a66659ee36e548,groupId=fc738d64b8eb46a1ab78d2e03961129b,type=immediate,uuid=40a51c707a4048f48fca32bd9d0f52c7:9a7d5f4525fe4bbab7bd89d96abd91f9]
//the role membership now carries a disabled time
gsh 31% membership.getDisabledTime()
java.sql.Timestamp: 2010-09-14 14:10:55.171
//current time for comparison: the disabled time above is about seven days later
gsh 35% new java.sql.Timestamp(System.currentTimeMillis());
java.sql.Timestamp: 2010-09-07 14:11:53.141
//the permission entry is still returned for subject0: the disabled date is in the future, so access is not removed yet
gsh 36% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member0.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollUser,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.0,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=0,action_depth=0,attrDef_depth=0,perm_type=role]
gsh 37% permissions.size()
1
gsh 38% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
gsh 39% GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid()).size()
1
//delete subject1 from employee group
gsh 40% groupEmployee.deleteMember(subject1);
//this causes the disabled date to be applied to the permission assignment to that user, not to the role assignment
gsh 41% payrollGuest.hasMember(subject1)
true
gsh 42% membership = ((Group)payrollGuest).getImmediateMembership(Group.getDefaultList(), member1, true, true);
edu.internet2.middleware.grouper.Membership: Membership[createTime=1283882930256,creatorUuid=b0ad34466f1f401ba33c49cba4197cdb,depth=0,listName=members,listType=list,memberUuid=df1329086d6a4ae9aea3d6c9777c68d5,groupId=ac4b956bd8b04e12ac8cc661e104493c,type=immediate,uuid=8f27f66ad3884c9a89f686a096a43342:3660b4d6c0894c938d24bc7ba2f9d5a7]
//the role membership itself has no disabled time
gsh 44% membership.getDisabledTime() == null
true
gsh 45% permissions = GrouperDAOFactory.getFactory().getPermissionEntry().findByMemberId(member1.getUuid());
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=apps:payroll:roles:payrollGuest,attributeDefNameName=apps:payroll:permissions:canLogin,action=assign,sourceId=jdbc,subjectId=test.subject.1,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 46% permissions.size()
1
gsh 47% permissions.iterator().next().getAttributeDefNameName()
apps:payroll:permissions:canLogin
//the disabled time is on the permission entry instead
gsh 48% permissions.iterator().next().getDisabledTime()
java.sql.Timestamp: 2010-09-14 14:12:45.946