The Grouper custom UI
- Helps end users and administrators view and troubleshoot access state and problems
- Allows end users to easily opt in or opt out of a group without all the bells and whistles of the Grouper UI
This is a new feature in 2.4.57+.
To use this, a group is configured with these attributes:
- customUi (marker)
- customUiOverallBean (overall configuration)
- customUiUserQueryConfigBeans (set variables)
- customUiTextConfigBeans (use those variables to change the UI)
Then there is a link in the More Actions menu.
Example configuration
Configuration attributes
The configuration consists of simple JavaBeans in JSON format.
Overall bean
Field | Type | Description |
---|---|---|
managersCanSeeUserEnvironment | Boolean | if managers can see user environment (default true) |
managersCanAssignVariables | Boolean | if managers can assign variables in browser for testing (default false) |
managersCanSeeScreenState | Boolean | if managers can see screen state (default false) |
usersCanSeeUserEnvironment | Boolean | if users can see environment table (default false) |
emailEnrollSubject | String | subject of email when someone enrolls |
emailEnrollBody | String | body of email when someone enrolls |
emailUnenrollSubject | String | subject of email when someone unenrolls |
emailUnenrollBody | String | body of email when someone unenrolls |
sendEmailWhenManagerMakesChanges | Boolean | if user is emailed when manager adds/removes from custom ui |
emailToUser | Boolean | if user is emailed when using join/leave |
emailBccToGroupName | String | group name that is bcc'ed on usage |
GSH example to generate the JSON
```groovy
customUiOverallBean = new edu.internet2.middleware.grouper.ui.customUi.CustomUiOverallBean();
customUiOverallBean.setManagersCanAssignVariables(true);
customUiOverallBean.setEmailToUser(true);
customUiOverallBean.setEmailBccToGroupName("penn:isc:ait:apps:O365:twoStepProd:simpleEnrollUnenroll:o365twoStepAllowedToAdmin");
customUiOverallBean.setEmailEnrollBody("${textContainer.text['penn_o365twoStep_enroll_emailBody']}");
customUiOverallBean.setEmailEnrollSubject("${textContainer.text['penn_o365twoStep_enroll_emailSubject']}");
customUiOverallBean.setEmailUnenrollBody("${textContainer.text['penn_o365twoStep_unenroll_emailBody']}");
customUiOverallBean.setEmailUnenrollSubject("${textContainer.text['penn_o365twoStep_unenroll_emailSubject']}");
customUiOverallBean.setSendEmailWhenManagerMakesChanges(true);
customUiOverallBean.setManagersCanSeeScreenState(true);
customUiOverallBean.setManagersCanSeeUserEnvironment(false);
System.out.println(GrouperUtil.jsonConvertTo(customUiOverallBean, false));
```
Example JSON
```json
{
  "managersCanSeeUserEnvironment": false,
  "emailEnrollBody": "${textContainer.text['penn_o365twoStep_enroll_emailBody']}",
  "emailEnrollSubject": "${textContainer.text['penn_o365twoStep_enroll_emailSubject']}",
  "emailToUser": true,
  "emailUnenrollBody": "${textContainer.text['penn_o365twoStep_unenroll_emailBody']}",
  "emailBccToGroupName": "penn:isc:ait:apps:O365:twoStepProd:simpleEnrollUnenroll:o365twoStepAllowedToAdmin",
  "sendEmailWhenManagerMakesChanges": true,
  "managersCanSeeScreenState": true,
  "emailUnenrollSubject": "${textContainer.text['penn_o365twoStep_unenroll_emailSubject']}",
  "managersCanAssignVariables": true
}
```
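A pre-deployment check for the customUiOverallBean JSON, added here as an example and not part of Grouper: it uses the field names, types and documented defaults from the table above to flag misspelled fields, wrong types, and visibility flags that have been switched on from their default of false. The function name `audit_overall_bean`, the severity labels and the rule that enabled email should have all four texts set are assumptions of this example.

```python
import json

# Field names and types come from the "Overall bean" table on this page.
BOOLEANS = ("managersCanSeeUserEnvironment", "managersCanAssignVariables",
            "managersCanSeeScreenState", "usersCanSeeUserEnvironment",
            "sendEmailWhenManagerMakesChanges", "emailToUser")
EMAIL_TEXTS = ("emailEnrollSubject", "emailEnrollBody",
               "emailUnenrollSubject", "emailUnenrollBody")
STRINGS = EMAIL_TEXTS + ("emailBccToGroupName",)
FIELDS = {**dict.fromkeys(BOOLEANS, bool), **dict.fromkeys(STRINGS, str)}
# Flags documented as "default false" that show or change more state when on.
WIDENING = ("managersCanAssignVariables", "managersCanSeeScreenState",
            "usersCanSeeUserEnvironment")


def audit_overall_bean(raw_json):
    """Return a sorted list of (severity, field, message) findings."""
    bean = json.loads(raw_json)
    if not isinstance(bean, dict):
        raise ValueError("customUiOverallBean must be a JSON object")
    findings = []
    for key, value in bean.items():
        if key not in FIELDS:
            findings.append(("error", key, "unknown field (typo?)"))
        elif not isinstance(value, FIELDS[key]):
            findings.append(("error", key, "expected " + FIELDS[key].__name__))
    for key in WIDENING:
        if bean.get(key) is True:
            findings.append(("review", key, "enabled, documented default is false"))
    # Assumption of this example: when mail is enabled, all four texts should be set.
    if bean.get("emailToUser") is True or bean.get("sendEmailWhenManagerMakesChanges") is True:
        for key in EMAIL_TEXTS:
            if not bean.get(key):
                findings.append(("warn", key, "email is enabled but this text is empty"))
    return sorted(findings)


# Constructed sample: one misspelled flag and one string where a Boolean belongs.
SAMPLE = """{"managersCanAssignVariables": true, "managerCanSeeScreenState": true,
 "emailToUser": "true", "emailEnrollSubject": "s", "emailEnrollBody": "b"}"""

if __name__ == "__main__":
    for finding in audit_overall_bean(SAMPLE):
        print(*finding)
```

Run against the example JSON above, it reports `managersCanAssignVariables` and `managersCanSeeScreenState` for review, since both are enabled there.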
User query config bean
Each query has a userQueryType, which is a value from the enum CustomUiUserQueryType:
- azure: check an azure membership
- expressionLanguage: some expression (could call java)
- grouper: check a membership or privilege
- ldap: execute an ldap filter
- sql: run a sql query
The queries assign variables
Field | Type | Required for type | Optional for type | Description |
---|---|---|---|---|
attributeDefId | String | | | |
azureGroupId | String | | | |
bindVar0 | String | | | |
bindVar0type | String | | | |
bindVar1 | String | | | |
bindVar1type | String | | | |
bindVar2 | String | | | |
bindVar2type | String | | | |
configId | String | | | |
enabled | Boolean | | | |
errorLabel | String | | | |
fieldNames | String | | | |
groupId | String | | | |
groupName | String | | | |
label | String | | | |
ldapAttributeToRetrieve | String | | | |
ldapFilter | String | | | |
ldapSearchDn | String | | | |
nameOfAttributeDef | String | | | |
order | Integer | | | |
query | String | | | |
script | String | | | |
stemId | String | | | |
stemName | String | | | |
userQueryType | String | | | |
variableToAssign | String | | | |
variableToAssignOnError | String | | | |
variableType | String | | | |
Azure membership
Configure in grouper.properties
```properties
grouper.azureConnector.myAzure.loginEndpoint = https://login.microsoftonline.com
grouper.azureConnector.myAzure.DirectoryID = 6c4dxxx0d
grouper.azureConnector.myAzure.client_id = fd805xxxxdfb
grouper.azureConnector.myAzure.client_secret = ******************
grouper.azureConnector.myAzure.resource = https://graph.microsoft.com
grouper.azureConnector.myAzure.graphEndpoint = https://graph.microsoft.com
grouper.azureConnector.myAzure.graphVersion = v1.0
grouper.azureConnector.myAzure.groupLookupAttribute = displayName
grouper.azureConnector.myAzure.groupLookupValueFormat = ${group.getName()}
grouper.azureConnector.myAzure.requireSubjectAttribute = PENNNAME
grouper.azureConnector.myAzure.subjectIdValueFormat = ${subject.getAttributeValue("PENNNAME")}@upenn.edu
```
Run a membership check