The Grouper custom UI
- Helps end users and administrators view and troubleshoot access state and problems
- (optional) Allows end users to easily opt in or opt out of a group without all the bells and whistles of the Grouper UI
- When the user joins/leaves, or when a manager adds/removes someone, an optional custom email can be sent to the user
This is a new feature in API patch 2.4.96+.
To use this, a group is configured with these attributes:
- customUi (marker)
- customUiUserQueryConfigBeans (set variables)
- customUiTextConfigBeans (use those variables to change the UI)
Then there is a link in the More Actions menu.
That link goes to the custom UI. Here is an example from Penn:
The configuration is done with JSON from simple JavaBeans. Here is an example, explained in more detail later:
Configuration attributes
The configuration is simple JavaBeans in JSON format.
User query config bean
These configs identify variables that can be used in the screen to conditionally set text, adjust email text, etc. They are set by an operation such as checking a membership in a group, or an LDAP or SQL call.
Each query has a type, userQueryType, taken from the enum CustomUiUserQueryType:
- azure: check an azure membership
- expressionLanguage: some expression (could call java)
- grouper: check a membership or privilege
- ldap: execute an ldap filter
- sql: run a sql query against grouper or another database
The queries assign variables, which must be prefixed with "cu_" for "Custom UI".
Field | Type | Required for type | Optional for type | Description |
---|---|---|---|---|
attributeDefId | String | expressionLanguage, grouper, sql | uuid of attribute def to look up | |
azureGroupId | String | azure | if hardcoding the uuid of group in azure | |
bindVar0 | String | sql | bind var for sql | |
bindVar0type | String | sql | bind var type in sql: string or integer | |
bindVar1 | String | sql | bind var for sql | |
bindVar1type | String | sql | bind var type in sql: string or integer | |
bindVar2 | String | sql | bind var for sql | |
bindVar2type | String | sql | bind var type in sql: string or integer | |
configId | String | azure, ldap | sql | id in grouper config for azure, ldap, or sql |
enabled | Boolean | azure, expressionLanguage, grouper, ldap, sql | true or false if this var is enabled | |
errorLabel | String | azure | expressionLanguage, grouper, ldap, sql | label on screen for the error variable |
fieldNames | String | grouper | comma separated privs in grouper, e.g. members, readers, admins, viewers, updaters, optins, optouts, groupAttrReaders, groupAttrUpdaters, creators, stemAdmins, stemAttrReaders, stemAttrUpdaters, attrReaders, attrUpdaters, attrDefAttrReaders, attrDefAttrUpdaters, attrOptins, attrOptouts, attrAdmins | |
forLoggedInUser | Boolean | azure, expressionLanguage, grouper, ldap, sql | true if this rule should run for the logged-in user (if a manager is using the screen); by default it is the user being acted on (which might be the logged-in user) | |
groupId | String | azure, expressionLanguage, grouper, ldap, sql | group uuid to look up a group | |
groupName | String | azure, expressionLanguage, grouper, ldap, sql | group name to look up a group | |
label | String | azure, expressionLanguage, grouper, ldap, sql | label to see on screen when variables are displayed | |
ldapAttributeToRetrieve | String | ldap | which attribute in ldap to retrieve | |
ldapFilter | String | ldap | ldap filter to run | |
ldapSearchDn | String | ldap | if not using the default dn in connection, search in this dn | |
nameOfAttributeDef | String | expressionLanguage, grouper, sql | name of attribute definition to lookup | |
order | Integer | azure, expressionLanguage, grouper, ldap, sql | integer and rules will be ordered by this integer, when displayed on screen | |
query | String | sql | sql query to execute | |
script | String | expressionLanguage | EL expression to run | |
stemId | String | expressionLanguage, grouper, sql | uuid of stem to lookup | |
stemName | String | expressionLanguage, grouper, sql | name of stem to lookup | |
userQueryType | String | azure, expressionLanguage, grouper, ldap, sql | identify the type of query, enter either: azure, expressionLanguage, grouper, ldap, sql | |
variableToAssign | String | azure, expressionLanguage, grouper, ldap, sql | name of variable; must start with cu_; you can't have two variables with the same name | |
variableToAssignOnError | String | azure | expressionLanguage, grouper, ldap, sql | name of variable to assign on error; must start with cu_; you can't have two variables with the same name |
variableType | String | expressionLanguage, grouper, ldap, sql | type of variable: boolean, integer, string |
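The rules in this table can be checked before a bean is saved on a group. The linter below is an added example, not Grouper code: the function name and the sample beans are hypothetical, and it assumes each customUiUserQueryConfigBeans value holds one bean as a JSON object. It enforces only the constraints stated above (the query type enum, the cu_ prefix, unique variable names, the allowed variable and bind variable types, configId for azure and ldap) and marks expressionLanguage and sql beans for manual review, since those run configured expressions or queries.

```python
import json

# Values below come from the page's enum list and field table.
QUERY_TYPES = ("azure", "expressionLanguage", "grouper", "ldap", "sql")
VARIABLE_TYPES = ("boolean", "integer", "string")
BIND_TYPES = ("string", "integer")
REVIEW_TYPES = ("expressionLanguage", "sql")  # beans that run configured code or SQL

def lint_user_query_beans(bean_json_values):
    """Return (bean index, severity, message) findings; assumes one JSON object per value."""
    findings, seen = [], {}
    for i, raw in enumerate(bean_json_values):
        try:
            bean = json.loads(raw)
        except json.JSONDecodeError as exc:
            findings.append((i, "error", f"not valid JSON: {exc.msg}"))
            continue
        if not isinstance(bean, dict):
            findings.append((i, "error", "bean must be a JSON object"))
            continue
        qtype = bean.get("userQueryType")
        if qtype not in QUERY_TYPES:
            findings.append((i, "error", f"unknown userQueryType {qtype!r}"))
        elif qtype in REVIEW_TYPES:
            findings.append((i, "review", f"{qtype} bean needs a manual review"))
        if qtype in ("azure", "ldap") and not bean.get("configId"):
            findings.append((i, "error", f"configId is required for {qtype}"))
        for field in ("variableToAssign", "variableToAssignOnError"):
            name = bean.get(field)
            if name is not None and (not isinstance(name, str) or not name.startswith("cu_")):
                findings.append((i, "error", f"{field} must start with cu_"))
            elif name in seen:
                findings.append((i, "error", f"{name} already assigned by bean {seen[name]}"))
            elif name is not None:
                seen[name] = i
        if bean.get("variableType") not in (None,) + VARIABLE_TYPES:
            findings.append((i, "error", "variableType must be boolean, integer or string"))
        for n in range(3):
            if bean.get(f"bindVar{n}type") not in (None,) + BIND_TYPES:
                findings.append((i, "error", f"bindVar{n}type must be string or integer"))
    return findings

# Constructed sample beans (group name, filter and config id are made up).
SAMPLE_BEANS = [
    '{"userQueryType": "grouper", "groupName": "app:vpn", "variableToAssign": "cu_vpnMember"}',
    '{"userQueryType": "ldap", "ldapFilter": "(objectClass=person)", "variableToAssign": "hasEntry"}',
    '{"userQueryType": "sql", "configId": "db1", "bindVar0type": "number", "variableToAssign": "cu_vpnMember"}',
]
```

Calling lint_user_query_beans(SAMPLE_BEANS) returns no findings for the first bean, two errors for the second, and a review flag plus two errors for the third.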
Azure membership
Configure in grouper.properties
    grouper.azureConnector.myAzure.loginEndpoint = https://login.microsoftonline.com
    grouper.azureConnector.myAzure.DirectoryID = 6c4dxxx0d
    grouper.azureConnector.myAzure.client_id = fd805xxxxdfb
    grouper.azureConnector.myAzure.client_secret = ******************
    grouper.azureConnector.myAzure.resource = https://graph.microsoft.com
    grouper.azureConnector.myAzure.graphEndpoint = https://graph.microsoft.com
    grouper.azureConnector.myAzure.graphVersion = v1.0
    grouper.azureConnector.myAzure.groupLookupAttribute = displayName
    grouper.azureConnector.myAzure.groupLookupValueFormat = ${group.getName()}
    grouper.azureConnector.myAzure.requireSubjectAttribute = PENNNAME
    grouper.azureConnector.myAzure.subjectIdValueFormat = ${subject.getAttributeValue("PENNNAME")}@upenn.edu
Run a membership check