The Grouper custom UI
- Helps end users and administrators view and troubleshoot access state and problems
- (optional) Allows end users to easily opt in or opt out of a group without all the bells and whistles of the Grouper UI
- When the user joins/leaves, or when a manager adds/removes someone, an optional custom email can be sent to the user
This is a new feature in api patch 2.4.96+
To use this a group is configured with attributes
- customUi (marker)
- customUiUserQueryConfigBeans (set variables)
- customUiTextConfigBeans (use those variables to change the UI)
Then there is a link in the More Actions menu.
That link goes to the custom UI; here is an example from Penn:
The configuration is done with JSON from simple javabeans; here is an example, explained more later:
Configuration attributes
The configuration is simple javabeans in JSON format
User query config bean
These configs identify variables that can be used in the screen to conditionally set text, adjust email text, etc. They are set from some operation such as checking a membership in a group, or an LDAP or SQL call.
The queries are of type userQueryType, which comes from the enum CustomUiUserQueryType:
- azure: check an azure membership
- expressionLanguage: some expression (could call java)
- grouper: check a membership or privilege
- ldap: execute an ldap filter
- sql: run a sql query against grouper or another database
The queries assign variables, which must be prefixed with "cu_" (for "Custom UI").
You can configure a default that fills in values for all config beans (useful if there are a bunch of similar LDAP calls).
Field | Type | Query types (required / optional, where stated) | Description |
---|---|---|---|
attributeDefId | String | expressionLanguage, grouper, sql | uuid of attribute def to look up |
azureGroupId | String | azure | if hardcoding the uuid of the group in Azure |
bindVar0 | String | sql | bind var for sql |
bindVar0type | String | sql | bind var type in sql: string or integer |
bindVar1 | String | sql | bind var for sql |
bindVar1type | String | sql | bind var type in sql: string or integer |
bindVar2 | String | sql | bind var for sql |
bindVar2type | String | sql | bind var type in sql: string or integer |
configId | String | required: azure, ldap; optional: sql | id in grouper config for azure, ldap, or sql |
enabled | Boolean | azure, expressionLanguage, grouper, ldap, sql | true or false, whether this var is enabled |
errorLabel | String | required: azure; optional: expressionLanguage, grouper, ldap, sql | label on screen for the error variable |
fieldNames | String | grouper | comma separated privs in grouper, e.g. members, readers, admins, viewers, updaters, optins, optouts, groupAttrReaders, groupAttrUpdaters, creators, stemAdmins, stemAttrReaders, stemAttrUpdaters, attrReaders, attrUpdaters, attrDefAttrReaders, attrDefAttrUpdaters, attrOptins, attrOptouts, attrAdmins |
forLoggedInUser | Boolean | azure, expressionLanguage, grouper, ldap, sql | true if this rule should run for the logged in user (if a manager is using the screen); by default it runs for the user being acted on (which might be the user logged in) |
groupId | String | azure, expressionLanguage, grouper, ldap, sql | group uuid to look up a group |
groupName | String | azure, expressionLanguage, grouper, ldap, sql | group name to look up a group |
label | String | azure, expressionLanguage, grouper, ldap, sql | label to see on screen when variables are displayed |
ldapAttributeToRetrieve | String | ldap | which attribute in ldap to retrieve |
ldapFilter | String | ldap | ldap filter to run |
ldapSearchDn | String | ldap | if not using the default dn in the connection, search in this dn |
nameOfAttributeDef | String | expressionLanguage, grouper, sql | name of attribute definition to look up |
order | Integer | azure, expressionLanguage, grouper, ldap, sql | integer; rules will be ordered by this integer when displayed on screen |
query | String | sql | sql query to execute |
script | String | expressionLanguage | EL expression to run |
stemId | String | expressionLanguage, grouper, sql | uuid of stem to look up |
stemName | String | expressionLanguage, grouper, sql | name of stem to look up |
userQueryType | String | azure, expressionLanguage, grouper, ldap, sql | identifies the type of query; enter one of: azure, expressionLanguage, grouper, ldap, sql |
variableToAssign | String | azure, expressionLanguage, grouper, ldap, sql | name of variable, must start with cu_; you can't have two variables with the same name |
variableToAssignOnError | String | required: azure; optional: expressionLanguage, grouper, ldap, sql | name of variable to assign on error, must start with cu_; you can't have two variables with the same name |
variableType | String | expressionLanguage, grouper, ldap, sql | type of variable: boolean, integer, string |
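The naming and typing rules above (cu_ prefix, unique variable names, the userQueryType enum, string/integer bind var types, boolean/integer/string variable types, the cu_grouper namespace reserved for built-in variables) are easy to get wrong in hand-written JSON, and a bad bean only shows up when the screen is rendered. The following validator is an added example, not Grouper code: it checks a customUiUserQueryConfigBeans list against those rules before the attribute is assigned. The sample configs, the group name, the SQL table, the `${subject.id}` reference, the configId values and the assumption that query, ldapFilter and script are mandatory for their own type are all this example's own (the page lists those fields per type but does not mark them required).

```python
import json

# Values from the CustomUiUserQueryType enum listed on the page.
USER_QUERY_TYPES = {"azure", "expressionLanguage", "grouper", "ldap", "sql"}
VARIABLE_TYPES = {"boolean", "integer", "string"}
BIND_VAR_TYPES = {"string", "integer"}

# Fields the page lists under exactly one query type.
TYPE_SPECIFIC_FIELDS = {
    "azureGroupId": {"azure"},
    "fieldNames": {"grouper"},
    "query": {"sql"},
    "script": {"expressionLanguage"},
    "ldapFilter": {"ldap"},
    "ldapSearchDn": {"ldap"},
    "ldapAttributeToRetrieve": {"ldap"},
}
# Assumption (not stated on the page): the field carrying the query itself
# cannot be omitted for its type.
REQUIRED_BY_TYPE = {"sql": "query", "ldap": "ldapFilter", "expressionLanguage": "script"}
# The table marks these as required for azure.
REQUIRED_FOR_AZURE = ("errorLabel", "variableToAssignOnError")


def validate_user_query_beans(beans):
    """Return a list of problems found in a customUiUserQueryConfigBeans list.

    An empty list means every check this validator knows about passed."""
    problems = []
    seen = set()
    for i, bean in enumerate(beans):
        where = "bean[%d]" % i
        qtype = bean.get("userQueryType")
        if qtype not in USER_QUERY_TYPES:
            problems.append("%s: userQueryType %r is not one of %s"
                            % (where, qtype, sorted(USER_QUERY_TYPES)))

        # Variable naming rules: cu_ prefix, cu_grouper reserved, names unique.
        for var_field in ("variableToAssign", "variableToAssignOnError"):
            name = bean.get(var_field)
            if name is None:
                if var_field == "variableToAssign":
                    problems.append("%s: variableToAssign is missing" % where)
                continue
            if not name.startswith("cu_"):
                problems.append("%s: %s %r must start with cu_" % (where, var_field, name))
            elif name.startswith("cu_grouper"):
                problems.append("%s: %s %r uses the reserved cu_grouper namespace"
                                % (where, var_field, name))
            if name in seen:
                problems.append("%s: variable %r is assigned more than once" % (where, name))
            seen.add(name)

        vtype = bean.get("variableType")
        if vtype is not None and vtype not in VARIABLE_TYPES:
            problems.append("%s: variableType %r must be boolean, integer or string" % (where, vtype))
        for n in range(3):
            btype = bean.get("bindVar%dtype" % n)
            if btype is not None and btype not in BIND_VAR_TYPES:
                problems.append("%s: bindVar%dtype %r must be string or integer" % (where, n, btype))

        # Fields that belong to one query type must not appear on another.
        for fld, allowed in TYPE_SPECIFIC_FIELDS.items():
            if fld in bean and qtype not in allowed:
                problems.append("%s: %s only applies to %s, not %r" % (where, fld, sorted(allowed), qtype))
        needed = REQUIRED_BY_TYPE.get(qtype)
        if needed and needed not in bean:
            problems.append("%s: %s query has no %s" % (where, qtype, needed))
        if qtype == "azure":
            for fld in REQUIRED_FOR_AZURE:
                if fld not in bean:
                    problems.append("%s: azure query requires %s" % (where, fld))
    return problems


# Constructed sample: a grouper membership check, a SQL lookup and an LDAP lookup.
# Group name, table, configIds and the ${subject.id} reference are illustrative.
GOOD_CONFIG = json.loads("""
[
  {"userQueryType": "grouper", "groupName": "app:wiki:users", "fieldNames": "members",
   "variableToAssign": "cu_wikiMember", "variableType": "boolean", "order": 10, "label": "Wiki member"},
  {"userQueryType": "sql", "configId": "grouper",
   "query": "select count(*) from staff_directory where person_id = ?",
   "bindVar0": "${subject.id}", "bindVar0type": "string",
   "variableToAssign": "cu_isEmployee", "variableType": "boolean", "order": 20, "label": "Employee"},
  {"userQueryType": "ldap", "configId": "personLdap", "ldapFilter": "(uid=${subject.id})",
   "ldapAttributeToRetrieve": "eduPersonAffiliation",
   "variableToAssign": "cu_affiliation", "variableType": "string", "order": 30, "label": "Affiliation"}
]
""")

# Constructed sample with five deliberate mistakes (no prefix, unknown type with a
# sql-only field, duplicate name, reserved namespace).
BAD_CONFIG = [
    {"userQueryType": "grouper", "groupName": "app:wiki:users", "fieldNames": "members", "variableToAssign": "wikiMember"},
    {"userQueryType": "sqll", "query": "select 1", "variableToAssign": "cu_x"},
    {"userQueryType": "ldap", "ldapFilter": "(uid=x)", "variableToAssign": "cu_x"},
    {"userQueryType": "expressionLanguage", "script": "${true}", "variableToAssign": "cu_grouperThing"},
]

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_user_query_beans(cfg) or "ok")
```

Run it before assigning the attribute value; a config that passes here can still fail at runtime (bad SQL, an LDAP filter that matches nothing), but the shape errors that produce an unexplained blank screen are caught up front.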
Built-in variables
These variables are there for you to key off of. Note: do not start your variable names with "cu_grouper", since that namespace is reserved for built-in variables.
TODO
Text config beans
These are a little misnamed: they are for text, or for other decisions about the screen, and can produce a boolean result. It is strongly encouraged to externalize text in the UI externalized text config.
They generally take the variables defined above and use boolean logic to decide which text to show or who is allowed to do certain things.
The text type is the decision or text to compute. The engine runs through the config and appends the ones that match, unless the one that matches says to stop processing. You can also have defaults.
Every text bean returns a string, but if it is "true" or "false" it will be interpreted as a boolean.
Text type | Type | Description |
---|---|---|
canAssignVariables | boolean | if the screen allows variables to be assigned in the URL for testing, e.g. to simulate various users and see how the screen responds. Note: only allow trusted users to do this. Only Grouper admins can do this by default |
canSeeScreenState | boolean | if the screen state analysis should be displayed on the screen to help the user understand why access exists or not. By default only Grouper admins can see screen state. Note that more columns of the user environment will also display |
canSeeUserEnvironment | boolean | if the user variables and results should display. By default group readers and updaters can see this. Note that these are abbreviated if the user cannot also see screen state |
emailBccGroupName | String | if there are emails and a group should be bcc'ed, then return the group name here |
emailBody | String | if there are emails then this is the body. Note you can have a template that is dynamic, or different templates in different scenarios |
emailSubject | String | if there are emails then this is the subject. Note you can have a template that is dynamic, or different templates in different scenarios |
emailToUser | boolean | true if an email should be sent to the user. Note you can send only under certain circumstances if you like |
enrollButtonShow | boolean | true if the enroll button should show. Note that the user can't enroll if they don't have optin on the group |
enrollButtonText | String | Button text of the enroll button. Defaults to: Enroll |
enrollmentLabel | String | Text above the enrollment button that shows the state of the enrollment or whatever else |
header | String | The H1 of the page |
helpLink | String | Link where the help button goes |
instructions1 | String | Instructions at the top of the page |
logo | String | Link for logo |
managerInstructions | String | Instructions to appear for readers/updaters who are managing users in this group |
unenrollButtonShow | boolean | true if the unenroll button should show. Note that the user can't unenroll if they don't have optout on the group. Note that the enroll and unenroll buttons will not show at once |
unenrollButtonText | String | Button text of the unenroll button. Defaults to: Unenroll |
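The evaluation rules described above (beans of one text type run in order, matching beans are appended, a matching bean can stop processing, defaults apply when nothing matched, and a "true"/"false" result becomes a boolean) decide whether a user sees an enroll button or an explanation. The simulation below is an added example, not Grouper code, and does not reproduce the real bean's JSON field names or its EL scripts: `textType`, `text`, `condition`, `stopIfMatch` and `order` are this example's own names, conditions are Python callables over the cu_ variables, and the group, variables and texts are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

Variables = Dict[str, object]


@dataclass
class TextBean:
    """One text config bean (field names are this example's own, not Grouper's).

    textType    - one of the text types from the table, e.g. "enrollButtonShow"
    text        - the string this bean contributes when it matches
    condition   - boolean logic over the cu_ variables; None marks a default
    stopIfMatch - when True, no later bean of this text type is considered
    order       - beans of one text type are evaluated in ascending order
    """
    textType: str
    text: str
    condition: Optional[Callable[[Variables], bool]] = None
    stopIfMatch: bool = False
    order: int = 0


def coerce(value: str) -> Union[bool, str]:
    """Every bean returns a string; "true"/"false" are interpreted as booleans."""
    lowered = value.strip().lower()
    if lowered == "true":
        return True
    if lowered == "false":
        return False
    return value


def evaluate_text_type(beans: List[TextBean], text_type: str, variables: Variables):
    """Compute one text type: append matching beans in order, honour stop, fall back to defaults."""
    candidates = sorted((b for b in beans if b.textType == text_type), key=lambda b: b.order)
    matched = []
    for bean in candidates:
        if bean.condition is None:
            continue  # defaults only count when nothing else matched
        if bean.condition(variables):
            matched.append(bean.text)
            if bean.stopIfMatch:
                break
    if not matched:
        matched = [b.text for b in candidates if b.condition is None]
    return coerce("".join(matched))


def compute_screen(beans: List[TextBean], variables: Variables) -> Dict[str, object]:
    """Evaluate every text type present in the config for one user's variables."""
    return {t: evaluate_text_type(beans, t, variables) for t in sorted({b.textType for b in beans})}


# Constructed config for a hypothetical self-service wiki group. The cu_ variables
# would come from user query config beans; here they are supplied directly.
BEANS = [
    TextBean("enrollButtonShow", "true",
             lambda v: v["cu_isEmployee"] and not v["cu_wikiMember"], stopIfMatch=True, order=10),
    TextBean("enrollButtonShow", "false", order=99),                       # default
    TextBean("unenrollButtonShow", "true", lambda v: v["cu_wikiMember"], stopIfMatch=True, order=10),
    TextBean("unenrollButtonShow", "false", order=99),                     # default
    TextBean("enrollmentLabel", "You are enrolled in the wiki", lambda v: v["cu_wikiMember"],
             stopIfMatch=True, order=10),
    TextBean("enrollmentLabel", "You are eligible to enroll", lambda v: v["cu_isEmployee"],
             stopIfMatch=True, order=20),
    TextBean("enrollmentLabel", "Contact the service desk for access", order=99),  # default
    # Two instruction beans without stopIfMatch: their texts are appended.
    TextBean("instructions1", "Welcome to the wiki.", lambda v: True, order=10),
    TextBean("instructions1", " Employees may self-enroll.", lambda v: v["cu_isEmployee"], order=20),
]

MEMBER = {"cu_isEmployee": True, "cu_wikiMember": True}
ELIGIBLE = {"cu_isEmployee": True, "cu_wikiMember": False}
OUTSIDER = {"cu_isEmployee": False, "cu_wikiMember": False}

if __name__ == "__main__":
    for name, vars_ in (("member", MEMBER), ("eligible", ELIGIBLE), ("outsider", OUTSIDER)):
        print(name, compute_screen(BEANS, vars_))
```

Note the difference between the boolean text types and instructions1: because boolean beans stop on the first match, a user is never shown "truetrue", while the instruction beans deliberately append. Keep a default bean for every boolean text type that gates an action, so that a user with an unexpected combination of variables falls through to "false" rather than to an empty string.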
Azure membership
Configure in grouper.properties:

```properties
grouper.azureConnector.myAzure.loginEndpoint = https://login.microsoftonline.com
grouper.azureConnector.myAzure.DirectoryID = 6c4dxxx0d
grouper.azureConnector.myAzure.client_id = fd805xxxxdfb
grouper.azureConnector.myAzure.client_secret = ******************
grouper.azureConnector.myAzure.resource = https://graph.microsoft.com
grouper.azureConnector.myAzure.graphEndpoint = https://graph.microsoft.com
grouper.azureConnector.myAzure.graphVersion = v1.0
grouper.azureConnector.myAzure.groupLookupAttribute = displayName
grouper.azureConnector.myAzure.groupLookupValueFormat = ${group.getName()}
grouper.azureConnector.myAzure.requireSubjectAttribute = PENNNAME
grouper.azureConnector.myAzure.subjectIdValueFormat = ${subject.getAttributeValue("PENNNAME")}@upenn.edu
```
Run a membership check