We want to be able to craft policies by an expression instead of creating loaders or tons of reference groups based on cartesian products of basis/ref groups.
Individual groups can be configured to automatically have their membership managed with individual subject or other basis groups.
Two Grouper tables will be constructed
| Table name | Description |
|---|---|
| grouper_abac_group_attributes | Rows for groups and attribute names and values |
| grouper_abac_subject_attributes | Row for subjects and attribute names and values |
These tables are managed by grouper based on configuration.
The group attribute values come from the attribute framework which could be automatically fed from external systems of record. For now, an OtherJob could do this on a schedule.
| grouper_abac_group_attributes | ||
| Group name | Attribute name | Attribute value |
|---|---|---|
| ref:course:term:cis123 | campus | palmer |
| ref:course:term:cis123 | campus | southern |
| ref:course:term:cis124 | campus | northern |
| ref:course:term:cis124 | termStart | 8/1/2020 |
| ref:course:term:cis124 | termEnd | 1/1/2020 |
The individual attribute values are fed from basis/ref groups and the values can be transformed from the group name to something that has institutional meaning. This can happen from attribute or from text manipulation
| grouper_abac_subject_attributes | |||
| Subject id | Source id | Attribute name | Attribute value |
|---|---|---|---|
| jsmith | person | affiliation | staff |
| jsmith | person | dept | math |
| jsmith | person | dept | physics |
| rjohnson | person | school | engineering |
| wturner | person | primaryAffiliation | faculty |
Group somewhere in registry has a GraphQL or some other type expression. Boolean logic and wildcards are required
| Group | Type | Expression | Description |
|---|---|---|---|
| org:whatever:app:somePolicy | ref/bassis groups as members | (groups(campus in ['palmer', southern'] and termStart - 7 > sysdate and termEnd + 7 < sysdate)) | Give me groups as members where campus and term match |
| org:whatever2:app2:somePolicy2 | subjects as members | (subjects(primaryAffiliation in ['faculty', 'staff'] and dept in ['physics', 'math'])) | Subjects in a role and dept |
| org:whatever3:app3:somePolicy3 | could have some groups and subjects | (groups(campus in ['palmer', southern'] and termStart - 7 > sysdate and termEnd + 7 < sysdate) or subjects(primaryAffiliation in ['faculty', 'staff'] and dept in ['physics', 'math']))) | Take some group populations and substract out some subject |
The expression can only be written by people who can READ groups in the abac group/subject tables.
A nightly full sync will occur.
An incremental change log consumer can see which memberships change (or attribute values) and which policies those refer to, and incrementally adjust the membership of those groups.