
If a subject is not an employee, do not allow it to be added to any group in a folder.  This is a special rule in that only one rule can fire, and evaluation needs to be hierarchical: if adds are restricted at an ancestor folder but opened up again in a descendant folder, the descendant's rule is the one that fires and the add is allowed.  This will probably require a custom rules engine processor.  Note that the rule only vetoes new assignments; memberships that already exist when the rule is added, or subjects who later leave the employee group, are covered by the later phases.

Phase 2 would filter subjects in a subject search so that only subjects who satisfy the group restriction are returned.

Phase 2.5 is a change log consumer that notices when subjects are removed from groups (e.g. from the employee group) so that memberships which no longer satisfy the rule can be removed.

Phase 3 could include a daemon (daily? weekly?) to clean up orphans: memberships that no longer satisfy the rule but were missed by the change log consumer.
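The three phases and the hierarchical resolution order above can be modelled end to end with an in-memory registry.  The following is an added example, not Grouper's own code: it walks up from the target group's folder and lets the nearest folder carrying a rule decide (so a descendant folder can open up what an ancestor restricted), applies the optional source restriction, and reuses that single check for the Phase 2 search filter, the Phase 2.5 change log reaction and the Phase 3 sweep.  The folder, group and subject names (stem:a, stem:b, stem:a:open, test.subject.0, test.subject.1, svc.account) and the source ids are constructed for illustration.

```python
"""Model of the hierarchical "veto add if not in group" rule described above.
Constructed example, not Grouper code. Names follow Grouper conventions: group
"stem:a:c" lives in folder "stem:a"; subjects are (id, sourceId) pairs. Only the
rule on the nearest ancestor folder of the target group fires."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class VetoRule:
    folder: str                      # folder the rule is assigned to
    must_be_in: Optional[str]        # gating group; None means no restriction here
    source_id: Optional[str] = None  # only check subjects from this source (checkArg0)
    message: str = "Entity must be employee for this assignment"


class RuleVeto(Exception):
    pass


class Registry:
    def __init__(self):
        self.groups = {}   # group name -> set of (id, sourceId)
        self.rules = {}    # folder name -> VetoRule

    @staticmethod
    def parent_folder(name):
        return name.rsplit(":", 1)[0] if ":" in name else None

    def effective_rule(self, group):
        """Walk up from the group's folder; the first folder carrying a rule wins."""
        folder = self.parent_folder(group)
        while folder is not None:
            if folder in self.rules:
                return self.rules[folder]
            folder = self.parent_folder(folder)
        return None

    def check_add(self, group, subject):
        rule = self.effective_rule(group)
        if rule is None or rule.must_be_in is None:
            return  # unrestricted, or opened up by a descendant folder
        if rule.source_id is not None and subject[1] != rule.source_id:
            return  # subjects from other sources are not checked
        if subject not in self.groups.get(rule.must_be_in, set()):
            raise RuleVeto(f"{rule.message}, group name: {group}, subject: {subject}")

    def allows(self, group, subject):
        try:
            self.check_add(group, subject)
            return True
        except RuleVeto:
            return False

    def add_member(self, group, subject):
        self.check_add(group, subject)          # veto raises instead of adding
        self.groups.setdefault(group, set()).add(subject)
        return True

    def filter_subjects(self, group, subjects):
        """Phase 2: only return subjects the rule would let into group."""
        return [s for s in subjects if self.allows(group, s)]

    def sweep(self):
        """Phase 3: drop memberships that no longer satisfy their folder's rule."""
        removed = [(g, s) for g, ms in self.groups.items() for s in ms if not self.allows(g, s)]
        for g, s in removed:
            self.groups[g].discard(s)
        return removed

    def remove_member(self, group, subject):
        """Phase 2.5: a change log consumer reacting to a membership delete."""
        self.groups.get(group, set()).discard(subject)
        return self.sweep()


def demo():
    reg = Registry()
    emp = ("test.subject.1", "jdbc")   # constructed: an employee
    dev = ("test.subject.0", "jdbc")   # constructed: not an employee
    svc = ("svc.account", "g:isa")     # constructed: subject from another source
    reg.rules["stem:a"] = VetoRule("stem:a", "stem:b", source_id="jdbc")
    reg.rules["stem:a:open"] = VetoRule("stem:a:open", None)  # descendant opens up
    reg.add_member("stem:b", emp)
    out = {"emp_in_c": reg.add_member("stem:a:c", emp)}
    try:
        reg.add_member("stem:a:c", dev)
        out["dev_in_c"] = True
    except RuleVeto:
        out["dev_in_c"] = False
    out["dev_in_open"] = reg.add_member("stem:a:open:guests", dev)
    out["svc_in_c"] = reg.add_member("stem:a:c", svc)
    out["search"] = reg.filter_subjects("stem:a:c", [emp, dev, svc])
    out["swept"] = reg.remove_member("stem:b", emp)  # emp leaves the employee group
    return out
```

Two things worth noticing in the model: the gating group itself (stem:b) must live outside the restricted folder, or be opened up by a descendant rule, otherwise nobody can ever be added to it; and because the search filter, the change log reaction and the sweep all call the same check, the three phases cannot disagree about who is allowed.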

Java example

    import org.apache.commons.lang.StringUtils;

    import edu.internet2.middleware.grouper.GrouperSession;
    import edu.internet2.middleware.grouper.Stem;
    import edu.internet2.middleware.grouper.StemFinder;
    import edu.internet2.middleware.grouper.attr.assign.AttributeAssign;
    import edu.internet2.middleware.grouper.attr.value.AttributeValueDelegate;
    import edu.internet2.middleware.grouper.rules.RuleCheckType;
    import edu.internet2.middleware.grouper.rules.RuleIfConditionEnum;
    import edu.internet2.middleware.grouper.rules.RuleThenEnum;
    import edu.internet2.middleware.grouper.rules.RuleUtils;

    //the rule is assigned in a root session; when it fires it runs as the act-as subject set below
    GrouperSession grouperSession = GrouperSession.startRootSession();
    Stem ruleFolder = StemFinder.findByName(grouperSession, "stem:someStem", true);

    //add a rule on stem:someStem saying if not in stem:employeeGroup, then dont allow add to any group under stem:someStem
    AttributeAssign attributeAssign = ruleFolder
      .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();

    AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();

    //act as GrouperSystem so the rule can read stem:employeeGroup regardless of who is doing the add
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

    //subject use means membership add, privilege assign, permission assign, etc.
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckTypeName(), RuleCheckType.subjectUseAdd.name());
    //SUB: the check applies to every group anywhere under the rule folder, not just its direct children
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckStemScopeName(), "SUB");

    //optional: restrict the check to subjects from one source.  You will normally want this,
    //otherwise every subject from every source (including application subjects) would have to
    //be in the allowed group before it could be used anywhere under the folder
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckArg0Name(), "someSourceId");

    //if the subject has no enabled membership in stem:employeeGroup, veto the assignment
    attributeValueDelegate.assignValue(
        RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.groupHasNoEnabledMembership.name());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleIfOwnerNameName(), "stem:employeeGroup");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumName(), RuleThenEnum.veto.name());

    //key which would be used in UI messages file if applicable
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumArg0Name(), "rule.entity.must.be.a.member.of.stem.employeeGroup");

    //error message (if key in UI messages file not there)
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumArg1Name(), "Entity must be employee for this assignment");

    //should be valid; an invalid rule is stored but never fires, so fail loudly instead of silently
    String isValidString = attributeValueDelegate.retrieveValueString(
        RuleUtils.ruleValidName());

    if (!StringUtils.equals("T", isValidString)) {
      throw new RuntimeException(isValidString);
    }

GSH shorthand method

    //actAsSubject: the Subject the rule runs as; ruleStem: the folder the rule is assigned to;
    //mustBeInGroup: the group a subject must be in before it can be added to any group under ruleStem
    RuleApi.vetoAddIfNotInGroup(actAsSubject, ruleStem, mustBeInGroup,
        "rule.entity.must.be.a.member.of.stem.employeeGroup", "Entity must be employee for this assignment");

GSH test case

gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 9df8fdf1c6dd4629b6c9dacd7e0f6f4a,'GrouperSystem','application'
gsh 1% stemA = new StemSave(grouperSession).assignName("stem:a").assignCreateParentStemsIfNotExist(true).save();
stem: name='stem:a' displayName='stem:a' uuid='de3c5d56d14840ee9c9bded29f7f86b5'
gsh 2% groupB = new GroupSave(grouperSession).assignName("stem:b").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:b' displayName='stem:b' uuid='fc1a3465730a4f0e86d6b0c74dcd8fcb'
gsh 2% groupC = new GroupSave(grouperSession).assignName("stem:a:c").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:a:c' displayName='stem:a:c' uuid='fc1a3465730a4f0e86d6b0c74dcd8123'
gsh 3% subjectActAs = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true);
subject: id='GrouperSystem' type='application' source='g:isa' name='GrouperSysAdmin'
gsh 8% RuleApi.vetoAddIfNotInGroup(subjectActAs, stemA, groupB, "rule.entity.must.be.a.member.of.stem.b", "Entity must be employee for this assignment");
gsh 9% addMember("stem:b", "test.subject.1");
true
gsh 10% addMember("stem:a:c", "test.subject.1");
true
gsh 11% addMember("stem:a:c", "test.subject.0");
// Error: unable to evaluate command: Sourced file: inline evaluation of: ``addMember("stem:a:c", "test.subject.0");'' : Error invoking compiled command: : Error in compiled command: edu.internet2.middleware.grouper.rules.RuleVeto: rule.entity.must.be.a.member.of.stem.b, Entity must be employee for this assignment, group name: stem:a:c, subject: Subject id: test.subject.0, sourceId: jdbc, field: members
gsh 12% hasMember("stem:a:c", "test.subject.0");
false
gsh 13% hasMember("stem:b", "test.subject.1");
true
gsh 14%
