If a user is not an employee, do not allow to be added to any group in a folder. This is a special rule in that only one can fire, and it needs to be hierarchical. i.e. if things are restricted at an ancestor folder, but opened up in a descendant folder, then allow. This will probably require a custom rules engine processor.
Phase 2 would filter subjects in a subject search to only return valid users based on group restrictions.
Phase 2.5 is a change log consumer that sees if subjects are removed from groups.
Phase 3 could include a daemon (daily? weekly?) to clean up orphans
Java example
//add a rule on stem:someStem saying if not in stem:employee, then dont allow add to any group under stem:subStem AttributeAssign attributeAssign = ruleFolder .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign(); AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate(); attributeValueDelegate.assignValue( RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa"); attributeValueDelegate.assignValue( RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem"); //subject use means membership add, privilege assign, permission assign, etc. attributeValueDelegate.assignValue( RuleUtils.ruleCheckTypeName(), RuleCheckType.subjectUseAdd.name()); attributeValueDelegate.assignValue( RuleUtils.ruleCheckStemScope(), "SUB"); //this is optional to restrict to source. I think you will want to do that, or you //would need to have all the usable groups in the allowed group... attributeValueDelegate.assignValue( RuleUtils.ruleCheckArg0(), "someSourceId"); attributeValueDelegate.assignValue( RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.groupHasNoEnabledMembership.name()); attributeValueDelegate.assignValue( RuleUtils.ruleIfOwnerNameName(), "stem:employeeGroup"); attributeValueDelegate.assignValue( RuleUtils.ruleThenEnumName(), RuleThenEnum.veto.name()); //key which would be used in UI messages file if applicable attributeValueDelegate.assignValue( RuleUtils.ruleThenEnumArg0Name(), "rule.entity.must.be.a.member.of.stem.employeeGroup"); //error message (if key in UI messages file not there) attributeValueDelegate.assignValue( RuleUtils.ruleThenEnumArg1Name(), "Entity must be employee for this assignment"); //should be valid String isValidString = attributeValueDelegate.retrieveValueString( RuleUtils.ruleValidName()); if (!StringUtils.equals("T", isValidString)) { throw new RuntimeException(isValidString); }
GSH shorthand method
RuleApi.vetoAddIfNotInGroup(actAsSubject, ruleStem, mustBeInGroup, "rule.entity.must.be.a.member.of.stem.employeeGroup", "Entity must be employee for this assignment");
GSH test case
gsh 0% grouperSession = GrouperSession.startRootSession(); edu.internet2.middleware.grouper.GrouperSession: 9df8fdf1c6dd4629b6c9dacd7e0f6f4a,'GrouperSystem','application' gsh 1% stemA = new StemSave(grouperSession).assignName("stem:a").assignCreateParentStemsIfNotExist(true).save(); stem: name='stem:a' displayName='stem:a' uuid='de3c5d56d14840ee9c9bded29f7f86b5' gsh 2% groupB = new GroupSave(grouperSession).assignName("stem:b").assignCreateParentStemsIfNotExist(true).save(); group: name='stem:b' displayName='stem:b' uuid='fc1a3465730a4f0e86d6b0c74dcd8fcb' gsh 2% groupC = new GroupSave(grouperSession).assignName("stem:a:c").assignCreateParentStemsIfNotExist(true).save(); group: name='stem:a:c' displayName='stem:a:c' uuid='fc1a3465730a4f0e86d6b0c74dcd8123' gsh 3% subjectActAs = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true); subject: id='GrouperSystem' type='application' source='g:isa' name='GrouperSysAdmin' gsh 8% RuleApi.vetoAddIfNotInGroup(subjectActAs, stemA, groupB, "rule.entity.must.be.a.member.of.stem.b", "Entity must be employee for this assignment");gsh 9% addMember("stem:b", "test.subject.1"); true gsh 9% addMember("stem:b", "test.subject.1"); true gsh 10% addMember("stem:a:c", "test.subject.1"); true gsh 11% addMember("stem:a:c", "test.subject.0"); // Error: unable to evaluate command: Sourced file: inline evaluation of: ``addMember("stem:a", "test.subject.0");'' : Error invoking compiled command: : Error in compiled command: edu.internet2.middleware.grouper.rules.RuleVeto: rule.entity.must.be.a.member.of.stem.b, Entity must be employee for this assignment, group name: stem:a, subject: Subject id: test.subject.0, sourceId: jdbc, field: members gsh 12% hasMember("stem:a:c", "test.subject.0"); false gsh 13% hasMember("stem:b", "test.subject.1"); true gsh 14%