You are viewing an old version of this page (version 11).

Users of Grouper sometimes need to create and manage entities in Grouper that are not part of a central subject source.  An example is an application that manages access to a database: the application schemas that connect to that database are not people and are not in any subject source, yet the access management application needs to represent them in Grouper so they can be assigned to groups, roles and permissions.  Before 2.1 this could be solved by creating a group to represent the entity and never assigning members to it.  In 2.1 an "entity" can be created in the folder structure.


An entity in Grouper is an object in the Grouper namespace (folder structure) that non-Grouper-admins can create, manage and use.  It is a Java interface in the API (Entity), which has:

  • id - uuid, does not change
  • extension - system name in the folder, should not change
  • display extension - display name in the folder, can change
  • description - free-form text documentation about the entity
  • name - fully qualified (including parent folders) system name
  • display name - fully qualified (including parent folders) display name


You can create an entity with the EntitySave class.  The name is the fully qualified system name (parent folders included), and save() performs the create:

Entity testEntity = new EntitySave(grouperSession)
    .assignName("test:testEntity")               // fully qualified name in the folder structure
    .assignCreateParentStemsIfNotExist(true)     // create the "test" folder if it does not exist yet
    .save();

You can find entities with the EntityFinder class (note: a Grouper session must be open, and the session's subject must have VIEW or ADMIN on the entity for it to appear in the result; entities the subject cannot see are silently omitted):

Set<Entity> entities = new EntityFinder().addName("test:testEntity").findEntities();


Entity typeOfGroup

The "Group" object in Grouper is close to what is needed for entities: groups live in the namespace, they have privileges (entities only need ADMIN and VIEW), and they have UI and WS support.  The implementation of this enhancement is therefore a typeOfGroup option with the value entity.  In v2.1 the options are "group", "role", and "entity".

Groups are implemented in the database with rows in the grouper_group_set table for each of the possible "lists" (members and each privilege list).  The only grouper_group_set rows created for entities are: admins, viewers.

An entity is modeled as a Grouper group object, but you cannot add members to it, and you cannot assign role permissions to it directly.  If the entity is itself a member of a role, however, you can assign it individual permissions in the context of that role.

Entity privileges

There are only two privileges for entities: VIEW and ADMIN. 

  • VIEW means you can see it: its name, description, etc.  With VIEW you can add it to a group or assign permissions to it in a role.
  • ADMIN means you can edit it, delete it, assign attributes to it, grant privileges on it, etc.

In grouper.properties you can designate whether new entities are viewable by all (the GrouperAll subject) by default.  The grant occurs on entity create and can be unassigned afterwards.  This defaults to false for security reasons: an entity represents a non-person identity such as an application schema, and its existence and name should only be visible to the subjects that need to reference it.

# if set to true, then the ALL subject will be granted view on new entities
entities.create.grant.all.view = false

If you try to assign READ, UPDATE, OPTIN or OPTOUT to an entity, you will get an error.

Note: when you assign privileges in the API you use the AccessPrivilege class, e.g. AccessPrivilege.VIEW
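The following is an added example, not code from this page or from the Grouper project, that ties together the EntitySave/EntityFinder calls above with the VIEW/ADMIN rules in this section.  It creates an entity for an application database schema, shows that with the default entities.create.grant.all.view = false neither GrouperAll nor an ordinary user can see it until VIEW is granted, shows that a READ grant is rejected, and adds the entity to a role as a subject.  Assumptions (all hypothetical): the code runs inside a Grouper 2.1+ API deployment as GrouperSystem, a subject with identifier "jsmith" exists in a configured subject source, the folder names used are free, the EntitySave setters other than assignName/assignCreateParentStemsIfNotExist follow the same assignXxx naming, and the error raised for an invalid entity privilege is a RuntimeException (the page only says "an error").

```java
import java.util.Set;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GroupSave;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.entity.Entity;
import edu.internet2.middleware.grouper.entity.EntityFinder;
import edu.internet2.middleware.grouper.entity.EntitySave;
import edu.internet2.middleware.grouper.group.TypeOfGroup;
import edu.internet2.middleware.grouper.privs.AccessPrivilege;
import edu.internet2.middleware.subject.Subject;

/**
 * Added example, not Grouper project code.  Creates an entity for an
 * application database schema, shows who can see it before and after a
 * VIEW grant, and shows which privileges an entity refuses.
 *
 * Assumptions (hypothetical): runs as GrouperSystem, a subject "jsmith"
 * exists in a subject source, and entities.create.grant.all.view is left
 * at its default of false in grouper.properties.
 */
public class EntityPrivilegeExample {

  public static void main(String[] args) {
    GrouperSession session = GrouperSession.startRootSession();
    try {
      // 1. Create the entity; parent folders are created if missing.
      Entity schemaEntity = new EntitySave(session)
          .assignName("apps:hrdb:schemas:payroll_app")      // hypothetical folder and name
          .assignDisplayExtension("payroll_app schema")     // assumed setter name
          .assignDescription("Oracle schema the payroll application connects as")
          .assignCreateParentStemsIfNotExist(true)
          .save();

      // 2. An entity is stored as a group with typeOfGroup = entity, so the
      //    privilege API is the ordinary group privilege API.
      Group asGroup = GroupFinder.findByName(session, schemaEntity.getName(), true);
      System.out.println("typeOfGroup: " + asGroup.getTypeOfGroup());   // entity

      Subject everyone = SubjectFinder.findAllSubject();                 // the GrouperAll subject
      Subject jsmith = SubjectFinder.findByIdentifier("jsmith", true);   // hypothetical user

      // With the default entities.create.grant.all.view = false, neither
      // GrouperAll nor an ordinary user has VIEW on the new entity.
      System.out.println("GrouperAll can view: " + asGroup.hasView(everyone)); // false
      System.out.println("jsmith can view:     " + asGroup.hasView(jsmith));   // false

      // 3. Grant VIEW only to the user who needs to reference the entity.
      asGroup.grantPriv(jsmith, AccessPrivilege.VIEW, false);
      System.out.println("jsmith can view:     " + asGroup.hasView(jsmith));   // true

      // 4. Only VIEW and ADMIN are valid on an entity; READ, UPDATE, OPTIN and
      //    OPTOUT are rejected.  The exception type is assumed to be a
      //    RuntimeException; the page only says "you will get an error".
      try {
        asGroup.grantPriv(jsmith, AccessPrivilege.READ, false);
        System.out.println("unexpected: READ was granted on an entity");
      } catch (RuntimeException e) {
        System.out.println("READ rejected as expected: " + e.getMessage());
      }

      // 5. The entity cannot have members, but it can be a member.  Here it is
      //    added to a role as a subject; permissions are then assigned to it in
      //    that role's context, never on the entity itself.
      Group payrollRole = new GroupSave(session)
          .assignName("apps:hrdb:roles:payrollReaders")     // hypothetical role
          .assignTypeOfGroup(TypeOfGroup.role)
          .assignCreateParentStemsIfNotExist(true)
          .save();
      payrollRole.addMember(asGroup.toSubject(), false);

      // 6. EntityFinder returns only entities the session subject can see;
      //    the root session sees everything.
      Set<Entity> found = new EntityFinder()
          .addName(schemaEntity.getName())
          .findEntities();
      System.out.println("found " + found.size() + " entity as root");
    } finally {
      GrouperSession.stopQuietly(session);
    }
  }
}
```

If you run step 6 inside a session started as a subject that has neither VIEW nor ADMIN on the entity, the returned set is empty rather than an error, which is why the VIEW grant in step 3 is the only thing that makes the entity usable to that subject.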

Entity auditing, change log, point in time

Entities are audited like groups, but the audit category is entity and the actions are addEntity, updateEntity, and deleteEntity.

There are three change log types for entities: ENTITY_ADD, ENTITY_UPDATE, ENTITY_DELETE.  All other actions appear under groups.  For example, if you add a privilege to an entity it appears in the change log as a privilege added to a group.

The point in time information is available, similar to point in time information on groups.


For hooks, just use group hooks and check that typeOfGroup equals 'entity'; a group hook fires for every group-typed object, so a hook that should only apply to entities must skip groups and roles itself.
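The following is an added example, not code from this page or from the Grouper project, of a group hook that applies a policy only to entities, as the sentence above describes, and lets ordinary groups and roles through untouched.  The policy it enforces is hypothetical: entities must be created under the "apps:" folder and must carry a description stating which non-person identity they represent, which keeps a record of why each application identity exists.  It assumes the standard GroupHooks pre-insert and pre-update signatures taking a HooksGroupBean, the HookVeto(reasonKey, reason) constructor, and registration through hooks.group.class in grouper.properties.

```java
import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.group.TypeOfGroup;
import edu.internet2.middleware.grouper.hooks.GroupHooks;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean;
import edu.internet2.middleware.grouper.hooks.logic.HookVeto;

/**
 * Added example, not Grouper project code: a group hook whose policy applies
 * only to entities (typeOfGroup = entity) and ignores groups and roles.
 *
 * Hypothetical policy: entities must live under the "apps:" folder and must
 * have a description saying what they represent.  Register the hook with
 *   hooks.group.class = example.EntityPolicyHook
 * in grouper.properties (class name is hypothetical).
 */
public class EntityPolicyHook extends GroupHooks {

  /** Folder that all entities must be created under (hypothetical). */
  private static final String ENTITY_FOLDER_PREFIX = "apps:";

  @Override
  public void groupPreInsert(HooksContext hooksContext, HooksGroupBean preInsertBean) {
    Group group = preInsertBean.getGroup();
    // Entities are groups with typeOfGroup = entity; anything else is not our concern.
    if (!TypeOfGroup.entity.equals(group.getTypeOfGroup())) {
      return;
    }
    vetoIfPolicyViolated(group);
  }

  @Override
  public void groupPreUpdate(HooksContext hooksContext, HooksGroupBean preUpdateBean) {
    Group group = preUpdateBean.getGroup();
    if (!TypeOfGroup.entity.equals(group.getTypeOfGroup())) {
      return;
    }
    // Re-check on update so an edit cannot blank the description or move the
    // entity out of the designated folder.
    vetoIfPolicyViolated(group);
  }

  /** Throws a HookVeto, which aborts the operation, when the entity breaks policy. */
  private static void vetoIfPolicyViolated(Group group) {
    if (!group.getName().startsWith(ENTITY_FOLDER_PREFIX)) {
      throw new HookVeto("hook.veto.entity.folder",
          "Entities may only be created under " + ENTITY_FOLDER_PREFIX
              + ", not: " + group.getName());
    }
    String description = group.getDescription();
    if (description == null || description.trim().isEmpty()) {
      throw new HookVeto("hook.veto.entity.description",
          "An entity must have a description saying what it represents: " + group.getName());
    }
  }
}
```

Because the type check happens first, creating or editing a regular group or role under any folder is unaffected; only entity creates and updates can be vetoed.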

You cannot change an object of type "group" or "role" into an "entity", and you cannot change an "entity" into a "group" or "role".

Obviously you cannot make an entity into a composite, or add an entity as a factor of a composite.
