
Grouper rules

If a user is not an employee, do not allow that user to be added to any group in a folder.  This is a special rule in that only one can fire, and it needs to be hierarchical: if things are restricted at an ancestor folder but opened up in a descendant folder, then allow.  The ruleCheckType subjectAssignInStem uses a custom rules engine processor to accomplish this.  subjectAssignInStem affects all group memberships, group/folder/attributeDef privileges, and permissions (by the folder of the attributeDefName).

Phase 2 would filter subjects in a subject search to only return valid users based on group restrictions.

Phase 2.5 is a change log consumer that checks whether subjects have been removed from groups.

Phase 3 could include a daemon (daily? weekly?) to clean up orphans

Note, the ruleCheckArg0 is the subject source.  If it is blank, then the rule applies to all subject sources.  If it is filled in, then the rule only applies to that subject source.

If you want to restrict all of a subject source (or, I guess, restrict all sources), then you don't need to specify a group to check membership against; just don't use a RuleIfCondition (always fire).

If you want to open up access to a subject source or all subject sources, then use RuleIfConditionEnum.never

Java example

// imports needed by this snippet
import org.apache.commons.lang.StringUtils;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssign;
import edu.internet2.middleware.grouper.attr.value.AttributeValueDelegate;
import edu.internet2.middleware.grouper.rules.RuleCheckType;
import edu.internet2.middleware.grouper.rules.RuleIfConditionEnum;
import edu.internet2.middleware.grouper.rules.RuleThenEnum;
import edu.internet2.middleware.grouper.rules.RuleUtils;

// restrictedStem (a Stem) and employeeGroup (a Group) are assumed to exist already,
// e.g. stem2 and etc:employee as created in the GSH test case below

// add a rule on stem:a saying if not in stem:b, then don't allow add to stem:a
AttributeAssign attributeAssign = restrictedStem
    .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();

AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();

// the rule runs as GrouperSystem (source g:isa)
attributeValueDelegate.assignValue(
    RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
attributeValueDelegate.assignValue(
    RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

// subject use means membership add, privilege assign, permission assign, etc.
attributeValueDelegate.assignValue(
    RuleUtils.ruleCheckTypeName(), RuleCheckType.subjectAssignInStem.name());
// SUB: the rule covers the folder and everything below it
attributeValueDelegate.assignValue(
    RuleUtils.ruleCheckStemScopeName(), "SUB");

// this is optional to restrict to a source.  I think you will want to do that, or you
// would need to have all the usable groups in the allowed group...
attributeValueDelegate.assignValue(
    RuleUtils.ruleCheckArg0Name(), "jdbc");

// condition: the subject has no enabled membership in the employee group
attributeValueDelegate.assignValue(
    RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.groupHasNoEnabledMembership.name());
attributeValueDelegate.assignValue(
    RuleUtils.ruleIfOwnerNameName(), employeeGroup.getName());
// action: veto the assignment
attributeValueDelegate.assignValue(
    RuleUtils.ruleThenEnumName(), RuleThenEnum.veto.name());

// key which would be used in UI messages file if applicable
attributeValueDelegate.assignValue(
    RuleUtils.ruleThenEnumArg0Name(), "rule.entity.must.be.a.member.of.etc.employee");

// error message (if key in UI messages file not there)
attributeValueDelegate.assignValue(
    RuleUtils.ruleThenEnumArg1Name(), "Entity cannot be assigned if not a member of etc:employee");

// should be valid
String isValidString = attributeValueDelegate.retrieveValueString(
    RuleUtils.ruleValidName());

if (!StringUtils.equals("T", isValidString)) {
  throw new RuntimeException(isValidString);
}

GSH shorthand method

RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), restrictedStem, employeeGroup, false, "jdbc", Stem.Scope.SUB,
    "rule.entity.must.be.a.member.of.etc.employee", "Entity cannot be assigned if not a member of etc:employee");
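The hierarchical behaviour described at the top of the page (restricted at an ancestor folder, opened up again in a descendant folder with RuleIfConditionEnum.never) as an added Java example; this is not code from the page or from the Grouper project. The class name HierarchicalRuleDemo, the folders stem2:open and stem2:open:allowed, and the key rule.open.folder are assumptions; the rest reuses the names and calls already on this page, including the shorthand's boolean argument as passed here.

```java
import org.apache.commons.lang.StringUtils;
import edu.internet2.middleware.grouper.*;
import edu.internet2.middleware.grouper.attr.value.AttributeValueDelegate;
import edu.internet2.middleware.grouper.rules.*;
import edu.internet2.middleware.subject.Subject;

public class HierarchicalRuleDemo {   // hypothetical demo class
  public static void main(String[] args) throws Exception {
    GrouperSession grouperSession = GrouperSession.startRootSession();
    // constructed test objects; GroupSave creates the parent folders stem2 and stem2:open
    Group employeeGroup = new GroupSave(grouperSession).assignName("etc:employee")
        .assignCreateParentStemsIfNotExist(true).save();
    Group restrictedGroup = new GroupSave(grouperSession).assignName("stem2:restricted")
        .assignCreateParentStemsIfNotExist(true).save();
    Group openGroup = new GroupSave(grouperSession).assignName("stem2:open:allowed")
        .assignCreateParentStemsIfNotExist(true).save();
    Stem restrictedStem = StemFinder.findByName(grouperSession, "stem2", true);
    Stem openStem = StemFinder.findByName(grouperSession, "stem2:open", true);

    // 1. ancestor folder: veto jdbc subjects that are not in etc:employee (the page's shorthand)
    RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), restrictedStem,
        employeeGroup, false, "jdbc", Stem.Scope.SUB, "rule.entity.must.be.a.member.of.etc.employee",
        "Entity cannot be assigned if not a member of etc:employee");

    // 2. descendant folder: a closer subjectAssignInStem rule whose condition never matches;
    //    only one such rule fires per assignment, so this one shadows the ancestor veto
    AttributeValueDelegate v = openStem.getAttributeDelegate()
        .addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign().getAttributeValueDelegate();
    v.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
    v.assignValue(RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");
    v.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.subjectAssignInStem.name());
    v.assignValue(RuleUtils.ruleCheckStemScopeName(), "SUB");
    v.assignValue(RuleUtils.ruleCheckArg0Name(), "jdbc");   // same subject source as the ancestor rule
    v.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.never.name());
    v.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.veto.name());
    v.assignValue(RuleUtils.ruleThenEnumArg0Name(), "rule.open.folder");   // never reached
    v.assignValue(RuleUtils.ruleThenEnumArg1Name(), "unreachable veto");
    String valid = v.retrieveValueString(RuleUtils.ruleValidName());
    if (!StringUtils.equals("T", valid)) { throw new RuntimeException("descendant rule invalid: " + valid); }

    // 3. a jdbc subject that is not an employee: vetoed under stem2, allowed under stem2:open
    Subject subject0 = SubjectFinder.findByIdAndSource("test.subject.0", "jdbc", true);
    try {
      restrictedGroup.addMember(subject0);   // directly under stem2: the ancestor veto applies
      throw new RuntimeException("expected a RuleVeto under stem2");
    } catch (RuleVeto veto) {
      System.out.println("vetoed as expected: " + veto.getMessage());
    }
    openGroup.addMember(subject0);           // under stem2:open: the never-rule fires, no veto
    GrouperSession.stopQuietly(grouperSession);
  }
}
```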

GSH test case

gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 4ed601599087457cb12ab96387a4e2e7,'GrouperSystem','application'
gsh 1% allowedGroup = new GroupSave(grouperSession).assignName("stem:allowed").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:allowed' displayName='stem:allowed' uuid='6139ad6ecc004562ab491d97b9ef5829'
gsh 2% restrictedGroup = new GroupSave(grouperSession).assignName("stem2:restricted").assignCreateParentStemsIfNotExist(true).save();
group: name='stem2:restricted' displayName='stem2:restricted' uuid='fe1f2a4f944141d2b77c7400e191e69e'
gsh 3% employeeGroup = new GroupSave(grouperSession).assignName("etc:employee").assignCreateParentStemsIfNotExist(true).save();
group: name='etc:employee' displayName='etc:employee' uuid='b969b29cb83b48bb99cee3fb71595203'
gsh 4% restrictedStem = StemFinder.findByName(grouperSession, "stem2", true);
stem: name='stem2' displayName='stem2' uuid='ca3cc1e40f1a413ab8862acc5d9c1b29'
gsh 6% RuleApi.vetoSubjectAssignInFolderIfNotInGroup(SubjectFinder.findRootSubject(), restrictedStem, employeeGroup, false, "jdbc", Stem.Scope.SUB, "rule.entity.must.be.a.member.of.etc.employee", "Entity cannot be assigned if not a member of etc:employee");
edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=1567066d80684b849a618e06e89496f1,action=assign,attributeDefName=etc:attribute:rules:rule,
  stem=Stem[displayName=stem2,name=stem2,uuid=ca3cc1e40f1a413ab8862acc5d9c1b29,creator=41cbc09bf1a54ece8a9761ab8ba68970]]
gsh 8% subject0 = SubjectFinder.findByIdAndSource("test.subject.0", "jdbc", true);
subject: id='test.subject.0' type='person' source='jdbc' name='my name is test.subject.0'
gsh 9% restrictedGroup.addMember(subject0);
edu.internet2.middleware.grouper.rules.RuleVeto: rule.entity.must.be.a.member.of.etc.employee: Entity cannot be assigned if not a member of etc:employee,
gsh 12% allowedGroup.addMember(subject0);
gsh 13% employeeGroup.addMember(subject0);
gsh 14% restrictedGroup.addMember(subject0);
gsh 15%
