This topic is discussed in the "Grouper Permissions", "LITE UI Permissions - PART 1" and "LITE UI Permissions - PART 2" training videos.
Note: there are 4 levels of hierarchies in Grouper permissions.
Here are examples and diagrams of Grouper permissions.
Grouper has the capability to manage external applications' roles and permissions, and can function as a central permission management system.
Note that "privilege" is interchangeable with "permission", but Grouper already has documentation about its internal privileges on groups, folders, etc., so the word "permission" is used here.
See also the Overview of Access Management Features page for guidelines of when to use rules, roles, permission limits, and enabled / disabled dates.
Sample (Grouper API, Java)

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.attr.AttributeDefName;
import edu.internet2.middleware.grouper.attr.finder.AttributeDefNameFinder;
import edu.internet2.middleware.grouper.permissions.*;
import edu.internet2.middleware.grouper.permissions.PermissionEntry.PermissionType;
import edu.internet2.middleware.subject.Subject;

// start a root session so the assignments below are not blocked by privilege checks
GrouperSession grouperSession = GrouperSession.startRootSession();
// the group test:test is used as the role (permissions are assigned to roles)
Group test = new GroupFinder().addGroupName("test:test").findGroup();
// the permission resource test:permName must already exist (true = throw if not found)
AttributeDefName perm = AttributeDefNameFinder.findByName("test:permName", true);
// assign the permission to the role: every member of the role gets it
test.getPermissionRoleDelegate().assignRolePermission(perm);
// assign the permission to one subject, but only while that subject is in the role
Subject subject = SubjectFinder.findByIdAndSource("test.subject.0", "jdbc", true);
test.getPermissionRoleDelegate().assignSubjectRolePermission(perm, subject);
// list the immediate (not inherited) role-level assignments of the role
for (PermissionEntry permissionEntry : new PermissionFinder()
    .assignPermissionType(PermissionType.role)
    .assignImmediateOnly(true)
    .addRole("test:test")
    .findPermissions()) {
  System.out.println(permissionEntry.getAttributeDefNameName());
}
Create a role

gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer");

Add a member to a role (in this case a group)

gsh 38% userSharerRole.addMember(studentsGroup.toSubject());

Create a permission definition

gsh 51% resourcesDef = resourcesStem.addChildAttributeDef("secureShareWebResources", AttributeDefType.perm);

Add one permission resource name to another's permission set

gsh 63% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(splashResource);

Assign a permission to a role

gsh 70% userSharerRole.getPermissionRoleDelegate().assignRolePermission(sendSetResource);

Assign a permission to a member in a role

gsh 73% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(adminEmailButtonResource, schleindMember);
Get the permission assignments (not necessarily active or allowed) that are assigned immediately to a role, looked up by role name, and print the permission names

gsh 123% for (PermissionEntry permissionEntry : new PermissionFinder()
    .assignPermissionType(edu.internet2.middleware.grouper.permissions.PermissionEntry.PermissionType.role)
    .assignImmediateOnly(true)
    .addRole("a:b")
    .findPermissions()) {
  System.out.println(permissionEntry.getAttributeDefNameName());
}

Get the permission assignments (not necessarily active or allowed) that are assigned immediately to a role, looked up by permission name, and print the role names

for (PermissionEntry permissionEntry : new PermissionFinder()
    .assignPermissionType(edu.internet2.middleware.grouper.permissions.PermissionEntry.PermissionType.role)
    .assignImmediateOnly(true)
    .addPermissionName("a:b")
    .findPermissions()) {
  System.out.println(permissionEntry.getRoleName());
}
The SQL view for permissions is grouper_perms_all_v. Note that rows from this view still need to be processed if allow/disallow is in use, and you should also take into account whether each record is active or not.
Get all attributes assigned to a role, assuming direct assignment (unassignable)

SELECT gpav.attribute_def_name_name
  FROM grouper_perms_all_v gpav
 WHERE gpav.role_name = 'a:b'
   AND gpav.permission_type = 'role'
   AND gpav.role_set_depth = 0
   AND gpav.attr_assign_action_set_depth = 0
   AND gpav.attr_def_name_set_depth = 0
   AND gpav.membership_depth = 0

Get all roles that are assigned a given attribute, assuming direct assignment (unassignable)

SELECT gpav.role_name
  FROM grouper_perms_all_v gpav
 WHERE gpav.attribute_def_name_name = 'a:b'
   AND gpav.permission_type = 'role'
   AND gpav.role_set_depth = 0
   AND gpav.attr_assign_action_set_depth = 0
   AND gpav.attr_def_name_set_depth = 0
   AND gpav.membership_depth = 0
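The note above warns that raw rows from grouper_perms_all_v are not yet effective permissions. The following is an added example, not Grouper's own code, of the post-processing an external application should do on rows it pulled from the view: drop inactive rows, then let a disallow override an allow. It assumes the view exposes "enabled" and "disallowed" columns as 'T'/'F' flags (the other column names appear in the queries above), and it is deliberately stricter than Grouper's own resolver, which also weighs how specific each assignment is.

```python
# Constructed sample rows, shaped like a SELECT over grouper_perms_all_v.
# Column names "enabled" and "disallowed" are assumed; the rest are in the queries above.
SAMPLE_ROWS = [
    {"subject_id": "test.subject.0", "role_name": "a:b", "action": "read",
     "attribute_def_name_name": "a:res1", "enabled": "T", "disallowed": "F"},
    # same subject, but the assignment is outside its enabled/disabled dates
    {"subject_id": "test.subject.0", "role_name": "a:b", "action": "read",
     "attribute_def_name_name": "a:res2", "enabled": "F", "disallowed": "F"},
    # an allow and an active disallow on the same resource: the disallow wins here
    {"subject_id": "test.subject.0", "role_name": "a:b", "action": "read",
     "attribute_def_name_name": "a:res3", "enabled": "T", "disallowed": "F"},
    {"subject_id": "test.subject.0", "role_name": "a:b", "action": "read",
     "attribute_def_name_name": "a:res3", "enabled": "T", "disallowed": "T"},
    # a subject with only a disallow row never gets the permission
    {"subject_id": "test.subject.1", "role_name": "a:b", "action": "read",
     "attribute_def_name_name": "a:res3", "enabled": "T", "disallowed": "T"},
]


def effective_permissions(rows):
    """Return the set of (subject_id, action, resource) that are actually allowed.

    Fail-closed simplification: a row only counts while enabled == 'T', and any
    active disallow for the same subject/action/resource beats every allow.
    Grouper's own resolver additionally compares how specific each assignment is
    (the *_depth columns), so use PermissionFinder for the authoritative answer.
    """
    allows, disallows = set(), set()
    for row in rows:
        if row["enabled"] != "T":
            continue  # inactive record: disabled or outside its enabled/disabled dates
        key = (row["subject_id"], row["action"], row["attribute_def_name_name"])
        (disallows if row["disallowed"] == "T" else allows).add(key)
    return allows - disallows


def has_permission(rows, subject_id, action, resource):
    """True only if the subject ends up with an active, non-overridden allow."""
    return (subject_id, action, resource) in effective_permissions(rows)


if __name__ == "__main__":
    for entry in sorted(effective_permissions(SAMPLE_ROWS)):
        print(entry)  # prints only ('test.subject.0', 'read', 'a:res1')
```

Because this resolver denies whenever any disallow is present, it can refuse a permission that Grouper itself would grant through a more specific allow; treat it as a conservative filter, not a replacement for the API.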