Grouper rules

If a user is not an employee, do not allow them to be added to an application group

You should consider using membership requirements instead of this. 

Add this rule to the group where the membership is being added.

Configure rule for v5+


Configure rule for v4 and previous

Java example

    //add a rule on stem:a saying if not in stem:b, then don't allow add to stem:a
    AttributeAssign attributeAssign = ruleGroup
      .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();

    AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();

    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckOwnerNameName(), "stem:a");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckTypeName(), RuleCheckType.membershipAdd.name());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.groupHasNoImmediateEnabledMembership.name());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleIfOwnerNameName(), "stem:b");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumName(), RuleThenEnum.veto.name());

    //key which would be used in UI messages file if applicable
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumArg0Name(), "rule.entity.must.be.a.member.of.stem.b");

    //error message (if key in UI messages file not there)
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumArg1Name(), "Entity cannot be a member of stem:a if not a member of stem:b");

    //should be valid
    String isValidString = attributeValueDelegate.retrieveValueString(
        RuleUtils.ruleValidName());

    if (!StringUtils.equals("T", isValidString)) {
      throw new RuntimeException(isValidString);
    }

GSH shorthand method

    RuleApi.vetoMembershipIfNotInGroup(actAsSubject, ruleGroup, mustBeInGroup,
        "rule.entity.must.be.a.member.of.stem.b", "Entity cannot be a member of stem:a if not a member of stem:b");

GSH test case

gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 9df8fdf1c6dd4629b6c9dacd7e0f6f4a,'GrouperSystem','application'
gsh 1% groupA = new GroupSave(grouperSession).assignName("stem:a").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:a' displayName='stem:a' uuid='de3c5d56d14840ee9c9bded29f7f86b5'
gsh 2% groupB = new GroupSave(grouperSession).assignName("stem:b").assignCreateParentStemsIfNotExist(true).save();
group: name='stem:b' displayName='stem:b' uuid='fc1a3465730a4f0e86d6b0c74dcd8fcb'
gsh 3% subjectActAs = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true);
subject: id='GrouperSystem' type='application' source='g:isa' name='GrouperSysAdmin'
gsh 8% RuleApi.vetoMembershipIfNotInGroup(subjectActAs, groupA, groupB, "rule.entity.must.be.a.member.of.stem.b", "Entity cannot be a member of stem:a if not a member of stem:b");
gsh 9% addMember("stem:b", "test.subject.1");
true
gsh 10% addMember("stem:a", "test.subject.1");
true
gsh 11% addMember("stem:a", "test.subject.0");
// Error: unable to evaluate command: Sourced file: inline evaluation of: ``addMember("stem:a", "test.subject.0");'' : Error invoking compiled command: : Error in compiled command: edu.internet2.middleware.grouper.rules.RuleVeto: rule.entity.must.be.a.member.of.stem.b: Entity cannot be a member of stem:a if not a member of stem:b,
, group name: stem:a, subject: Subject id: test.subject.0, sourceId: jdbc, field: members
gsh 12% hasMember("stem:a", "test.subject.0");
false
gsh 13% hasMember("stem:a", "test.subject.1");
true
gsh 14%

GSH daemon test case

Run the above GSH code, then continue below:

gsh 14% delMember("stem:b", "test.subject.1");
true
gsh 15% hasMember("stem:a", "test.subject.1");
true
gsh 16% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES);
loader ran successfully: Ran rules daemon, changed 0 records
gsh 17% hasMember("stem:a", "test.subject.1");
false
gsh 18%
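
In the daemon test case, test.subject.1 is still in stem:a after being removed from stem:b, until the rules daemon runs. The following is an added example, not code from this page or from the Grouper project, that lists such members so the gap can be monitored. The class name `VetoRuleDriftAudit` and method `findStaleMembers` are hypothetical; the group names are the ones used above, and it needs the Grouper API on the classpath and a configured Grouper environment.

```java
import java.util.Set;
import java.util.TreeSet;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Member;

/** Hypothetical audit class (added example, not part of Grouper). */
public class VetoRuleDriftAudit {

  /**
   * Returns "sourceId:subjectId" for every immediate member of the restricted
   * group that has no immediate membership in the required group.
   */
  public static Set<String> findStaleMembers(Group restricted, Group required) {
    Set<String> stale = new TreeSet<String>();
    for (Member member : restricted.getImmediateMembers()) {
      // The rule on this page tests for an immediate membership in stem:b,
      // so the audit uses the same test. Checking on the Member avoids
      // resolving the subject, which can fail for unresolvable subjects.
      if (!member.isImmediateMember(required)) {
        stale.add(member.getSubjectSourceId() + ":" + member.getSubjectId());
      }
    }
    return stale;
  }

  public static void main(String[] args) {
    int exitCode = 0;
    GrouperSession grouperSession = GrouperSession.startRootSession();
    try {
      Group groupA = GroupFinder.findByName(grouperSession, "stem:a", true);
      Group groupB = GroupFinder.findByName(grouperSession, "stem:b", true);
      Set<String> stale = findStaleMembers(groupA, groupB);
      for (String entry : stale) {
        System.out.println("in stem:a but not in stem:b: " + entry);
      }
      // Non-zero exit lets a scheduler or monitoring job alert on drift.
      exitCode = stale.isEmpty() ? 0 : 1;
    } finally {
      GrouperSession.stopQuietly(grouperSession);
    }
    System.exit(exitCode);
  }
}
```

Run between gsh 15% and gsh 16% of the daemon test case, it would report test.subject.1; after the daemon run it would report nothing.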
