When a group is created under folder a:b and its full name matches the SQL LIKE pattern a:b:%someGroup, grant the group a:security:admins the READ and UPDATE privileges on the newly created group. Note that % is an SQL LIKE wildcard and also matches the ":" folder separator, so with folder scope SUB the pattern matches groups created in nested subfolders as well (the GSH session below shows stem2:whatever:groupBsomeGroup matching stem2:%someGroup while stem2:b does not).
Attach this rule to the folder under which the groups will be created; with scope SUB it also covers groups created in that folder's subfolders, with scope ONE only groups created directly in the folder.
//add a rule on stem2 saying if you create a group underneath, then assign a reader and updater group AttributeAssign attributeAssign = stem2 .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign(); AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate(); attributeValueDelegate.assignValue( RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa"); attributeValueDelegate.assignValue( RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem"); attributeValueDelegate.assignValue( RuleUtils.ruleCheckTypeName(), RuleCheckType.groupCreate.name()); //can be SUB or ONE for if in this folder, or in this and all subfolders attributeValueDelegate.assignValue( RuleUtils.ruleCheckStemScopeName(), Stem.Scope.SUB.name()); attributeValueDelegate.assignValue( RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.nameMatchesSqlLikeString.name()); attributeValueDelegate.assignValue( RuleUtils.ruleIfConditionEnumArg0Name(), "a:b:%someGroup"); attributeValueDelegate.assignValue( RuleUtils.ruleThenEnumName(), RuleThenEnum.assignGroupPrivilegeToGroupId.name()); //this is the subject string for the subject to assign to //e.g. sourceId :::::: subjectIdentifier //or sourceId :::: subjectId //or :::: subjectId //or sourceId ::::::: subjectIdOrIdentifier //etc attributeValueDelegate.assignValue( RuleUtils.ruleThenEnumArg0Name(), "g:gsa :::::: stem1:admins"); //privileges to assign: read, admin, update, view, optin, optout attributeValueDelegate.assignValue( RuleUtils.ruleThenEnumArg1Name(), "read, update"); //should be valid String isValidString = attributeValueDelegate.retrieveValueString( RuleUtils.ruleValidName()); if (!StringUtils.equals("T", isValidString)) { throw new RuntimeException(isValidString); } |
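// Same rule via the RuleApi convenience method. The action runs as the root subject; groupA
// (stem1:admins) is granted READ and UPDATE on every group created under stem2 — including its
// subfolders (Stem.Scope.SUB) — whose full name matches the SQL LIKE pattern. The pattern must
// start with the folder the rule is attached to: a group under stem2 is always named "stem2:...",
// so "a:b:%someGroup" would never match and the rule would silently never fire.
// Stem.Scope is used (not a bare Scope) to match the attribute-based example and the GSH session.
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), stem2, Stem.Scope.SUB,
    groupA.toSubject(), Privilege.getInstances("read, update"), "stem2:%someGroup");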
gsh 0% grouperSession = GrouperSession.startRootSession(); edu.internet2.middleware.grouper.GrouperSession: 847e80d5c2d94803b02da4ed3c131475,'GrouperSystem','application'
gsh 1% stem2 = new edu.internet2.middleware.grouper.StemSave(grouperSession).assignName("stem2").assignCreateParentStemsIfNotExist(true).save(); stem: name='stem2' displayName='stem2' uuid='7a6ce531c0654141abdebba87d4f7461'
gsh 2% groupA = new GroupSave(grouperSession).assignName("stem1:admins").assignCreateParentStemsIfNotExist(true).save(); group: name='stem1:admins' displayName='stem1:admins' uuid='2d1aee72df264626831cd4bf166f7342'
gsh 4% addMember("stem1:admins", "test.subject.0"); true
gsh 5% subjectActAs = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true); subject: id='GrouperSystem' type='application' source='g:isa' name='GrouperSysAdmin'
gsh 6% RuleApi.inheritGroupPrivileges(subjectActAs, stem2, Stem.Scope.SUB, groupA.toSubject(), Privilege.getInstances("read, update"), "stem2:%someGroup");
gsh 7% groupB = new GroupSave(grouperSession).assignName("stem2:b").assignCreateParentStemsIfNotExist(true).save(); group: name='stem2:b' displayName='stem2:b' uuid='ab4d6d959e51439d8b5a583659c18760'
gsh 8% hasPriv("stem2:b", "test.subject.0", Privilege.getInstance("update")) false
gsh 9% hasPriv("stem2:b", "test.subject.0", Privilege.getInstance("read")) false
gsh 10% groupB2 = new GroupSave(grouperSession).assignName("stem2:whatever:groupBsomeGroup").assignCreateParentStemsIfNotExist(true).save(); group: name='stem2:whatever:groupBsomeGroup' displayName='stem2:whatever:groupBsomeGroup' uuid='d309509da52e4ed2bbca8383246fe3c4'
gsh 11% hasPriv("stem2:whatever:groupBsomeGroup", "test.subject.0", Privilege.getInstance("update")) true
gsh 12% hasPriv("stem2:whatever:groupBsomeGroup", "test.subject.0", Privilege.getInstance("read")) true
gsh 15% groupC = new GroupSave(grouperSession).assignName("stem2:sub:c").assignCreateParentStemsIfNotExist(true).save(); group: name='stem2:sub:c' displayName='stem2:sub:c' uuid='d52f784d88284b4b90e0931ad8581ebc'
gsh 16% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update")) true
gsh 17% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("read")) true
Run the GSH commands above first, then continue with the session below (the step numbers carry on from the previous transcript).
gsh 18% revokePriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update")) false
gsh 19% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES); loader ran successfully: Ran rules daemon, changed 0 records
gsh 20% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update")) false
gsh 18% revokePriv("stem2:whatever:groupBsomeGroup", "test.subject.0", Privilege.getInstance("update")) false
gsh 19% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES); loader ran successfully: Ran rules daemon, changed 0 records
gsh 20% hasPriv("stem2:whatever:groupBsomeGroup", "test.subject.0", Privilege.getInstance("update")) true
safd