Skip to Content.
Sympa Menu

grouper-dev - assign permissions web service

Subject: Grouper Developers Forum

List archive

assign permissions web service

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Grouper Dev <>
  • Subject: assign permissions web service
  • Date: Mon, 19 Apr 2010 19:37:59 -0400
  • Accept-language: en-US
  • Acceptlanguage: en-US

I finished the assign permissions web service.  This is for Grouper’s permission management capability where it can store central permissions/privileges for applications.









Assign or remove permissions.  These permissions can be on roles or subjects (in the context of a role).

You can lookup permissions to assign by attribute definition name, or attribute definition id

All assignments will be filtered for security based on the logged in or acted as user (security rules (on groups or any memberships) are on attribute framework wiki). Generally you need ATTR_UPDATE on the attributeDef of the permission, and UPDATE on the Role (group).

The returned data will include the attribute assignments and a normalized list of references (owner objects e.g. group/etc, attribute definitions, attribute names, etc), if things changed or were already assigned, etc

You can assign multiple permissions to multiple owners, actions, etc (non-lite)

permissionType is a required field (from enum PermissionType), must be: role or role_subject (for permissions assigned to a subject in the context of a role)

permissionAssignOperation is required and is the operation to perform for attribute on owners, from enum PermissionAssignOperation: assign_permission, remove_permission.  In this case, assigning a permission will not assign if already there (but you can edit its metadata e.g. .


  • Can pass owners, actions, etc.  If multiples are passed, then each permission def name (attributeDefName) will be assigned for each action on each owner.
  • Lookup owner or other objects by object lookup (by id, name, etc)
  • Returns role (group) / subject information, can be detailed or not
  • Can actAs another user

Assign permissions lite service

  • Accepts one role, or one subject/role pair, one action, one permission def name to assign
  • Documentation: SOAP (click on assignPermissionsLite), REST (click on assignPermissionsLite)
  • For REST, the request can put data in query string (in URL or request body)
  • REST request (colon is escaped to %3A):
    • PUT /grouper-ws/servicesRest/v1_6_000/assignPermissions
    • Note: if passing data in request body e.g. actAs, use a POST
  • (see documentation above for details): Request object, response object
  • Response codes
  • Samples (all files with "Lite" in them, click on "download" to see file)

Get permission assignments service

  • Accepts multiple roles or subject/role pairs, permission definitions, actions, etc to assign
  • Documentation: SOAP (click on assignPermissions), REST (click on assignPermissions)
  • REST request (colon is escaped to %3A):
    • POST /grouper-ws/servicesRest/v1_6_000/assignPermissions
  • (see documentation above for details): Request object, response object
  • Response codes overall
  • Returns an overall status
  • Samples (all files without "Lite" in them, click on "download" to see files)


Grouper client (command line) API:


  java -jar grouperClient.jar --operation=assignPermissionsWs --permissionType=role|role_subject --permissionAssignOperation=assign_permission|remove_permission [--permissionDefNameNames=a:b,b:c] [-permissionDefNameUuids=1a,2b] [--roleNames=a:b:c,a:b:d] [--roleUuids=1234,abcd] [--subjectRole0SubjectId=12] [--subjectRole0SubjectIdentifier=ab] [--subjectRole0SourceId=xyz] [--subjectRole0RoleName=3c] [--subjectRole0RoleUuid=1a] [--attributeAssignUuids=a:b,b:c] [--actions=read,write] [--assignmentDisabledTime=2010/03/05_17:05:13.123] [--assignmentEnabledTime=2010/03/05_17:05:13.123] [--assignmentNotes=someNotes] [--delegatable=TRUE|FALSE|GRANT] [--includeGroupDetail=true|false] [--includeSubjectDetail=true|false] [--subjectAttributeNames=name0,name1] [--actAsSubjectId=subjId] [--actAsSubjectIdentifier=subjIdent] [--actAsSubjectSource=source] [--saveResultsToFile=fileName] [--outputTemplate=somePattern] [--paramName0=name0] [--paramValue0=value1] [--paramNameX=xthParamName] [--paramValueX=xthParamValue] [--debug=true] [--clientVersion=someVersion]

  e.g.: java -jar grouperClient.jar --operation=assignPermissionsWs --permissionType=role --permissionAssignOperation=assign_permission --permissionDefNameNames=test:testAttributeAssignDefNameDef --roleNames=a:b:c

  output line: Index: 0: permissionType: role, owner: a:b:c, permissionDefNameName: test:testAttributeAssignDefName, action: assign, enabled: T, attributeAssignId: a9c83eeb78c04ae5befcea36272d318c, changed: T

  • assign permissions web service, Chris Hyzer, 04/19/2010

Archive powered by MHonArc 2.6.16.

Top of Page