grouper-dev - Grouper / rice workflow provisioning roles / permissions
- From: Chris Hyzer <>
- To: Grouper Dev <>
- Subject: Grouper / rice workflow provisioning roles / permissions
- Date: Tue, 25 May 2010 23:56:40 -0400
- Accept-language: en-US
Hey,

Here is a fleshed out example of one of the items I presented at the Internet2 spring member meeting. This is an eform where the user selects a requested role and permissions (and could request groups too), and metadata (delete dates, etc), and the workflow progresses, and at the end the roles and permissions will be assigned. BTW this concludes the work of Kuali Rice integration for Grouper 1.6.

This is an example of a Kuali edoclite that will auto-provision the requestor into the requested role/permissions at the end of the workflow. Note in Rice you will have approvals etc before the end; this example just shows the provisioning, so there is only one approval. Note, this is the default template; you will customize this for your institution.

Screenshot of HTML

[screenshot of the rendered form: image not included in the archive]

HTML to start with

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Provision permissions with workflow</title>
<style type="text/css">
html, body, td {
font-family:Tahoma,Arial,Helvetica,sans-serif;
font-size:11px;
}
h1 {
font-size:22px;
line-height:22px;
}
h2 {
border-bottom:1px solid #6699CC;
color:#990000;
font-size:16px;
font-weight:bold;
line-height:20px;
width:650px;
}
.formTable td {
padding:2px 0;
}
.formTable td.fieldLabel {
color:#011F5B;
text-align:right;
vertical-align:top;
width:238px;
font-weight:bold;
}
.formTable td.fieldAsterisk {
color:#990000;
text-align:left;
width:12px;
vertical-align:top;
}
.formTable td.fieldInfo {
text-align:left;
width:auto;
}
.extraInstruct {
color:#6E83AD;
font-weight:bold;
}
p {
width: 650px;
}
</style>
</head>
<body>
<h1>Example provision permissions with workflow</h1>
<br /><br />
<table border="0" cellspacing="0" cellpadding="0"
class="formTable" width="640">
<tr>
<td class="fieldLabel">Role</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="roleTdId">
<select>
<option value="some:role:user">User</option>
<option value="some:role:admin">Admin</option>
</select>
</td>
</tr>
<tr>
<td class="fieldLabel">Operation</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="operationTdId">
<select>
<option value="add">Add</option>
<option value="replace">Replace</option>
<option value="remove">Remove</option>
</select>
</td>
</tr>
<tr>
<td class="fieldLabel">Action(s)</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="actionTdId">
<input type="checkbox" name="actionName0" value="read" />Read<br />
<input type="checkbox" name="actionName1" value="write" />Write<br />
</td>
</tr>
<tr>
<td class="fieldLabel">Permission(s)</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="permissionTdId">
<input type="checkbox" name="permissionName0" value="english" />English<br />
<input type="checkbox" name="permissionName1" value="physics" />Physics<br />
</td>
</tr>
<tr>
<td class="fieldLabel">Enabled date</td>
<td valign="top" class="fieldAsterisk"></td>
<td class="fieldInfo" id="enabledDateTdId">
<input type="text" name="enabledDate" width="15" />
<span class="extraInstruct">(e.g. 2001/02/03)</span>
</td>
</tr>
<tr>
<td class="fieldLabel">Disabled date</td>
<td valign="top" class="fieldAsterisk"></td>
<td class="fieldInfo" id="disabledDateTdId">
<input type="text" name="disabledDate" width="15" />
<span class="extraInstruct">(e.g. 2001/02/03)</span>
</td>
</tr>
<tr>
<td class="fieldLabel">Ability to delegate</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="delegationTdId">
<input type="radio" name="delegate0" value="FALSE">No
<input type="radio" name="delegate1" value="TRUE">Yes
<input type="radio" name="delegate2" value="GRANT">Yes, and can grant ability to delegate
</td>
</tr>
</table>
<br /><br />
</body>
</html>

Groups

If you aren't using grouper for groups in Rice, then ingest this xml in Rice. Otherwise, create this group in our rice base folder in Grouper.

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
<groups xmlns="ns:workflow/Group" xsi:schemaLocation="ns:workflow/Group resource:Group">
<group>
<namespace>KUALI</namespace>
<name>samplePermissions</name>
<description>route to group1</description>
<members>
<principalName>user1</principalName>
<principalName>user2</principalName>
</members>
</group>
</groups>
</data>

If your kuali root stem is:, then your GSH might look like this:

gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% permissionsGroup = new GroupSave(grouperSession).assignName("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions").assignGroupNameToEdit("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions").assignCreateParentStemsIfNotExist(true).save();
gsh 2% addMember("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions", "user1");
gsh 3% addMember("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions", "user2");
gsh 4% grantPriv("penn:isc:ait:apps:kualiRice:KUALI:samplePermissions", "riceGrouper/medley.isc-seo.upenn.edu", AccessPrivilege.READ);

Note, you will also have to create the roles / permissions that will be provisioned (from the HTML above), and grant access to the kuali rice grouper web service client user, e.g.

gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% role0 = new GroupSave(grouperSession).assignName("some:role:user").assignGroupNameToEdit("some:role:user").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
gsh 2% role1 = new GroupSave(grouperSession).assignName("some:role:admin").assignGroupNameToEdit("some:role:admin").assignTypeOfGroup(TypeOfGroup.role).assignCreateParentStemsIfNotExist(true).save();
gsh 3% role0.grantPriv(SubjectFinder.findById("riceGrouper/server.school.edu", true), AccessPrivilege.UPDATE);
gsh 4% role0.grantPriv(SubjectFinder.findById("riceGrouper/server.school.edu", true), AccessPrivilege.READ);
gsh 5% role1.grantPriv(SubjectFinder.findById("riceGrouper/server.school.edu", true), AccessPrivilege.UPDATE);
gsh 6% role1.grantPriv(SubjectFinder.findById("riceGrouper/server.school.edu", true), AccessPrivilege.READ);
gsh 7% orgAttributeDef = new AttributeDefSave(grouperSession).assignName("penn:isc:ait:apps:someApp.permissions.orgs").assignAttributeDefType(AttributeDefType.perm).assignToEffMembership(true).assignToGroup(true).save();
gsh 8% orgAttributeDef.getAttributeDefActionDelegate().configureActionList(GrouperUtil.toSet(new Object[]{"read", "write"}));
gsh 9% wsSubject = SubjectFinder.findById("riceGrouper/server.school.edu", true);
gsh 10% orgAttributeDef.getPrivilegeDelegate().grantPriv(wsSubject, AttributeDefPrivilege.ATTR_READ, false);
gsh 11% orgAttributeDef.getPrivilegeDelegate().grantPriv(wsSubject, AttributeDefPrivilege.ATTR_UPDATE, false);
gsh 12% orgAttributeDef.getAttributeDefScopeDelegate().assignOwnerGroup(role0);
gsh 13% orgAttributeDef.getAttributeDefScopeDelegate().assignOwnerGroup(role1);
gsh 14% english = new AttributeDefNameSave(grouperSession, orgAttributeDef).assignName("penn:isc:ait:apps:someApp:permissions:english").assignCreateParentStemsIfNotExist(true).save();
gsh 15% physics = new AttributeDefNameSave(grouperSession, orgAttributeDef).assignName("penn:isc:ait:apps:someApp:permissions:physics").assignCreateParentStemsIfNotExist(true).save();

Rule template

Ingest this to Kuali Rice in the admin console. This allows us to route to a group (not required for provisioning, just giving the workflow one hop).

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
<ruleTemplates xmlns="ns:workflow/RuleTemplate" xsi:schemaLocation="ns:workflow/RuleTemplate resource:RuleTemplate">
<ruleTemplate>
<name>sampleProvisionPermissions.groupRuleTemplate</name>
<description>Rule template for group to route to</description>
</ruleTemplate>
</ruleTemplates>
</data>

Doctype

Ingest this to Kuali Rice in the admin console. This configures the nodes in the workflow and associates them with rules (i.e. at the group node, let anyone in that group know the form is waiting for them, and let any of them approve it). Note the post processor is the grouper rice post processor.

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
<documentTypes xmlns="ns:workflow/DocumentType" xsi:schemaLocation="ns:workflow/DocumentType resource:DocumentType">
<documentType>
<!-- the name must match the edoclite association, the rule's documentType and the docTypeName property below -->
<name>sampleProvisionPermissions.doctype</name>
<description>sampleProvisionPermissions doctype</description>
<label>sampleProvisionPermissions DocumentType</label>
<postProcessorName>edu.internet2.middleware.grouperKimConnector.postProcessor.GrouperEdoclitePostProcessor</postProcessorName>
<superUserGroupName namespace="KUALI">sampleRouteToGroup1</superUserGroupName>
<defaultExceptionGroupName namespace="KUALI">sampleRouteToGroup1</defaultExceptionGroupName>
<docHandler>${workflow.url}/EDocLite</docHandler>
<active>true</active>
<routingVersion>2</routingVersion>
<routePaths>
<routePath>
<start name="Initiated" nextNode="groupNode" />
<requests name="groupNode" />
</routePath>
</routePaths>
<routeNodes>
<start name="Initiated">
<activationType>P</activationType>
<mandatoryRoute>false</mandatoryRoute>
<finalApproval>false</finalApproval>
</start>
<requests name="groupNode">
<activationType>P</activationType>
<ruleTemplate>sampleProvisionPermissions.groupRuleTemplate</ruleTemplate>
<mandatoryRoute>false</mandatoryRoute>
<finalApproval>false</finalApproval>
</requests>
</routeNodes>
</documentType>
</documentTypes>
</data>

eDocLite

Ingest this xml into Kuali Rice, which has the list of fields and HTML including the options which have the groups to add the requestor to.

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
<edoclite xmlns="ns:workflow/EDocLite" xsi:schemaLocation="ns:workflow/EDocLite resource:EDocLite">
<edl name="sampleProvisionPermissions.form" title="sampleProvisionPermissions">
<security />
<createInstructions>** Questions with an asterisk are required.</createInstructions>
<instructions>** Questions with an asterisk are required.</instructions>
<validations />
<attributes />
<fieldDef name="role" title="Role">
<display>
<type>radio</type>
<values title="User">user</values>
<values title="Admin">admin</values>
</display>
<validation required="true">
<regex>[^select]</regex>
<message>Please select a role.</message>
</validation>
</fieldDef>
<fieldDef name="operation" title="Operation">
<display>
<type>radio</type>
<values title="Add">assign_permission</values>
<values title="Replace">replace_permissions</values>
<values title="Remove">remove_permission</values>
</display>
<validation required="true">
<regex>[^select]</regex>
<message>Please select an operation.</message>
</validation>
</fieldDef>
<fieldDef name="actionsFieldDef0" title="Read">
<display>
<type>checkbox</type>
<values title="">read</values>
</display>
</fieldDef>
<fieldDef name="actionsFieldDef1" title="Write">
<display>
<type>checkbox</type>
<values title="">write</values>
</display>
</fieldDef>
<fieldDef name="permissionsFieldDef0" title="English">
<display>
<type>checkbox</type>
<!-- note the post processor prepends enteredPermissionNamePrefix, giving
penn:isc:ait:apps:someApp:permissions:english -->
<values title="">english</values>
</display>
</fieldDef>
<fieldDef name="permissionsFieldDef1" title="Physics">
<display>
<type>checkbox</type>
<!-- note the post processor prepends enteredPermissionNamePrefix, giving
penn:isc:ait:apps:someApp:permissions:physics -->
<values title="">physics</values>
</display>
</fieldDef>
<fieldDef name="enabledDate" title="Enabled date">
<display>
<type>text</type>
<meta>
<name>size</name>
<value>20</value>
</meta>
</display>
</fieldDef>
<fieldDef name="disabledDate" title="Disabled date">
<display>
<type>text</type>
<meta>
<name>size</name>
<value>20</value>
</meta>
</display>
</fieldDef>
<fieldDef name="delegation" title="Ability to delegate">
<display>
<type>radio</type>
<values title="No">FALSE</values>
<values title="Yes">TRUE</values>
<values title="Yes, and can grant ability to delegate">GRANT</values>
</display>
<validation required="true">
<regex>[^select]</regex>
<message>Please select a delegation option.</message>
</validation>
</fieldDef>
</edl>
<style name="sampleProvisionPermissions.style">
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:my-class="xalan://org.kuali.rice.kew.edl.WorkflowFunctions"
version="1.0">
<!-- widgets is simply more xslt that contains common functionality that
greatly simplifies html rendering. It is somewhat complicated but does not
require changes or full understanding unless enhancements are required.
-->
<xsl:include href="widgets" />
<xsl:output indent="yes" method="html"
omit-xml-declaration="yes" version="4.01" />
<!-- variables in the current version of xslt cannot be changed once set.
Below they are set to various values often fed by java classes or to values
contained in workflow xml. Not all of these are used in this form but are shown
because often they can be useful. The ones prefixed with my-class are methods
that are exposed by workflow to Edoclite.-->
<xsl:variable name="actionable" select="/documentContent/documentState/actionable" />
<xsl:variable name="docHeaderId" select="/documentContent/documentState/docId" />
<xsl:variable name="editable" select="/documentContent/documentState/editable" />
<xsl:variable name="globalReadOnly" select="/documentContent/documentState/editable != 'true'" />
<xsl:variable name="docStatus" select="//documentState/workflowDocumentState/status" />
<xsl:variable name="isAtNodeInitiated" select="my-class:isAtNode($docHeaderId, 'Initiated')" />
<xsl:variable name="isPastInitiated" select="my-class:isNodeInPreviousNodeList('Initiated', $docHeaderId)" />
<xsl:variable name="isUserInitiator" select="my-class:isUserInitiator($docHeaderId)" />
<xsl:variable name="workflowUser" select="my-class:getWorkflowUser().authenticationUserId().id()" />
<xsl:param name="overrideMain" select="'true'" />
<!-- mainForm begins here. Execution of stylesheet begins here. It calls
other templates which can call other templates. Position of templates beyond this
point do not matter. -->
<xsl:template name="mainForm">
<html xmlns="">
<head>
<script type="text/javascript" src="../penn/jquery.js" />
<script type="text/javascript">
$(document).ready(function(){
$('#edoclite').submit(function() {
//make sure there is at least one permission checkbox checked
if ($('#permissionTdId :checked').length == 0) {
alert('Please select a permission to assign');
return false;
}
//make sure there is at least one action checkbox checked
if ($('#actionTdId :checked').length == 0) {
alert('Please select an action to assign');
return false;
}
return true;
});
});
</script>
<xsl:call-template name="htmlHead" />
<style type="text/css">
html, body, td {
font-family:Tahoma,Arial,Helvetica,sans-serif;
font-size:11px;
}
h1 {
font-size:22px;
line-height:22px;
}
h2 {
border-bottom:1px solid #6699CC;
color:#990000;
font-size:16px;
font-weight:bold;
line-height:20px;
width:650px;
}
.formTable td {
padding:2px 0; }
.formTable td.fieldLabel {
color:#011F5B;
text-align:right;
vertical-align:top;
width:238px;
font-weight:bold;
}
.formTable td.fieldAsterisk {
color:#990000;
text-align:left;
width:12px;
vertical-align:top;
}
.formTable td.fieldInfo {
text-align:left;
width:auto;
}
.extraInstruct {
color:#6E83AD;
font-weight:bold;
}
p {
width: 650px;
}
div.mainDiv {
width: 900px;
}
</style>
</head>
<body>
<xsl:call-template name="errors" />
<!-- the header is useful because it tells the user whether they are in
'Editing' mode or 'Read Only' mode. -->
<xsl:call-template name="header" />
<xsl:call-template name="instructions" />
<xsl:variable name="formTarget" select="'EDocLite'" />
<!-- validateOnSubmit is a function in edoclite1.js which also supports
edoclite forms and can be somewhat complicated but does not require
modification unless enhancements are required. -->
<form action="{$formTarget}" enctype="multipart/form-data" id="edoclite" method="post" onsubmit="return validateOnSubmit(this)">
<xsl:call-template name="hidden-params" />
<xsl:call-template name="mainBody" />
<xsl:call-template name="notes" />
<br />
<xsl:call-template name="buttons" />
<br />
</form>
<xsl:call-template name="footer" />
</body>
</html>
</xsl:template>
<!-- mainBody template begins here. It calls other templates which can call
other templates. Position of templates do not matter. -->
<xsl:template name="mainBody">
<!-- to debug, or to see the values of a previously created document, uncomment the
following line so that the value of $docStatus is rendered on the form. -->
<!-- $docStatus=<xsl:value-of select="$docStatus" /> -->
<!-- rest of this all is within the form table -->
<h1>Example provision permissions with workflow</h1>
<br /><br />
<table border="0" cellspacing="0" cellpadding="0"
class="formTable" width="640">
<tr>
<td class="fieldLabel">Role</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="roleTdId">
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'role'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template>
</td>
</tr>
<tr>
<td class="fieldLabel">Operation</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="operationTdId">
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'operation'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template>
</td>
</tr>
<tr>
<td class="fieldLabel">Action(s)</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="actionTdId">
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'actionsFieldDef0'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template> Read<br />
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'actionsFieldDef1'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template> Write
</td>
</tr>
<tr>
<td class="fieldLabel">Permission(s)</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="permissionTdId">
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'permissionsFieldDef0'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template> English<br />
<!-- the second checkbox renders permissionsFieldDef1 (Physics), not permissionsFieldDef0 again -->
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'permissionsFieldDef1'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template> Physics<br />
</td>
</tr>
<tr>
<td class="fieldLabel">Enabled date</td>
<td valign="top" class="fieldAsterisk"></td>
<td class="fieldInfo">
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'enabledDate'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template> <xsl:call-template name="nbsp" />
<span class="extraInstruct">(e.g. 2001/02/03)</span>
</td>
</tr>
<tr>
<td class="fieldLabel">Disabled date</td>
<td valign="top" class="fieldAsterisk"></td>
<td class="fieldInfo">
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'disabledDate'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template> <xsl:call-template name="nbsp" />
<span class="extraInstruct">(e.g. 2001/02/03)</span>
</td>
</tr>
<tr>
<td class="fieldLabel">Ability to delegate</td>
<td valign="top" class="fieldAsterisk">*</td>
<td class="fieldInfo" id="delegationTdId">
<xsl:call-template name="widget_render">
<xsl:with-param name="fieldName" select="'delegation'" />
<xsl:with-param name="renderCmd" select="'input'" />
<xsl:with-param name="readOnly" select="$isPastInitiated" />
</xsl:call-template>
</td>
</tr>
</table>
<br /><br />
</xsl:template>
<xsl:template name="nbsp">
<xsl:text disable-output-escaping="yes">&nbsp;</xsl:text>
</xsl:template>
</xsl:stylesheet>
</style>
<association>
<docType>sampleProvisionPermissions.doctype</docType>
<definition>sampleProvisionPermissions.form</definition>
<style>sampleProvisionPermissions.style</style>
<active>true</active>
</association>
</edoclite>
</data>

Rule

Ingest this rule in Kuali Rice so that this group is notified and allowed to approve the request at this node in the workflow.

<?xml version="1.0" encoding="UTF-8"?>
<data xmlns="ns:workflow" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="ns:workflow resource:WorkflowData">
<rules xmlns="ns:workflow/Rule" xsi:schemaLocation="ns:workflow/Rule resource:Rule">
<rule>
<name>sampleProvisionPermissions.groupRule</name>
<documentType>sampleProvisionPermissions.doctype</documentType>
<ruleTemplate>sampleProvisionPermissions.groupRuleTemplate</ruleTemplate>
<description>Route to group</description>
<responsibilities>
<responsibility>
<groupName namespace="KUALI">samplePermissions</groupName>
<actionRequested>A</actionRequested>
<priority>1</priority>
</responsibility>
</responsibilities>
</rule>
</rules>
</data>

Grouper client properties

Configure the grouper client properties in Kuali Rice, which tells the post processor that the document type above is linked to auto-provision fields with a certain prefix:

###############################
# configure postprocessor actions on document types. The string "sampleProvisionPermissions" ties the configs
# together, change that label for multiple

###### MISC

# email addresses (comma separated) that should get an admin email that this was done (or errors)
kuali.edoclite.saveMembership.sampleProvisionPermissions.emailAdmins =

# doctype name that this applies to
kuali.edoclite.saveMembership.sampleProvisionPermissions.docTypeName = sampleProvisionPermissions.doctype

###### GROUPS

# regex of group allowed to assign to, extra layer of security, optional (one name segment directly under some:role:)
kuali.edoclite.saveMembership.sampleProvisionPermissions.groupRegex = ^some:role:[^:]+$

# list of allowed to assign to (comma separated), extra layer of security, optional,
# generally mutually exclusive with the groupRegex
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedGroups =

# edocliteFieldPrefix if checkboxes or textfields or whatever, put the prefix of the edoclite field here.
# so if the field prefix is "groups", then it will look for groups0, groups1, etc to groups200...
# the value of the field is the group to add to
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefix =

# this will be prefixed to the entered group name so the whole stem doesn't
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredGroupNamePrefix =

# groups (comma separated) id or name which the initiator will be assigned to when the document is final
kuali.edoclite.saveMembership.sampleProvisionPermissions.addMembershipToGroups =

# groups (comma separated) id or name which the initiator will be unassigned from when the document is final
kuali.edoclite.saveMembership.sampleProvisionPermissions.removeMembershipFromGroups =

# delete date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldGroupDisabledDate = disabledDate

# enable date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldGroupEnabledDate = enabledDate

###### PERMISSIONS ROLES

# role to assign permissions to or null if not doing permissions (mutually exclusive with edocliteFieldRoleForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.roleForPermissions =

# role to assign permissions to (read from edoclite) or empty if not doing permissions (mutually exclusive with roleForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldRoleForPermissions = role

# this will be prefixed to the entered role name so the whole stem doesn't
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredRoleNamePrefix = some:role:

# allowed roles (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedRolesForPermissions = some:role:user, some:role:admin

###### PERMISSIONS OPERATIONS

# operation of assign|remove permissions (mutually exclusive with edocliteFieldOperationForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.operationForPermissions =

# operation to assign|remove permissions (read from edoclite) or empty if not doing permissions (mutually exclusive with operationForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldOperationForPermissions = operation

# allowed operations (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedOperationsForPermissions = assign_permission, remove_permission, replace_permissions

###### ACTIONS

# actions to assign permissions to or null if not doing permissions (mutually exclusive with edocliteFieldPrefixActionsForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.actionsForPermissions =

# actions to assign permissions to (read from edoclite) or empty if not doing permissions (mutually exclusive with actionsForPermissions)
# this is the prefix, appending 0,1,2 etc on the end. so the fields would be someEdocliteFieldName0, someEdocliteFieldName1, etc
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefixActionsForPermissions = actionsFieldDef

# allowed actions (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedActionsForPermissions = read, write

###### PERMISSIONS

# permissions to assign or null if not doing permissions (mutually exclusive with edocliteFieldPrefixForPermissions)
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissions =

# permissions to assign (read from edoclite) or empty if not doing permissions (mutually exclusive with permissions)
# this is the prefix, appending 0,1,2 etc on the end. so the fields would be someEdocliteFieldName0, someEdocliteFieldName1, etc
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefixForPermissions = permissionsFieldDef

# allowed permissions (e.g. from edoclite form) or empty if not validating
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedPermissions =

# regex of permissions allowed to assign, extra layer of security, optional
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissionsRegex = ^penn:isc:ait:apps:someApp:permissions:.*$

# this will be prefixed to the entered permission name so the whole stem doesn't
# have to be put on screen (also helps sandbox out the security)
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredPermissionNamePrefix = penn:isc:ait:apps:someApp:permissions:

# delete date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionDisabledDate = disabledDate

# enable date: yyyy/mm/dd or dd-Mon-yyyy
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionEnabledDate = enabledDate

# field name which has blank or FALSE, TRUE, or GRANT for if the user can delegate the permissions to others
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionsDelegatable = delegation

# blank or FALSE, TRUE, or GRANT for if the user can delegate the permissions to others
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissionsDelegatable =
##################################################

Result

After the form is submitted and approved (whatever the approval workflow is), then whatever checkboxes are checked, those roles/permissions will be (un)assigned to the requestor:

gsh 0% grouperSession = GrouperSession.startRootSession();
gsh 1% orgAttributeDef = AttributeDefFinder.findByName("penn:isc:ait:apps:someApp.permissions.orgs", true);
gsh 2% userRole = GroupFinder.findByName(grouperSession, "some:role:user", true);
gsh 3% subject = SubjectFinder.findByIdentifier("mchyzer", true);
gsh 4% member = MemberFinder.findBySubject(grouperSession, subject, true);
gsh 5% GrouperDAOFactory.getFactory().getPermissionEntry().findPermissions(GrouperUtil.toSetObject(orgAttributeDef.getId()), null, GrouperUtil.toSetObject(userRole.getId()), null, true, GrouperUtil.toSetObject(member.getUuid()));
edu.internet2.middleware.grouper.permissions.PermissionEntry: PermissionEntry[roleName=some:role:user,attributeDefNameName=penn:isc:ait:apps:someApp:permissions:english,action=write,sourceId=pennperson,subjectId=10021368,imm_mem=true,imm_perm=true,mem_depth=0,role_depth=-1,action_depth=0,attrDef_depth=0,perm_type=role_subject]
gsh 6%

Also, if there is an email address in the "emailAdmins" config, then an email like this will be sent as a confirmation to the admins of the form:

-----Original Message-----
From: [mailto:]
Sent: Tuesday, May 25, 2010 11:10 PM
To: Chris Hyzer
Subject: DEV:Grouper Rice auto-provision for document: sampleProvisionPermissions.doctype

Subject: id: 10021368, name: Michael Christopher Hyzer
name: Michael Christopher Hyzer
description: Michael Christopher Hyzer (mchyzer, 10021368) (active) Staff - Isc Administrative Systems Tools And Technologies - Programmer Analyst Sr (also: Alumni)
PENNNAME: mchyzer
EMAIL:

Group addMember: some:role:user - SUCCESS_ALREADY_EXISTED, disabledDate: 2011-02-03 00:00:00.000
Operation: replace_permissions, overall result: SUCCESS
Permission: penn:isc:ait:apps:someApp:permissions:english, action: read, changed: T, deleted: T, disabled: 2011/02/03 00:00:00.000, delegatable: TRUE
Permission: penn:isc:ait:apps:someApp:permissions:english, action: write, changed: F, deleted: F, disabled: 2011/02/03 00:00:00.000, delegatable: TRUE
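As an added example (Python written for this page, not the grouperKimConnector post processor's own code), here are the allow-list, prefix and regex checks the properties above describe, applied to a submission shaped like the result email. Property keys, field names and values are taken from the page; the properties text and the sample form are constructed to match it, and the order of checks is an assumption.

```python
import re
from datetime import datetime

# Constructed: the permission-related subset of the grouper client properties above (same keys and values).
PROPS_TEXT = """
kuali.edoclite.saveMembership.sampleProvisionPermissions.docTypeName = sampleProvisionPermissions.doctype
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldRoleForPermissions = role
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredRoleNamePrefix = some:role:
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedRolesForPermissions = some:role:user, some:role:admin
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldOperationForPermissions = operation
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedOperationsForPermissions = assign_permission, remove_permission, replace_permissions
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefixActionsForPermissions = actionsFieldDef
kuali.edoclite.saveMembership.sampleProvisionPermissions.allowedActionsForPermissions = read, write
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPrefixForPermissions = permissionsFieldDef
kuali.edoclite.saveMembership.sampleProvisionPermissions.permissionsRegex = ^penn:isc:ait:apps:someApp:permissions:.*$
kuali.edoclite.saveMembership.sampleProvisionPermissions.enteredPermissionNamePrefix = penn:isc:ait:apps:someApp:permissions:
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionDisabledDate = disabledDate
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionEnabledDate = enabledDate
kuali.edoclite.saveMembership.sampleProvisionPermissions.edocliteFieldPermissionsDelegatable = delegation
"""
KEY_PREFIX = "kuali.edoclite.saveMembership.sampleProvisionPermissions."

def load_props(text):
    """Parse java-properties style lines, keeping only keys under KEY_PREFIX (the config label)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().startswith(KEY_PREFIX):
                props[key.strip()[len(KEY_PREFIX):]] = value.strip()
    return props

def csv(value):
    """Comma separated allow list as the properties use it; blank or missing -> [] (no validation)."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def parse_date(text):
    """Formats the properties document: yyyy/mm/dd or dd-Mon-yyyy; blank -> None (no date)."""
    if not text.strip():
        return None
    for fmt in ("%Y/%m/%d", "%d-%b-%Y"):
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            pass
    raise ValueError("unparseable date: " + text)

def indexed_values(form, field_prefix):
    """Checkbox fields arrive as prefix0, prefix1, ... up to prefix200 (as the page says)."""
    return [form[f"{field_prefix}{i}"] for i in range(201) if form.get(f"{field_prefix}{i}")]

def check_allowed(kind, values, allowed, regex=None):
    """Reject a value outside the allow list (when set) or not matching the regex (when set)."""
    for v in values:
        if allowed and v not in allowed:
            raise PermissionError(f"{kind} not allowed: {v}")
        if regex and not re.match(regex, v):
            raise PermissionError(f"{kind} fails regex: {v}")

def plan_provisioning(props, form):
    """Return what the post processor would (un)assign for this submission, or raise."""
    # a fixed *ForPermissions property wins over the edoclite field (the page calls them mutually exclusive)
    role = props.get("roleForPermissions") or \
        props["enteredRoleNamePrefix"] + form.get(props["edocliteFieldRoleForPermissions"], "")
    check_allowed("role", [role], csv(props.get("allowedRolesForPermissions")))
    operation = props.get("operationForPermissions") or form.get(props["edocliteFieldOperationForPermissions"], "")
    check_allowed("operation", [operation], csv(props.get("allowedOperationsForPermissions")))
    actions = indexed_values(form, props["edocliteFieldPrefixActionsForPermissions"])
    check_allowed("action", actions, csv(props.get("allowedActionsForPermissions")))
    # the stem prefix is prepended before the regex/allow-list check; with the page's regex
    # ending in .* it is the prefix, not the regex, that keeps a request inside one stem
    permissions = [props["enteredPermissionNamePrefix"] + p
                   for p in indexed_values(form, props["edocliteFieldPrefixForPermissions"])]
    check_allowed("permission", permissions, csv(props.get("allowedPermissions")), props.get("permissionsRegex"))
    if not actions or not permissions:
        raise ValueError("at least one action and one permission are required")
    delegatable = props.get("permissionsDelegatable") or form.get(props["edocliteFieldPermissionsDelegatable"], "")
    if delegatable not in ("", "FALSE", "TRUE", "GRANT"):
        raise ValueError("delegatable must be blank, FALSE, TRUE or GRANT")
    return {
        "role": role, "operation": operation, "delegatable": delegatable,
        "assignments": [(p, a) for p in permissions for a in actions],
        "enabledDate": parse_date(form.get(props["edocliteFieldPermissionEnabledDate"], "")),
        "disabledDate": parse_date(form.get(props["edocliteFieldPermissionDisabledDate"], "")),
    }

PROPS = load_props(PROPS_TEXT)
# Constructed submission matching the result email above: English, read+write, replace, disabled 2011/02/03.
SAMPLE_FORM = {
    "role": "user", "operation": "replace_permissions",
    "actionsFieldDef0": "read", "actionsFieldDef1": "write", "permissionsFieldDef0": "english",
    "enabledDate": "", "disabledDate": "2011/02/03", "delegation": "TRUE",
}
```

A role value the form never offered, or an action outside the allowed list, is refused before anything would be provisioned; the same checks apply to operations and to the prefixed permission names.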