Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] import, command line parameters....

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] import, command line parameters....

Chronological Thread 
  • From: Tom Barton <>
  • To:
  • Subject: Re: [grouper-users] import, command line parameters....
  • Date: Wed, 28 Feb 2007 07:37:00 -0600

Tom Barton wrote:

The Subject API v0.2.1 wiki page has this to say:
I've seen this... but it didn't help enuf....

I'll try to capture the gap and enhance that doc accordingly. Thanks.

The "getSubject" method is used to select a specific subject from the back-end identity store, for example, to show the name and department of a person belonging to a group.

in what context is this selection being done? Here's my guess... inside the Grouper backend, a member of a group is defined by the triple ( subject id, source, and type ... I think). So, is getSubject (subject id) used to retrieve detailed attribute info about that entity from "source"?


So.... subject id should be persistent and non-reassignable? (which you'd suggested in a previous note...)

The grouper API provides methods to reflect changes of subject Id into the groups registry if you don't have or can't use such an identifier. But of course you have to keep up with those changes. Oftentimes it's just easier & better to not go down that path if you can use a subject identifier that doesn't change.

The "getSubjectByIdentifier" method enables identifying a subject by means of a column or attribute different from that used as the subjectId. For example, if a UI user authenticates with a loginId, but the subjectId is an opaque registryId, this method is used to identify the subject given their loginId.

so, this refers to an alternate unique identifier, that exists ONLY in a source? and is probably human-readable? is it ever used by Grouper? not that I see on the screen...?

One or more alternate identifiers. Example, at Chicago we'll probably expose several: use our unchanging "ChicagoId" as subject Id, enable CNetID (username), hospitalId, studentId, alumniId, and maybe even Card ISO as other identifying attributes.

These identifiers are not used or stored by grouper internally. The vanilla grouper UI will display them in its "subject view", so take some care about choice of alternate identifiers vs. UI configuration. And the xml-export properties can be used to associate any of them with a subject's membership in the xml export file. That's to aid provisioning group info to a context in which the subject Id is not the native identifier, but one of the alternate identifiers is.

I'm presuming authn is done external to grouper... does Grouper use this method to obtain my subject ID after I login? so it can show me "my groups"?

Yes. Grouper maps the REMOTE_USER into a subject so that the user's grouper privileges can be established. And yes, the vanilla UI provides 3 tasks that personalize the user's experience accordingly: "my groups", which shows where you are a member (and can join/leave if permitted); "create groups", which rapidly takes the user only to where they have CREATE privilege; and "manage groups", which similarly takes the user only to where they have UPDATE (or ADMIN) privilege.


Archive powered by MHonArc 2.6.16.

Top of Page