grouper-users - [grouper-users] grouper permissions example
- From: Chris Hyzer <>
- To: "" <>, "" <>, "" <>
- Subject: [grouper-users] grouper permissions example
- Date: Sun, 3 Oct 2010 00:54:17 -0400
- Accept-language: en-US
On the last mace-paccman call I had to admit the Grouper permissions
framework could be better documented. I took the grouper solution of the CMU
billing use case, updated it, implemented it on the grouper demo server,
added a bunch of diagrams, and made a command line Java client which does
decisions/assignments (via WS).
I think the gaps between where CMU wants to be and what exists in Grouper 1.6 are
a permissions UI, and a way to have the Java decision client hosted as a web
service instead of a WS client.
Well, this might be too complicated of a demo implementation in some places,
and perhaps could have more work in others (e.g. which service principals are
allowed to admin the subsystem), but hopefully if you spend some time reading
it, it will help explain Grouper permissions in a real world use case.
https://spaces.internet2.edu/display/macepaccman/Grouper+and+the+CMU+Billing+Use+Case
One point from the mace-paccman call was whether to use permission assignment
tuples, triples, or n-ples (what's the word for this? It's not anatomy).
Grouper does triples for permissions (subject, action, permission resource),
however, the attribute framework allows as many attributes (and value or
values) as you want to assign to that permission assignment triple. So to
illustrate this, instead of packing the delegateId in the permission resource
name for delegate assignments, I assign it as an attribute (with value) of
the generic permissions assignment for that user. One of the diagrams in the
above link shows this. You could use this for limits on permissions, IP
address ACLs, time constraints, or any other metadata on the permission
assignment you need.
Let me know any feedback / questions / comments / etc.
Thanks!
Chris
P.S. Here are two examples of the command line client (which uses web services
via the grouperClient):
C:\temp\cmu>dir
10/02/2010 11:55 PM 14,680 cmuBilling.jar
10/02/2010 12:52 PM 17,532 grouper.client.properties
06/01/2010 06:12 AM 2,619,667 grouperClient.jar
########### Example of someone who is delegated from someone else
C:\temp\cmu>java -cp cmuBilling.jar;grouperClient.jar
edu.cmu.it.apps.billing.CmuBilling --operation=canReadBill
--studentToCheck=stto --personWithAccess=babl
Has allBills permission? false
Is checking own bill? false
Has studentDelegate permission? true
Person has been assigned delegate from: stto
Can read bill? true
C:\temp\cmu>
########### Check bill for local admin in org (hierarchy),
########### student kebr is a major in org 0103, which is a grandchild of the org BIOB
########### hato can read all of org BIOB (which includes 0103 obviously)
C:\temp\cmu>java -cp cmuBilling.jar;grouperClient.jar
edu.cmu.it.apps.billing.CmuBilling --operation=canReadBill
--studentToCheck=kebr --personWithAccess=hato
Has allBills permission? false
Is checking own bill? false
Has studentDelegate permission? false
Person is local admin on orgs: 0103, 0105, 0333, BIOB, BIOL, BIOT
Student has majors: 0103
Can read bill? true
C:\temp\cmu>
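As an added illustration (not code from the post, the CmuBilling client, or Grouper itself), here is a small Python model of the decision logic the two runs above print: each permission assignment is the triple (subject, action, resource), and metadata such as the delegateId or the admin's org is carried as attributes on that assignment rather than packed into the resource name. The org tree, majors and assignments below are constructed sample data, and "bursar" is a made-up subject.

```python
from dataclasses import dataclass, field

@dataclass
class Assignment:  # (subject, action, resource) triple plus attached attributes
    subject: str
    action: str
    resource: str
    attrs: dict = field(default_factory=dict)

# Constructed sample data (not real Grouper records): org tree and majors.
ORG_PARENT = {"BIOL": "BIOB", "BIOT": "BIOB", "0103": "BIOL", "0105": "BIOL", "0333": "BIOT"}
STUDENT_MAJORS = {"kebr": ["0103"], "stto": ["0333"]}

# Constructed assignments: delegateId and org live as attributes on the
# assignment, not in the resource name. "bursar" is a made-up subject.
ASSIGNMENTS = [
    Assignment("bursar", "read", "allBills"),
    Assignment("babl", "read", "studentDelegate", {"delegateId": "stto"}),
    Assignment("hato", "read", "localAdmin", {"org": "BIOB"}),
]

def descendants(org):
    """The org itself plus every org below it in the hierarchy."""
    out = {org}
    changed = True
    while changed:
        changed = False
        for child, parent in ORG_PARENT.items():
            if parent in out and child not in out:
                out.add(child)
                changed = True
    return out

def can_read_bill(student, person):
    """Mirror the checks the CmuBilling client prints, in the same order."""
    mine = [a for a in ASSIGNMENTS if a.subject == person and a.action == "read"]
    has_all = any(a.resource == "allBills" for a in mine)
    own_bill = student == person
    delegates = [a for a in mine if a.resource == "studentDelegate"]
    # studentDelegate only helps if an assignment's delegateId names this student
    delegate_ok = any(a.attrs.get("delegateId") == student for a in delegates)
    admin_orgs = set()
    for a in mine:
        if a.resource == "localAdmin":
            admin_orgs |= descendants(a.attrs["org"])
    admin_ok = any(m in admin_orgs for m in STUDENT_MAJORS.get(student, []))
    return {"allBills": has_all, "ownBill": own_bill, "studentDelegate": bool(delegates),
            "delegateFrom": [a.attrs.get("delegateId") for a in delegates],
            "localAdminOrgs": sorted(admin_orgs),
            "canRead": has_all or own_bill or delegate_ok or admin_ok}
```

A negative case such as `can_read_bill("kebr", "babl")` shows why the attribute matters: babl holds the studentDelegate permission, but its delegateId names stto, so the bill of kebr stays closed.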