
grouper-users - [grouper-users] inherited privileges rule example

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer
  • Subject: [grouper-users] inherited privileges rule example
  • Date: Thu, 7 Feb 2013 18:49:26 +0000

FYI, I put an example of inherited privileges for groups from Penn… this is easy to do…

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Inherited+privileges+on+groups

Penn has Atlassian groups in Grouper.  Any group created in Grouper in the Jira/Confluence folder will be available in Jira/Confluence.  However, the proper privileges need to be assigned to the groups.  The Atlassian admins need admin, updaters need update, and readers need read.  These assignments are done by 3 people, and it is error-prone (assign the wrong thing), sometimes forgotten, and time-consuming.


https://spaces.internet2.edu/download/attachments/15730886/atlassian.jpg?version=1&modificationDate=1360262631241


We assigned rules on the Atlassian folder (in test and prod) to automatically make these assignments.  Here is the GSH script to install these 6 rules (admin/update/read for test/prod):

// Start a root session; the rules below are also created to act as the root subject.
grouperSession = GrouperSession.startRootSession();

// penn: folder (prod). Stem.Scope.SUB applies each rule to groups at any depth under the folder.
atlassian = StemFinder.findByName(grouperSession, "penn:isc:ait:apps:atlassian");
atlassianReaders = GroupFinder.findByName(grouperSession, "penn:isc:ait:apps:atlassian:admin:readers");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianReaders.toSubject(), Privilege.getInstances("read"));
atlassianAdmins = GroupFinder.findByName(grouperSession, "penn:isc:ait:apps:atlassian:admin:admins");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianAdmins.toSubject(), Privilege.getInstances("admin"));
atlassianUpdaters = GroupFinder.findByName(grouperSession, "penn:isc:ait:apps:atlassian:admin:updaters");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianUpdaters.toSubject(), Privilege.getInstances("update"));

// test: folder. The same three rules (read, admin, update).
atlassian = StemFinder.findByName(grouperSession, "test:isc:ait:apps:atlassian");
atlassianReaders = GroupFinder.findByName(grouperSession, "test:isc:ait:apps:atlassian:admin:readers");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianReaders.toSubject(), Privilege.getInstances("read"));
atlassianAdmins = GroupFinder.findByName(grouperSession, "test:isc:ait:apps:atlassian:admin:admins");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianAdmins.toSubject(), Privilege.getInstances("admin"));
atlassianUpdaters = GroupFinder.findByName(grouperSession, "test:isc:ait:apps:atlassian:admin:updaters");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianUpdaters.toSubject(), Privilege.getInstances("update"));

Thanks,

Chris
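
Added example, not part of the original post or of Grouper's own code: a read-only GSH check that every group under the folder carries the privileges the rules in the post are meant to assign, which surfaces groups where an assignment was missed. It assumes a GSH that accepts multi-line Groovy blocks; `folderName`, `checks` and `missing` are illustrative names, and the folder and role-group names are the ones used in the post.

```groovy
// Added example: audit only, it changes no privileges.
grouperSession = GrouperSession.startRootSession();

// Folder to audit; run against test first, then the penn: folder.
folderName = "test:isc:ait:apps:atlassian";
atlassian = StemFinder.findByName(grouperSession, folderName);

// Role group (under <folder>:admin) -> test for the privilege it should hold.
checks = [
  "readers"  : { g, s -> g.hasRead(s) },
  "updaters" : { g, s -> g.hasUpdate(s) },
  "admins"   : { g, s -> g.hasAdmin(s) }
];

// Collect every (group, role) pair where the expected privilege is absent.
missing = [];
checks.each { role, hasPrivilege ->
  roleSubject = GroupFinder.findByName(grouperSession, folderName + ":admin:" + role).toSubject();
  // Same scope as the rules: all groups at any depth under the folder.
  atlassian.getChildGroups(Stem.Scope.SUB).each { group ->
    if (!hasPrivilege(group, roleSubject)) {
      missing << (group.getName() + " : expected privilege not held by " + role);
    }
  }
};

missing.each { println it };
println "Groups missing an expected privilege: " + missing.size();
```

An empty result on a folder that already contained groups when the rules were installed is worth confirming by hand for one or two of those older groups.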


