
grouper-users - [grouper-users] RE: Assigning admin and create privileges hierarchically

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Gagné Sébastien <>, "Omaraie, Brad" <>
  • Cc: "" <>
  • Subject: [grouper-users] RE: Assigning admin and create privileges hierarchically
  • Date: Thu, 2 May 2013 17:11:48 +0000

Yes, good point. Just to clarify though, that is set by default in the grouper-loader.properties (which you have to sync up with grouper-loader.example.properties when you upgrade)… so the important thing is not really that you need to define it, but that you have to not undefine it :)

 

Thanks,

Chris

 

From: [mailto:] On Behalf Of Gagné Sébastien
Sent: Thursday, May 02, 2013 10:02 AM
To: Chris Hyzer; Omaraie, Brad
Cc:
Subject: RE: [grouper-users] RE: Assigning admin and create privileges hierarchically

 

For your information, there is also a job in the Grouper Loader that would’ve added the privileges for already created objects; in ‘grouper-loader.properties’ you have to define:

 

# when the rules validations and daemons run.  Leave blank to not run

rules.quartz.cron = 0 0 1 * * ?

 

From: [] On Behalf Of Chris Hyzer
Sent: May 2, 2013 01:36
To: Omaraie, Brad
Cc:
Subject: [grouper-users] RE: Assigning admin and create privileges hierarchically

 

It works for me, I updated the wiki with this example. I wonder why it didn’t work for you, what is different?

 

Thanks,

Chris

 

Type help() for instructions

gsh 0% grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 867846c824334805bc59a369c009acc3,'GrouperSystem','application'

gsh 1% stem_a = new StemSave(grouperSession).assignName("a").assignCreateParentStemsIfNotExist(true).save();

stem: name='a' displayName='a' uuid='30809211370c43a3b234243234234'

gsh 2% stem_a_b = new StemSave(grouperSession).assignName("a:b").assignCreateParentStemsIfNotExist(true).save();

stem: name='a:b' displayName='a:b' uuid='30809211370c43a3b231231231442'

gsh 3% stem_a_b_c = new StemSave(grouperSession).assignName("a:b:c").assignCreateParentStemsIfNotExist(true).save();

stem: name='a:b:c' displayName='a:b:c' uuid='30809211234234243231231442'

gsh 4% stem_a_c = new StemSave(grouperSession).assignName("a:c").assignCreateParentStemsIfNotExist(true).save();

stem: name='a:b:c' displayName='a:b:c' uuid='30809211234234243231231442'

gsh 5% stem_a_b.hasCreate(SubjectFinder.findById("test.subject.2"));

false

gsh 6% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));

false

gsh 7% stem_a_c.hasCreate(SubjectFinder.findById("test.subject.2"));

false

gsh 8% RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), stem_a, Stem.Scope.SUB, SubjectFinder.findById("test.subject.2"), Privilege.getInstances("stem, create"));

edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=681b3033fc044c25b4c4a4ffdbd3958c,action="assign,attributeDefName=etc:attribute:rules:rule,

  stem=Stem[displayName=a,name=a,uuid=ba7b1db6dda044e3933b0bc0df2f9398,creator=f7c2ea49e9de4a1e8e2f46aaf8603092]]

gsh 9% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));

false

gsh 10% RuleApi.runRulesForOwner(stem_a)

1

gsh 11% stem_a_c.hasCreate(SubjectFinder.findById("test.subject.2"));

true

gsh 12% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));

true

gsh 13% stem_a_b.hasCreate(SubjectFinder.findById("test.subject.2"));

true

gsh 14%

 

From: Omaraie, Brad []
Sent: Wednesday, May 01, 2013 8:03 PM
To: Chris Hyzer
Cc:
Subject: Re: Assigning admin and create privileges hierarchically

 

Hi Chris,

Thanks for the solutions. It seems like the first solution only works if we run RuleApi.inheritFolderPrivileges before creating the new subfolders and groups. In our case they were already created and the script did not modify the privileges. I also ran the daemon for existing objects but it returned "0". But as this was a one-time thing for us, I used your second solution to generate grant privilege methods for each group and it worked like a charm.

 

Thanks again,

Brad

 

 

From: "" <>
Date: Wednesday, May 1, 2013 7:41 AM
To: ucla <>
Cc: "" <>
Subject: RE: Assigning admin and create privileges hierarchically

 

You can do one of two things:

 

1. Add a rule to the stem which makes sure all the underlying folders.  The daemon part will take care of all the existing objects

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Inherited+privileges+on+folders

GSH shorthand method

RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), stem2, Scope.SUB, groupA.toSubject(), Privilege.getInstances("stem, create"));



https://spaces.internet2.edu/display/Grouper/Grouper+rules

You can run the rules daemon on an owner (daemon mode) with GSH:

RuleApi.runRulesForOwner(groupA)



-or-

2. If this is a one-time thing, you can make a query from SQL which generates GSH to assign the privileges

 

https://spaces.internet2.edu/display/Grouper/GrouperShell+(gsh)

 

I want all groups in a certain folder which do not have an ADMIN privilege assigned to my application service principal, to assign that privilege. Here is the query for Oracle:

select 'grantPriv("'|| gg.name || '", "someid/server.school.edu", AccessPrivilege.ADMIN);' as script
from grouper_groups gg where gg.name like 'school:apps:appName:spaces:%'
and not exists
(select (1) from grouper_memberships_lw_v gmlv where gg.name = gmlv.group_name and list_name = 'admins'
and gmlv.subject_id = 'someid/server.school.edu');

 

 

Thanks,

Chris
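
Added example (not part of the original message, and not Grouper project code): two Oracle queries to check the result of a bulk ADMIN grant like the one generated above, and to review who else holds ADMIN in the same folder. They assume only the tables and columns that appear in the query above; the folder prefix and subject id are the same placeholders.

```sql
-- 1. Coverage check: after running the generated grantPriv() lines, the two
--    counts should be equal. A gap means some groups in the folder still
--    lack the service principal in their 'admins' list.
select count(distinct gg.name)         as groups_in_folder,
       count(distinct gmlv.group_name) as groups_with_admin
  from grouper_groups gg
  left join grouper_memberships_lw_v gmlv
         on gmlv.group_name = gg.name
        and gmlv.list_name  = 'admins'
        and gmlv.subject_id = 'someid/server.school.edu'
 where gg.name like 'school:apps:appName:spaces:%';

-- 2. Privilege review: every subject that appears in an 'admins' list in the
--    folder, with the number of groups it administers. Subjects that were
--    not expected to be here are the ones to investigate.
select gmlv.subject_id,
       count(distinct gmlv.group_name) as groups_administered
  from grouper_groups gg
  join grouper_memberships_lw_v gmlv
    on gmlv.group_name = gg.name
 where gg.name like 'school:apps:appName:spaces:%'
   and gmlv.list_name = 'admins'
 group by gmlv.subject_id
 order by groups_administered desc, gmlv.subject_id;
```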

 

 

From: Omaraie, Brad []
Sent: Tuesday, April 30, 2013 3:05 PM
To: Chris Hyzer
Subject: Assigning admin and create privileges hierarchically

 

Hi Chris,

I know this might have been asked many times, but I was looking around and could not find a good answer. There's this group of applications that are starting to use Grouper in our environment. We assigned a main stem to this app and they have the freedom to manage groups and folders in that stem on their own. We loaded their data in that stem and they have about 50 subfolders and groups there. We created an admin group for this app and I want to assign create and admin privileges to all these subfolders to this group. After reading around I noticed assigning create and admin privileges in Grouper is not hierarchical by design. I was hoping it is and by just assigning the correct privileges to that app's stem, all the subfolders will inherit those. But now it seems like I have to go through 50 folders and groups and assign those privileges manually one by one!

 

Is there any other way that we can do this in a more efficient way by the Grouper UI?

 

Thanks,

Brad

 

 



