grouper-users - [grouper-users] RE: Assigning admin and create privileges hierarchically
Subject: Grouper Users - Open Discussion List
List archive
- From: Chris Hyzer <>
- To: Gagné Sébastien <>, "Omaraie, Brad" <>
- Cc: "" <>
- Subject: [grouper-users] RE: Assigning admin and create privileges hierarchically
- Date: Thu, 2 May 2013 17:11:48 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport07.merit.edu; dkim=neutral (message not signed) header.i=none
Yes, good point. Just to clarify though, that is set by default in the grouper-loader.properties (which you have to sync up with grouper-loader.example.properties
when you upgrade)… so the important thing is not really that you need to define it, but that you have to not undefine it
J Thanks, Chris From: [mailto:]
On Behalf Of Gagné Sébastien For you information, there is also a job in the Grouper Loader that would’ve added the privileges for already created objects, in ‘grouper-loader.propeties’
you have to define : # when the rules validations and daemons run. Leave blank to not run rules.quartz.cron = 0 0 1 * * ? De :
[]
De la part de Chris Hyzer It works for me, I updated the wiki with this example. I wonder why it didn’t work for you, what is different? Thanks, Chris Type help() for instructions gsh 0% grouperSession = GrouperSession.startRootSession(); edu.internet2.middleware.grouper.GrouperSession: 867846c824334805bc59a369c009acc3,'GrouperSystem','application' gsh 1% stem_a = new StemSave(grouperSession).assignName("a").assignCreateParentStemsIfNotExist(true).save(); stem: name='a' displayName='a' uuid='30809211370c43a3b234243234234'
gsh 2% stem_a_b = new StemSave(grouperSession).assignName("a:b").assignCreateParentStemsIfNotExist(true).save(); stem: name='a:b' displayName='a:b' uuid='30809211370c43a3b231231231442'
gsh 3% stem_a_b_c = new StemSave(grouperSession).assignName("a:b:c").assignCreateParentStemsIfNotExist(true).save(); stem: name='a:b:c' displayName='a:b:c' uuid='30809211234234243231231442'
gsh 4% stem_a_c = new StemSave(grouperSession).assignName("a:c").assignCreateParentStemsIfNotExist(true).save(); stem: name='a:b:c' displayName='a:b:c' uuid='30809211234234243231231442'
gsh 5% stem_a_b.hasCreate(SubjectFinder.findById("test.subject.2")); false gsh 6% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2")); false gsh 7% stem_a_c.hasCreate(SubjectFinder.findById("test.subject.2")); false gsh 8% RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), stem_a, Stem.Scope.SUB, SubjectFinder.findById("test.subject.2"), Privilege.getInstances("stem,
create")); edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=681b3033fc044c25b4c4a4ffdbd3958c,action="assign,attributeDefName=etc:attribute:rules:rule, stem=Stem[displayName=a,name=a,uuid=ba7b1db6dda044e3933b0bc0df2f9398,creator=f7c2ea49e9de4a1e8e2f46aaf8603092]] gsh 9% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2")); false gsh 10% RuleApi.runRulesForOwner(stem_a) 1 gsh 11% stem_a_c.hasCreate(SubjectFinder.findById("test.subject.2")); true gsh 12% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2")); true gsh 13% stem_a_b.hasCreate(SubjectFinder.findById("test.subject.2")); true gsh 14% From: Omaraie, Brad []
Hi Chris, Thanks for the solutions. It seems like the first solution only work if we run RuleApi.inheritFolderPrivileges before
creating the new subfolders and groups. In our case they were already created and the script did not modify the privileges. I also ran the daemon for existing objects but it returned "0". But as this was a one time thing for us, I used your second solution
to generate grant privilege methods for each group and it worked like charm. Thanks again, Brad From:
"" <> You can do one of two things:
1.
Add a rule to the stem which makes sure all the underlying folders. The daemon part will take care of all the existing objects
GSH shorthand method
2.
If this is a one-time thing, you can make a query from SQL which generates GSH to assign the privileges https://spaces.internet2.edu/display/Grouper/GrouperShell+(gsh)
I want all groups in a certain folder which do not have an ADMIN privilege assigned to my application service principal, to assign that privilege. Here is the query for oracle:
Thanks, Chris From: Omaraie, Brad []
Hi Chris, I know this might have been asked many times, but I was looking around and could not find a good answer. There's this group of applications that are starting
to use grouper in our environment. We assigned a main stem to this app and they have the freedom to manage groups and folders in that stem on their own. We loaded their data in that stem and they have about 50 subfolders and groups there. We created an admin
group for this app and I want to assign create and admin privileges to all these subfolder to this group. After reading around I noticed assigning create and admin privileges in grouper is not hierarchical by design. I was hoping it is and by just assigning
the correct privileges to that app's stem, all the subfolders will inherit those. But now it seems like I have to go through 50 folders and groups and assign those privileges manually one by one! Is there any other way that we can do this in a more efficient way by the Grouper UI? Thanks, Brad |
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/01/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/01/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- <Possible follow-up(s)>
- RE: [grouper-users] RE: Assigning admin and create privileges hierarchically, Gagné Sébastien, 05/02/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/02/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/02/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/02/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/01/2013
Archive powered by MHonArc 2.6.16.