Skip to Content.
Sympa Menu

grouper-users - [grouper-users] Re: Assigning admin and create privileges hierarchically

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Re: Assigning admin and create privileges hierarchically


Chronological Thread 
  • From: "Omaraie, Brad" <>
  • To: Chris Hyzer <>, Gagné Sébastien <>
  • Cc: "" <>
  • Subject: [grouper-users] Re: Assigning admin and create privileges hierarchically
  • Date: Thu, 2 May 2013 19:35:35 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none

Hmm, I thought I ran that too. But anyways, I did it again and now it works!

Thanks a lot,
Brad

From: "" <>
Date: Thursday, May 2, 2013 12:21 PM
To: ucla <>, Gagné Sébastien <>
Cc: "" <>
Subject: RE: Assigning admin and create privileges hierarchically

This just adds the rule:

 

RuleApi.inheritGroupPrivileges

 

This runs the daemon manually:

 

RuleApi.runRulesForOwner(stem1)

 

Thanks,

Chris

 

From: Omaraie, Brad []
Sent: Thursday, May 02, 2013 3:18 PM
To: Chris Hyzer; Gagné Sébastien
Cc:
Subject: Re: Assigning admin and create privileges hierarchically

 

Hi Chris,

After receiving your e-mail I checked our system one more time and to my surprise I noticed the stem and create privileges were assigned to the sub folders of that app's main stem. To test your solution again, I repeated it for groups under that stem to assign admin privilege. Here's exactly what I ran:

 

gsh 2% grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 0c93d0045fbf487cb9d854a779af167e,'GrouperSystem','application'

gsh 3% stem1 = StemFinder.findByName(grouperSession, "ucla:services:iwe");

stem: name='ucla:services:iwe' displayName='UCLA:services:iwe' uuid='59f0e696496345d0abb6714195920f39' 

gsh 4% group1 = GroupFinder.findByName(grouperSession, "ucla:services:iwe:admin");

group: name='ucla:services:iwe:admin' displayName='UCLA:services:iwe:admin' uuid='c73a3f1aa24b471b917a356ef3b378af' 

gsh 5% RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), stem1, Stem.Scope.SUB, group1.toSubject(), Privilege.getInstances("admin"));

edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=adbd165d1a81429a9301fd2e41599321,action="assign,attributeDefName=etc:attribute:rules:rule,

  stem=Stem[displayName=UCLA:services:iwe,name=ucla:services:iwe,uuid=59f0e696496345d0abb6714195920f39,creator=e3fffc43e19447b299c225ead4272aee]]

 

It seems it ran fine, but when I tested it I got this:

 

gsh 8% hasPriv("ucla:services:iwe:l:undergraduate-admit:98", "urn:mace:ucla.edu:ppid:person:2d29e47890ec44a5a76536df21351bef", Privilege.getInstance("admin"));

False

 

urn:mace:ucla.edu:ppid:person:2d29e47890ec44a5a76536df21351bef is the id for one of the members in that admin group.

 

I checked our grouper-loader.properties file and the setting for rules job is as follows: 

# when the rules validations and daemons run.  Leave blank to not run

rules.quartz.cron = 0 0 7 * * ?

 

Which means the job was running at 7am. That explains why the stem and create privileges where added today. But I'm wondering why when I run them from directly gsh, they won't get assigned immediately. Am I doing anything wrong?

 

Thanks,

Brad

 

 

From: "" <>
Date: Thursday, May 2, 2013 10:11 AM
To: Gagné Sébastien <>, ucla <>
Cc: "" <>
Subject: RE: Assigning admin and create privileges hierarchically

 

Yes, good point.  Just to clarify though, that is set by default in the grouper-loader.properties (which you have to sync up with grouper-loader.example.properties when you upgrade)…  so the important thing is not really that you need to define it, but that you have to not undefine it J

 

Thanks,

Chris

 

From: [] On Behalf Of Gagné Sébastien
Sent: Thursday, May 02, 2013 10:02 AM
To: Chris Hyzer; Omaraie, Brad
Cc:
Subject: RE: [grouper-users] RE: Assigning admin and create privileges hierarchically

 

For you information, there is also a job in the Grouper Loader that would’ve added the privileges for already created objects, in ‘grouper-loader.propeties’ you have to define :

 

# when the rules validations and daemons run.  Leave blank to not run

rules.quartz.cron = 0 0 1 * * ?

 

De : [] De la part de Chris Hyzer
Envoyé : 2 mai 2013 01:36
À : Omaraie, Brad
Cc :
Objet : [grouper-users] RE: Assigning admin and create privileges hierarchically

 

It works for me, I updated the wiki with this example.  I wonder why it didn’t work for you, what is different?

 

Thanks,

Chris

 

Type help() for instructions

gsh 0% grouperSession = GrouperSession.startRootSession();

edu.internet2.middleware.grouper.GrouperSession: 867846c824334805bc59a369c009acc3,'GrouperSystem','application'

gsh 1% stem_a = new StemSave(grouperSession).assignName("a").assignCreateParentStemsIfNotExist(true).save();

stem: name='a' displayName='a' uuid='30809211370c43a3b234243234234'

gsh 2% stem_a_b = new StemSave(grouperSession).assignName("a:b").assignCreateParentStemsIfNotExist(true).save();

stem: name='a:b' displayName='a:b' uuid='30809211370c43a3b231231231442'

gsh 3% stem_a_b_c = new StemSave(grouperSession).assignName("a:b:c").assignCreateParentStemsIfNotExist(true).save();

stem: name='a:b:c' displayName='a:b:c' uuid='30809211234234243231231442'

gsh 4% stem_a_c = new StemSave(grouperSession).assignName("a:c").assignCreateParentStemsIfNotExist(true).save();

stem: name='a:b:c' displayName='a:b:c' uuid='30809211234234243231231442'

gsh 5% stem_a_b.hasCreate(SubjectFinder.findById("test.subject.2"));

false

gsh 6% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));

false

gsh 7% stem_a_c.hasCreate(SubjectFinder.findById("test.subject.2"));

false

gsh 8% RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), stem_a, Stem.Scope.SUB, SubjectFinder.findById("test.subject.2"), Privilege.getInstances("stem, create"));

edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=681b3033fc044c25b4c4a4ffdbd3958c,action="assign,attributeDefName=etc:attribute:rules:rule,

  stem=Stem[displayName=a,name=a,uuid=ba7b1db6dda044e3933b0bc0df2f9398,creator=f7c2ea49e9de4a1e8e2f46aaf8603092]]

gsh 9% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));

false

gsh 10% RuleApi.runRulesForOwner(stem_a)

1

gsh 11% stem_a_c.hasCreate(SubjectFinder.findById("test.subject.2"));

true

gsh 12% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));

true

gsh 13% stem_a_b.hasCreate(SubjectFinder.findById("test.subject.2"));

true

gsh 14%

 

From: Omaraie, Brad []
Sent: Wednesday, May 01, 2013 8:03 PM
To: Chris Hyzer
Cc:
Subject: Re: Assigning admin and create privileges hierarchically

 

Hi Chris,

Thanks for the solutions. It seems like the first solution only work if we run RuleApi.inheritFolderPrivileges before creating the new subfolders and groups. In our case they were already created and the script did not modify the privileges. I also ran the daemon for existing objects but it returned "0". But as this was a one time thing for us, I used your second solution to generate grant privilege methods for each group and it worked like charm.

 

Thanks again,

Brad

 

 

From: "" <>
Date: Wednesday, May 1, 2013 7:41 AM
To: ucla <>
Cc: "" <>
Subject: RE: Assigning admin and create privileges hierarchically

 

You can do one of two things:

 

1.       Add a rule to the stem which makes sure all the underlying folders.  The daemon part will take care of all the existing objects

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Inherited+privileges+on+folders

GSH shorthand method

RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), stem2, Scope.SUB, groupA.toSubject(), Privilege.getInstances("stem, create"));



https://spaces.internet2.edu/display/Grouper/Grouper+rules

You can run the rules daemon on an owner (daemon mode) with GSH:

RuleApi.runRulesForOwner(groupA)



-or-

2.       If this is a one-time thing, you can make a query from SQL which generates GSH to assign the privileges

 

https://spaces.internet2.edu/display/Grouper/GrouperShell+(gsh)

 

I want all groups in a certain folder which do not have an ADMIN privilege assigned to my application service principal, to assign that privilege.  Here is the query for oracle:

select 'grantPriv("'|| gg.name || '", "someid/server.school.edu", AccessPrivilege.ADMIN);'as script 

from grouper_groups gg where gg.name like school:apps:appName:spaces:%' 

and not exists

(select (1) from grouper_memberships_lw_v gmlv where gg.name = gmlv.group_name and list_name = 'admins' 

and gmlv.subject_id = 'someid/server.school.edu');

 

 

Thanks,

Chris

 

 

From: Omaraie, Brad []
Sent: Tuesday, April 30, 2013 3:05 PM
To: Chris Hyzer
Subject: Assigning admin and create privileges hierarchically

 

Hi Chris,

I know this might have been asked many times, but I was looking around and could not find a good answer. There's this group of applications that are starting to use grouper in our environment. We assigned a main stem to this app and they have the freedom to manage groups and folders in that stem on their own. We loaded their data in that stem and they have about 50 subfolders and groups there. We created an admin group for this app and I want to assign create and admin privileges to all these subfolder to this group. After reading  around I noticed assigning create and admin privileges in grouper is not hierarchical by design. I was hoping it is and by just assigning the correct privileges to that app's stem, all the subfolders will inherit those. But now it seems like I have to go through 50 folders and groups and assign those privileges manually one by one!

 

Is there any other way that we can do this in a more efficient way by the Grouper UI?

 

Thanks,

Brad

 

 




Archive powered by MHonArc 2.6.16.

Top of Page