grouper-users - [grouper-users] Re: Assigning admin and create privileges hierarchically
- From: "Omaraie, Brad" <bomaraie@it.ucla.edu>
- To: Chris Hyzer <mchyzer@isc.upenn.edu>, Gagné Sébastien <sebastien.gagne.2@umontreal.ca>
- Cc: "grouper-users@internet2.edu" <grouper-users@internet2.edu>
- Subject: [grouper-users] Re: Assigning admin and create privileges hierarchically
- Date: Thu, 2 May 2013 19:35:35 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none
Hmm, I thought I ran that too. But anyways, I did it again and now it works!
Thanks a lot,
Brad
From: "mchyzer@isc.upenn.edu" <mchyzer@isc.upenn.edu>
Date: Thursday, May 2, 2013 12:21 PM
To: ucla <bomaraie@it.ucla.edu>, Gagné Sébastien <sebastien.gagne.2@umontreal.ca>
Cc: "grouper-users@internet2.edu" <grouper-users@internet2.edu>
Subject: RE: Assigning admin and create privileges hierarchically

This just adds the rule:
RuleApi.inheritGroupPrivileges

This runs the daemon manually:
RuleApi.runRulesForOwner(stem1)

Thanks,
Chris

From: Omaraie, Brad [mailto:bomaraie@it.ucla.edu]
Hi Chris,

After receiving your e-mail I checked our system one more time and to my surprise I noticed the stem and create privileges were assigned to the sub folders of that app's main stem. To test your solution again, I repeated it for groups under that stem to assign admin privilege. Here's exactly what I ran:

gsh 2% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 0c93d0045fbf487cb9d854a779af167e,'GrouperSystem','application'
gsh 3% stem1 = StemFinder.findByName(grouperSession, "ucla:services:iwe");
stem: name='ucla:services:iwe' displayName='UCLA:services:iwe' uuid='59f0e696496345d0abb6714195920f39'
gsh 4% group1 = GroupFinder.findByName(grouperSession, "ucla:services:iwe:admin");
group: name='ucla:services:iwe:admin' displayName='UCLA:services:iwe:admin' uuid='c73a3f1aa24b471b917a356ef3b378af'
gsh 5% RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), stem1, Stem.Scope.SUB, group1.toSubject(), Privilege.getInstances("admin"));
edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=adbd165d1a81429a9301fd2e41599321,action="assign,attributeDefName=etc:attribute:rules:rule, stem=Stem[displayName=UCLA:services:iwe,name=ucla:services:iwe,uuid=59f0e696496345d0abb6714195920f39,creator=e3fffc43e19447b299c225ead4272aee]]

It seems it ran fine, but when I tested it I got this:

gsh 8% hasPriv("ucla:services:iwe:l:undergraduate-admit:98", "urn:mace:ucla.edu:ppid:person:2d29e47890ec44a5a76536df21351bef", Privilege.getInstance("admin"));
False

urn:mace:ucla.edu:ppid:person:2d29e47890ec44a5a76536df21351bef is the id for one of the members in that admin group.

I checked our grouper-loader.properties file and the setting for the rules job is as follows:

# when the rules validations and daemons run. Leave blank to not run
rules.quartz.cron = 0 0 7 * * ?

Which means the job was running at 7am. That explains why the stem and create privileges were added today. But I'm wondering why, when I run them directly from gsh, they won't get assigned immediately. Am I doing anything wrong?

Thanks,
Brad

From:
"mchyzer@isc.upenn.edu" <mchyzer@isc.upenn.edu>

Yes, good point. Just to clarify though, that is set by default in the grouper-loader.properties (which you have to sync up with grouper-loader.example.properties when you upgrade)... so the important thing is not really that you need to define it, but that you have to not undefine it :)

Thanks,
Chris

From: grouper-users-request@internet2.edu
[mailto:grouper-users-request@internet2.edu]
On Behalf Of Gagné Sébastien

For your information, there is also a job in the Grouper Loader that would've added the privileges for already created objects; in 'grouper-loader.properties' you have to define:

# when the rules validations and daemons run. Leave blank to not run
rules.quartz.cron = 0 0 1 * * ?

From: grouper-users-request@internet2.edu
[mailto:grouper-users-request@internet2.edu]
On Behalf Of Chris Hyzer

It works for me, I updated the wiki with this example. I wonder why it didn't work for you, what is different?

Thanks,
Chris

Type help() for instructions
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 867846c824334805bc59a369c009acc3,'GrouperSystem','application'
gsh 1% stem_a = new StemSave(grouperSession).assignName("a").assignCreateParentStemsIfNotExist(true).save();
stem: name='a' displayName='a' uuid='30809211370c43a3b234243234234'
gsh 2% stem_a_b = new StemSave(grouperSession).assignName("a:b").assignCreateParentStemsIfNotExist(true).save();
stem: name='a:b' displayName='a:b' uuid='30809211370c43a3b231231231442'
gsh 3% stem_a_b_c = new StemSave(grouperSession).assignName("a:b:c").assignCreateParentStemsIfNotExist(true).save();
stem: name='a:b:c' displayName='a:b:c' uuid='30809211234234243231231442'
gsh 4% stem_a_c = new StemSave(grouperSession).assignName("a:c").assignCreateParentStemsIfNotExist(true).save();
stem: name='a:b:c' displayName='a:b:c' uuid='30809211234234243231231442'
gsh 5% stem_a_b.hasCreate(SubjectFinder.findById("test.subject.2"));
false
gsh 6% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));
false
gsh 7% stem_a_c.hasCreate(SubjectFinder.findById("test.subject.2"));
false
gsh 8% RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), stem_a, Stem.Scope.SUB, SubjectFinder.findById("test.subject.2"), Privilege.getInstances("stem, create"));
edu.internet2.middleware.grouper.attr.assign.AttributeAssign: AttributeAssign[id=681b3033fc044c25b4c4a4ffdbd3958c,action="assign,attributeDefName=etc:attribute:rules:rule, stem=Stem[displayName=a,name=a,uuid=ba7b1db6dda044e3933b0bc0df2f9398,creator=f7c2ea49e9de4a1e8e2f46aaf8603092]]
gsh 9% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));
false
gsh 10% RuleApi.runRulesForOwner(stem_a)
1
gsh 11% stem_a_c.hasCreate(SubjectFinder.findById("test.subject.2"));
true
gsh 12% stem_a_b_c.hasCreate(SubjectFinder.findById("test.subject.2"));
true
gsh 13% stem_a_b.hasCreate(SubjectFinder.findById("test.subject.2"));
true
gsh 14%

From: Omaraie, Brad [mailto:bomaraie@it.ucla.edu]
Hi Chris,

Thanks for the solutions. It seems like the first solution only works if we run RuleApi.inheritFolderPrivileges before creating the new subfolders and groups. In our case they were already created and the script did not modify the privileges. I also ran the daemon for existing objects but it returned "0". But as this was a one time thing for us, I used your second solution to generate grant privilege methods for each group and it worked like a charm.

Thanks again,
Brad

From:
"mchyzer@isc.upenn.edu" <mchyzer@isc.upenn.edu>

You can do one of two things:

1. Add a rule to the stem which makes sure all the underlying folders. The daemon part will take care of all the existing objects
GSH shorthand method

2. If this is a one-time thing, you can make a query from SQL which generates GSH to assign the privileges
https://spaces.internet2.edu/display/Grouper/GrouperShell+(gsh)

I want all groups in a certain folder which do not have an ADMIN privilege assigned to my application service principal, to assign that privilege. Here is the query for oracle:

Thanks,
Chris

From: Omaraie, Brad [mailto:bomaraie@it.ucla.edu]
Hi Chris,

I know this might have been asked many times, but I was looking around and could not find a good answer. There's this group of applications that are starting to use grouper in our environment. We assigned a main stem to this app and they have the freedom to manage groups and folders in that stem on their own. We loaded their data in that stem and they have about 50 subfolders and groups there. We created an admin group for this app and I want to assign create and admin privileges to all these subfolders to this group. After reading around I noticed assigning create and admin privileges in grouper is not hierarchical by design. I was hoping it is and by just assigning the correct privileges to that app's stem, all the subfolders will inherit those. But now it seems like I have to go through 50 folders and groups and assign those privileges manually one by one! Is there any other way that we can do this more efficiently via the Grouper UI?

Thanks,
Brad
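The thread above ends up with three separate steps spread over several replies: add an inheritFolderPrivileges rule for stem/create, add an inheritGroupPrivileges rule for admin, and run the rules daemon by hand so existing folders and groups are covered without waiting for rules.quartz.cron. The following gsh script is an added example that pulls those steps together and then verifies the result; it is not code from the thread or from the Grouper project. It reuses the folder and admin-group names from Brad's session. The calls stem.getChildStems(Stem.Scope.SUB), stem.getChildGroups(Stem.Scope.SUB) and group.hasAdmin(subject) are assumed to exist in the Grouper API; the member subject id is a placeholder to be replaced with a real one.

```groovy
// Added example (not from the thread): hierarchical admin/create privileges via rules in gsh.
grouperSession = GrouperSession.startRootSession();

// The application's top folder and the admin group that should manage everything under it
// (names taken from the thread).
stem1 = StemFinder.findByName(grouperSession, "ucla:services:iwe");
adminGroup = GroupFinder.findByName(grouperSession, "ucla:services:iwe:admin");
adminSubject = adminGroup.toSubject();

// Rule 1: every folder under stem1 (Stem.Scope.SUB = all descendants, not just direct children)
// grants stem + create to the admin group.
RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), stem1, Stem.Scope.SUB,
    adminSubject, Privilege.getInstances("stem,create"));

// Rule 2: every group under stem1 grants admin to the admin group.
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), stem1, Stem.Scope.SUB,
    adminSubject, Privilege.getInstances("admin"));

// Rules fire when new objects are created. Objects that already existed are only picked up
// by the rules daemon (rules.quartz.cron in grouper-loader.properties), so run it now rather
// than waiting for the scheduled job. The return value is the number of rules processed.
ruleCount = RuleApi.runRulesForOwner(stem1);
System.out.println("rules run for " + stem1.getName() + ": " + ruleCount);

// Verify folder privileges on every descendant folder.
// Assumption: Stem.getChildStems(Stem.Scope) exists and returns the descendant folders.
for (Stem childStem : stem1.getChildStems(Stem.Scope.SUB)) {
  System.out.println(childStem.getName() + " create for admin group: "
      + childStem.hasCreate(adminSubject) + ", stem: " + childStem.hasStem(adminSubject));
}

// Verify admin on every descendant group.
// Assumption: Stem.getChildGroups(Stem.Scope) and Group.hasAdmin(Subject) exist.
for (Group childGroup : stem1.getChildGroups(Stem.Scope.SUB)) {
  System.out.println(childGroup.getName() + " admin for admin group: " + childGroup.hasAdmin(adminSubject));
}

// The thread's own check: a member of the admin group should be admin of one of the groups
// through group membership. Placeholder subject id; replace with a real member of the admin group.
memberId = "REPLACE-WITH-A-MEMBER-SUBJECT-ID";
System.out.println(hasPriv("ucla:services:iwe:l:undergraduate-admit:98", memberId, Privilege.getInstance("admin")));
```

If the verification loop still prints false for objects that existed before the rules were added, that matches Brad's observation: the privileges arrive only after the daemon runs, so check that runRulesForOwner returned a non-zero count and that rules.quartz.cron has not been left blank in grouper-loader.properties.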
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/01/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/01/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- RE: [grouper-users] RE: Assigning admin and create privileges hierarchically, Gagné Sébastien, 05/02/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/02/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/02/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/02/2013
- [grouper-users] RE: Assigning admin and create privileges hierarchically, Chris Hyzer, 05/02/2013
- [grouper-users] Re: Assigning admin and create privileges hierarchically, Omaraie, Brad, 05/01/2013
Archive powered by MHonArc 2.6.16.