grouper-users - [grouper-users] RE: addIncludeExclude groups
Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: "Bryan E. Wooten" <>, "" <>
- Subject: [grouper-users] RE: addIncludeExclude groups
- Date: Mon, 6 Jan 2014 20:58:19 +0000
- Accept-language: en-US
The group query is a query that returns each group managed by a list of groups, and metadata for them. However, I don’t know how the privileges would work if include/exclude is used. i.e. normally if you use privs, it will apply to each loader group. But if you are applying privs to certain of the 5 include/exclude groups, then I don’t think it works like that right now. Do you want me to take a look and see? Would the managers also need READ access to the overall group, and possibly the system of record group?

Thanks,
Chris

From: Bryan E. Wooten
Yes those are the pages I’ve been trying to get my head around. Ah Ha! Don’t use the addIncludeExclude check box when creating the loader job! Just put that string in the grouperLoaderGroupTypes attribute!

I am still having trouble fully understanding the grouperLoaderGroupQuery and how to use it. What I have now is an IncludeExclude group for each Dept. What I would like to do is automatically create a group for each dept that contains just managers (i.e. DeptMgr group). I would like to assign these groups read/update privs to the respective dept’s include and exclude groups only. Or am I thinking about the use case incorrectly?

Thanks for all your patience,
Bryan

From: Chris Hyzer
The loader job itself shouldn’t be include/exclude, the generated/managed groups should be.

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader

Did you see this?

https://spaces.internet2.edu/display/Grouper/Grouper+Loader+classlist+example+from+Penn

I think the group name from the loader query should end in _systemOfRecord

Make the grouperLoaderGroupTypes by addIncludeExclude

You can have a query for the users as normal, then a group query. This has a row for each group, and has the privs associated with it in columns. In the admins col, put the name of the group which should be an admin. If you can’t get it working, give me the detailed design for exactly what you want, which group names, etc. and I can make you an example.

Thanks,
Chris

From: Bryan E. Wooten
Thanks Chris,

Well I think I get it, but now I have confused myself even more. So I created an addIncludeExclude group called foo, it is a SQL_GROUP_LIST with a grouperLoaderQuery:

    select group_name, subject_id, 'ldap' from UUIDM.UU_IDM_DEPT

(this is a view).

When I created the foo group the UI also created “foo excludes”, “foo_includes”, “foo system of record” and “foo system of record and includes”. All as expected. However when I run the job I get a group called “deptX_systemOfRecord” as expected. But I don’t see any include or exclude groups (or other groups) created. Am I missing something?

Also I am unclear on the purpose of the “grouperLoaderGroupQuery”. I couldn’t find anything in the wiki.

Thanks,
Bryan

From: Chris Hyzer
You are talking about a list of groups right? Do they all have the same admin privs? You need a col in the group query called “admins”, and list the group name there that should be an admin of each loader group. Then in that group, mark it include/exclude in the UI, or if it is a loader group itself, then do the same thing you did on the other one. Know what I mean? Or if all your loaded groups are in a folder, you could apply a rule in that folder (and subfolders) to have a certain include/exclude group be admin of all groups. Ok?

Thanks,
Chris

From: On Behalf Of Bryan E. Wooten

So I can successfully create a grouper loader group with andIncludesExcludes, but now I need to create a grouper loader group with admin privileges to the include and exclude groups. I can’t figure out how to do this. Any hints?

Thanks,
Bryan
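
Added example, not part of the thread and not Grouper project code: the membership query and the group query discussed above, written as a pair so the privilege columns are visible. The view UUIDM.UU_IDM_DEPT comes from Bryan's message; the `subject_source_id` alias, the `_mgrs` manager-group naming, the `app:dept:deptAdmins` group, and the assumption that `group_name` already ends in `_systemOfRecord` are illustrative, and the privilege column names should be checked against the Grouper Loader wiki page linked in the thread.

```sql
-- grouperLoaderQuery (membership query): one row per member of each
-- loaded group. Source view is the one named in the thread; the alias on
-- the literal is an assumption.
SELECT group_name,
       subject_id,
       'ldap' AS subject_source_id
FROM   UUIDM.UU_IDM_DEPT;

-- grouperLoaderGroupQuery (group query): one row per managed group, with
-- the privileges for that group carried in columns, as Chris describes.
-- Each department's manager group (hypothetical name: same as the loaded
-- group with '_systemOfRecord' replaced by '_mgrs') gets READ and UPDATE
-- only; ADMIN goes to a single central group (hypothetical name).
SELECT DISTINCT
       group_name,
       REPLACE(group_name, '_systemOfRecord', '_mgrs') AS readers,
       REPLACE(group_name, '_systemOfRecord', '_mgrs') AS updaters,
       'app:dept:deptAdmins'                           AS admins
FROM   UUIDM.UU_IDM_DEPT;

-- These privileges are applied to the group named in group_name. Whether
-- they also reach the generated include/exclude groups is the open
-- question in the thread, so check the effective privileges on those
-- groups after a loader run before relying on them.
```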
- [grouper-users] addIncludeExclude groups, Bryan E. Wooten, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Chris Hyzer, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Bryan E. Wooten, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Chris Hyzer, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Bryan E. Wooten, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Chris Hyzer, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Bryan E. Wooten, 01/07/2014
- Re: [grouper-users] RE: addIncludeExclude groups, David Langenberg, 01/07/2014
- RE: [grouper-users] RE: addIncludeExclude groups, Bryan E. Wooten, 01/07/2014
- Re: [grouper-users] RE: addIncludeExclude groups, David Langenberg, 01/07/2014
- [grouper-users] RE: addIncludeExclude groups, Bryan E. Wooten, 01/07/2014
- [grouper-users] RE: addIncludeExclude groups, Chris Hyzer, 01/07/2014
- [grouper-users] RE: addIncludeExclude groups, Chris Hyzer, 01/09/2014
- [grouper-users] RE: addIncludeExclude groups, Chris Hyzer, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Bryan E. Wooten, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Chris Hyzer, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Bryan E. Wooten, 01/06/2014
- [grouper-users] RE: addIncludeExclude groups, Chris Hyzer, 01/06/2014