Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] PSP baseStem vs Loader Jobs

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] PSP baseStem vs Loader Jobs


Chronological Thread 
  • From: Chris Hyzer <>
  • To: "Bryan E. Wooten" <>, David Langenberg <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] PSP baseStem vs Loader Jobs
  • Date: Mon, 17 Mar 2014 14:28:02 +0000
  • Accept-language: en-US

Are you looking at display name or system name?

 

From: Bryan E. Wooten [mailto:]
Sent: Monday, March 17, 2014 10:09 AM
To: David Langenberg; Chris Hyzer
Cc:
Subject: RE: [grouper-users] PSP baseStem vs Loader Jobs

 

Thanks for this tip. But I have an observation. When I create my includeExclude group (for departments) I get the following groups:

 

00001_systemOfRecord

00001 system of record and includes

00001 includes

00001 excludes

00001 (the overall group).

 

Note the lack 0f underscores.

 

I like the idea of using the minus operation to exclude all but the overall group. But reading the wiki here (https://spaces.internet2.edu/display/Grouper/Grouper+and+Shibboleth+Integration) I get a little lost. I see how to use minus to exclude all groups in a stem or specific group.

But I don’t see how to exclude groups in a stem using a wild card group name. I think I want to exclude all groups that have the word “excludes”, “includes” or “systemOfRecord” in the group name.

So I think I a filter like this:

<resolver:DataConnector id="MinusFilter" xsi:type="grouper:GroupDataConnector">

  <grouper:GroupFilter xsi:type="grouper:Minus">

    <grouper:GroupFilter xsi:type="grouper:StemName" name="${edu.internet2.middleware.psp.baseStem}"scope="SUB" />

    <grouper:GroupFilter xsi:type="grouper:ExactAttribute" name="name" value="group_name" />

  </grouper:GroupFilter>

</resolver:DataConnector>

 

I get confused on the ExactAttribute line. What is the difference between name and value? I think value should be my wild card value? Can this be a RegEx?

 

Thanks,

 

Bryan

 

 

 

From: David Langenberg []
Sent: Friday, March 14, 2014 9:39 AM
To: Chris Hyzer
Cc: Bryan E. Wooten;
Subject: Re: [grouper-users] PSP baseStem vs Loader Jobs

 

Yeah, using MINUS filters would work too.


Dave

 

On Fri, Mar 14, 2014 at 9:19 AM, Chris Hyzer <> wrote:

I think with the filters you can push all the loader groups and minus (filter out) the ones with _systemOfRecord, _includes, _excludes, and _systemOfRecordAndIncludes, right?  Then you are left with the overall groups.  Maybe that is what Dave said…  J

 

Thanks

Chris

 

From: [mailto:] On Behalf Of David Langenberg
Sent: Friday, March 14, 2014 11:04 AM
To: Bryan E. Wooten
Cc:
Subject: Re: [grouper-users] PSP baseStem vs Loader Jobs

 

Hi Bryan,

 

One suggestion would be to put those groups you want pushed one layer down.

 

loader:courses:groupa

loader:courses:groupb

loader:courses:push:groupc

 

loader:staff:groupa

loader:staff:push:groupb

 

I'd suggest you look at the psp-resolver.xml and modify the grouper:Filters a little bit to look for the groups you care about.  An example:

 

<resolver:DataConnector

    id="GroupDataConnector"

    xsi:type="grouper:GroupDataConnector">

    <!-- The MINUS filter matches stems which match the first child filter and not the second. -->

    <grouper:Filter xsi:type="grouper:MINUS">

      <!-- The GroupInStem filter matches groups which are children of the given stem. -->

      <grouper:Filter

        xsi:type="grouper:GroupInStem"

        name="${edu.internet2.middleware.psp.baseStem}"

        scope="SUB" />

      <grouper:Filter

        xsi:type="grouper:GroupInStem"

        name="etc"

        scope="SUB" />

    </grouper:Filter>

    <!-- The "members" attribute values are equivalent to group.getMembers(). -->

    <grouper:Attribute id="members" />

    <!-- The "groups" attribute values are equivalent to group.getGroups(). -->

    <grouper:Attribute id="groups" />

  </resolver:DataConnector>

 

In the above, you're looking for all groups under baseStem minus those in etc (incase etc happens to be in the baseStem).  Let's assume you also want to include groups either under baseStem or a stem with the name "push".  What you'd want to do is OR the above filter with the "push" filter:

 

<resolver:DataConnector

    id="GroupDataConnector"

    xsi:type="grouper:GroupDataConnector">

 

<grouper:Filter xsi:type="grouper:OR">   

<grouper:Filter xsi:type="grouper:NameInStem" name="push" scope="SUB" />

 

 

 <!-- The MINUS filter matches stems which match the first child filter and not the second. -->

    <grouper:Filter xsi:type="grouper:MINUS">

      <!-- The GroupInStem filter matches groups which are children of the given stem. -->

      <grouper:Filter

        xsi:type="grouper:GroupInStem"

        name="${edu.internet2.middleware.psp.baseStem}"

        scope="SUB" />

      <grouper:Filter

        xsi:type="grouper:GroupInStem"

        name="etc"

        scope="SUB" />

    </grouper:Filter>

 

</grouper:Filter>

 

    <!-- The "members" attribute values are equivalent to group.getMembers(). -->

    <grouper:Attribute id="members" />

    <!-- The "groups" attribute values are equivalent to group.getGroups(). -->

    <grouper:Attribute id="groups" />

  </resolver:DataConnector>

 

That, combined with a few other relevant updates should cause all groups under baseStem to be pushed as well as groups with the word push in the stem.

 

Dave

 

 

On Thu, Mar 13, 2014 at 9:46 AM, Bryan E. Wooten <> wrote:

I have a Grouper loader job that is an addIncludeExclude type. It puts all the groups (systemORecord, includes, excludes and overall group) in the same stem.

 

That stem is NOT under the baseStem for the PSP. If I put the loader groups under the baseStem the PSP will provision ALL the groups to AD. But I just want the overall group provisioned to AD.

 

Is there any way to accomplish this?

 

All I can think to do is to create another loader job that creates a group for each overall group with the overall group as its member. And this group created under the base stem so the PSP will provision it. But I have no clue as to what the SQL would look like to accomplish this.

 

Thoughts?

 

-Bryan



 

--
David Langenberg

Identity & Access Management

The University of Chicago



 

--
David Langenberg

Identity & Access Management

The University of Chicago




Archive powered by MHonArc 2.6.16.

Top of Page