Grouper Users - Open Discussion List

[Chris Hyzer <>]

We say that the grouper_memberships_lw_v is usable from outside, and if you 
are looking up the uuid from the name of the grouper_groups table, that is a 
safe bet.  

I forget why the classlist example has all those other grouper tables, but 
you shouldn't really need them (need to spend some time to study that doc 
again).

I think in your case you shouldn't really need anything else, right?  :)

Attached is an email where I wrote that link, there are other discussions 
with Bryan Wooten on the topic.

Thanks,
Chris

-----Original Message-----
From: Scott Koranda 
[mailto:]
 
Sent: Friday, March 21, 2014 1:10 PM
To: Chris Hyzer
Cc: grouper-users
Subject: Re: [grouper-users] roll ups using the loader?

Hi,

On Fri, Mar 21, 2014 at 11:36 AM, Chris Hyzer 
<>
 wrote:
>
> Yes, that is what the classlist at penn and the joins to the grouper_groups 
> table does...

Thanks.

> obviously I need to revist that doc, its hard to understand.

Well, the data point you have is that I find it hard to understand. It
may not be a universal problem. :-)

>
>
>
> I wrote this up earlier this year with a long discussion on the list:

I am having trouble finding the relevant discussion in the archives.
If you have time to point me to one of the URLs for the thread I would
be grateful.

>
> https://spaces.internet2.edu/display/Grouper/Grouper+loader+example+include+exclude+and+privileges

I had not found that page, thanks, I will study it.

An issue for me is trying to decide what is possible and recommended
if you are Chris Hyzer or Shilen Patel versus what is possible and
recommended if you are anybody else. I need to weigh the risks of
complexity and maintenance costs against the extra functionality when
doing SQL queries directly across Grouper database tables.

Thanks,

Scott K

--- Begin Message ---

• From: Chris Hyzer <>
• To: "Bryan E. Wooten" <>, "" <>
• Subject: RE: addIncludeExclude groups
• Date: Thu, 9 Jan 2014 19:40:06 +0000

Ok, you don’t need any updates in grouper, you can make a couple queries to handle include/exclude in the loader, and you can also assign privileges dynamically.  I recommend only doing includes since normally you need to whitelist people, not exclude people.  Also, composites with the loader would be more tricky (would need code for that).  Here is a writeup, can you make that work if that is the direction you want to go?  J

 

https://spaces.internet2.edu/display/Grouper/Grouper+loader+example+include+exclude+and+privileges

 

There are three examples there, simple list of groups with privs.  Include/exclude.  And include only with privs (I think that is closer to what you want).

 

Thanks,

Chris

 

From: Bryan E. Wooten [mailto:]
Sent: Tuesday, January 07, 2014 12:27 PM
To: Chris Hyzer;
Subject: RE: addIncludeExclude groups

 

I guess I am really thick skulled, I still can’t figure out what the group query really does.

 

Anyway, what I really would to do is create automatically create a group for each include and exclude group whose members would have rights to add / remove members from the include or exclude groups. In my current use case this would allow dept managers to add people to their overall group.

 

In the future I want to create include/exclude groups for each course:section and then have a corresponding instructor group that would have rights to add/remove from the include and exclude groups. This would allow instructors to add un-enrolled guests to the overall class group. The goal is to empower end users to maintain their own groups without having to depend on the IT dept.

 

Finally I want to provision the overall group to LDAP. The overall group is only of use if it get provisioned to LDAP. Virtually every application wants to perform authorization base on group membership.

 

Of course my design might be fundamentally flawed so I open to other solutions / designs that meet my goal.

 

Thanks,

 

Bryan

 

From: Chris Hyzer []
Sent: Monday, January 06, 2014 1:58 PM
To: Bryan E. Wooten;
Subject: RE: addIncludeExclude groups

 

The group query is a query that returns each group managed by a list of groups, and metadata for them.

 

However, I don’t know how the privileges would work if include/exclude is used.  i.e. normally if you use privs, it will apply to each loader group.  But if you are applying privs to certain of the 5 include/exclude groups, then I don’t think it works like that right now.  Do you want me to take a look and see?

 

Would the managers also need READ access to the overall group, and possibly the system of record group?

 

Thanks,

Chris

 

 

 

From: Bryan E. Wooten []
Sent: Monday, January 06, 2014 1:42 PM
To: Chris Hyzer;
Subject: RE: addIncludeExclude groups

 

Yes those are the pages I’ve been trying to get my head around.

 

Ah Ha! Don’t use the addIncludeExclude check box when creating the loader job! Just put that string in the grouperLoaderGroupTypes attribute!

 

I am still having trouble fully understanding the grouperLoaderGroupQuery and how to use it.

 

What I have now is an IncludeExclude group for each Dept. What I would like to do is automatically create a group for each dept that contains just managers. (ie DeptMgr group).  I would like to assign these groups read/update privs to the respective dept’s include and exclude groups only. Or am I thinking about the use case incorrectly?

 

Thanks for all your patience,

 

Bryan

 

From: Chris Hyzer []
Sent: Monday, January 06, 2014 10:35 AM
To: Bryan E. Wooten;
Subject: RE: addIncludeExclude groups

 

The loader job itself shouldn’t be include/exclude, the generated/managed groups should be.

 

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader

 

Did you see this?

 

https://spaces.internet2.edu/display/Grouper/Grouper+Loader+classlist+example+from+Penn

 

I think the group name from the loader query should end in _systemOfRecord

 

Make the grouperLoaderGroupTypes by addIncludeExclude

 

You can have a query for the users as normal, then a group query.  This has a row for each group, and has the privs associated with it in columns.  In the admins col, put the name of the group which should be an admin.

 

If you cant get it working, give me the detailed design for exactly what you want, which group names, etc. and I can make you an example.

 

Thanks,

Chris

 

 

 

 

 

 

From: Bryan E. Wooten []
Sent: Monday, January 06, 2014 12:03 PM
To: Chris Hyzer;
Subject: RE: addIncludeExclude groups

 

Thanks Chris,

 

Well I think I get it, but now I have confused myself even more. So I created an addIncludeExclude group called foo,  it is a SQL_GROUP_LIST with a grouperLoaderQuery: select group_name, subject_id, 'ldap' from UUIDM.UU_IDM_DEPT (this is a view).

 

When I created the foo group  the UI also created “foo exludes”, “foo_includes”, “foo system of record” and “foo system of record and includes”.  All as expected.

 

However when I run the job I get a group called “deptX_systemOfRecord as expected. But I don’t see any include or exclude groups (or other groups) created.

 

Am I missing something?

 

Also I am unclear on the purpose of the  “grouperLoaderGroupQuery”. I couldn’t find anything in the wiki.

 

Thanks,

 

Bryan

From: Chris Hyzer []
Sent: Monday, January 06, 2014 8:52 AM
To: Bryan E. Wooten;
Subject: RE: addIncludeExclude groups

 

You are talking about a list of groups right?  Do they all have the same admin privs?

 

You need a col in the group query called “admins”, and list the group name there that should be an admin of each loader group.  Then in that group, mark it include/exclude in the UI, or if it is a loader group itself, then do the same thing you did on the other one.

 

Know what I mean?

 

Or if all your loaded groups are in a folder, you could apply a rule in that folder (and subfolders) to have a certain include/exclude group be admin of all groups.

 

Ok?

 

Thanks,

Chris

 

From: [] On Behalf Of Bryan E. Wooten
Sent: Monday, January 06, 2014 10:20 AM
To:
Subject: [grouper-users] addIncludeExclude groups

 

So I can successfully create a grouper loader group with andIncludesExcludes, but now I need to create a grouper loader group with admin privileges to the include and exclude groups. I can’t figure out how to do this.

 

Any hints?

 

Thanks,

 

Bryan

--- End Message ---