grouper-users - Re: [grouper-users] Custom Rule Validation
Subject: Grouper Users - Open Discussion List
- From: "Waldbieser, Carl"
- To: "Hyzer, Chris"
- Subject: Re: [grouper-users] Custom Rule Validation
- Date: Fri, 24 Mar 2017 15:07:59 -0400 (EDT)
Chris,
I think because we are still on Grouper v2.2, the issue was that GRP-1377
made rules behave in a somewhat unexpected way. The cron job cleanup
corrects that.
It might be nice if there was an option to prevent groups/permissions from
allowing individual subjects to be added as direct members (as opposed to
adding other groups). The Grouper deployment guide mentions that as a best
practice for policies on page 7, I think. If that could be enforced
technically, that could be useful ...
Thanks,
Carl
----- Original Message -----
From: "Hyzer, Chris"
To: "waldbiec"
Sent: Friday, March 24, 2017 2:45:23 PM
Subject: RE: [grouper-users] Custom Rule Validation
You could put these rules on your root stem to accomplish this:
https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+group+privileges+if+from+group
https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+folder+privileges+if+from+group
https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+attribute+definition+privileges+if+from+group
Or we could have something in grouper default to having this on and you could
disable it... thoughts?
Thanks
Chris
-----Original Message-----
From: Waldbieser, Carl
Sent: Friday, March 24, 2017 1:44 PM
Cc: Hyzer, Chris
Subject: Re: [grouper-users] Custom Rule Validation
At Lafayette College we take this approach to normalize the permissions for
our Grouper "apps" policies. When someone creates a policy group via the UI,
Grouper rules automatically add the correct administrator groups to the
permissions. However, the creator of the group is granted permissions by
default. A cron job sweeps through these folder trees each night and removes
permissions granted directly to subjects from our people LDAP source.
Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College
----- Original Message -----
From: "Hyzer, Chris"
Sent: Friday, March 24, 2017 1:27:24 PM
Subject: RE: [grouper-users] Custom Rule Validation
If you want a scheduled task, and you are in 2.3, you can configure something
in the grouper-loader.properties called "otherJob" which can have a cron
schedule and run like another grouper daemon or loader job or whatever.
However, in 2.2.2, that doesn't exist. Can I suggest just writing a Java
program and running it with unix cron command line? :) It would be run
something like this:
java -Xmx500m -classpath ${GROUPER_HOME}/classes:${GROUPER_HOME}/lib/*:/location/to/your.jar some.package.YourClass
Thanks
Chris
-----Original Message-----
Sent: Wednesday, March 08, 2017 2:30 PM
Subject: [grouper-users] Custom Rule Validation
We are currently looking at a rule validation tool for Grouper v2.2.2. This
should run once a day and it would make sure that every folder down a certain
path contains groups X,Y and Z or every group has "these" privileges. If it
doesn't contain one of these, then it will fix it. We were wondering what is
the best way to do this.
The Grouper Rule Consumer uses the changelog and since we want this to run
daily, we may not have an event occurring at the time of day we want this to
occur, the tool should also check for preexisting groups. Would just creating
some grouper rules be the best way to do this?
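
Added example, not part of the original thread and not Grouper code: a Python dry run of the nightly sweep discussed above, which lists direct privileges held by people subjects for removal and reports groups missing a required admin group. The source id ldap-people, the group etc:app_admins and the folder names are assumptions on constructed data; a real job would read groups and privileges through the Grouper API and then apply the plan.

```python
from collections import namedtuple

# One privilege row: holder, the holder's subject source, and whether the
# grant is direct or only effective (inherited through a group).
Grant = namedtuple("Grant", "group subject_id source_id privilege direct")

GROUP_SOURCE = "g:gsa"         # Grouper's source id for group subjects
PEOPLE_SOURCE = "ldap-people"  # assumed, site-specific people source id

def in_scope(group_name, root):
    """True only below root; the ':' keeps 'apps' from matching 'apps2:...'."""
    return group_name.startswith(root + ":")

def plan_sweep(groups, grants, root, required_admins):
    """Dry run: return (revocations, additions) that normalize groups under root."""
    revoke, add = [], []
    for group in sorted(g for g in groups if in_scope(g, root)):
        rows = [r for r in grants if r.group == group and r.direct]
        # Direct grants to people go; effective ones (via a group) are not in rows.
        revoke += [(group, r.subject_id, r.privilege)
                   for r in rows if r.source_id == PEOPLE_SOURCE]
        # Groups with no rows at all still need the required admin groups.
        held = {r.subject_id for r in rows
                if r.source_id == GROUP_SOURCE and r.privilege == "admin"}
        add += [(group, name, "admin")
                for name in sorted(set(required_admins) - held)]
    return revoke, add

# Constructed sample data, not from any real deployment.
GROUPS = ["apps:wiki:policy", "apps:vpn:policy", "apps:new:policy", "apps2:lab:policy"]
GRANTS = [
    Grant("apps:wiki:policy", "jdoe", PEOPLE_SOURCE, "admin", True),    # creator default
    Grant("apps:wiki:policy", "etc:app_admins", GROUP_SOURCE, "admin", True),
    Grant("apps:wiki:policy", "asmith", PEOPLE_SOURCE, "admin", False), # via the group
    Grant("apps:vpn:policy", "jdoe", PEOPLE_SOURCE, "update", True),
    Grant("apps2:lab:policy", "jdoe", PEOPLE_SOURCE, "admin", True),    # out of scope
]

if __name__ == "__main__":
    revoke, add = plan_sweep(GROUPS, GRANTS, "apps", ["etc:app_admins"])
    for entry in add:      # grant first so no group is left without an admin
        print("GRANT ", *entry)
    for entry in revoke:
        print("REVOKE", *entry)
```

Because the sweep only produces a plan, the output can be logged and reviewed before any privilege is changed.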