Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Custom Rule Validation

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Custom Rule Validation

Chronological Thread 
  • From: "Waldbieser, Carl" <>
  • To: "Hyzer, Chris" <>
  • Cc: ,
  • Subject: Re: [grouper-users] Custom Rule Validation
  • Date: Fri, 24 Mar 2017 15:07:59 -0400 (EDT)
  • Ironport-phdr: 9a23:xG/jcxQDCEaF6szbDIybenWdctpsv+yvbD5Q0YIujvd0So/mwa6ybBaN2/xhgRfzUJnB7Loc0qyN4v2mBjFLuM/Q+Fk5M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe71/IRG2oAnLtMQbgYRuJrssxhbNv3BFZ/lYyWR0KFyJgh3y/N2w/Jlt8yRRv/Iu6ctNWrjkcqo7ULJVEi0oP3g668P3uxbDSxCP5mYHXWUNjhVIGQnF4wrkUZr3ryD3q/By2CiePc3xULA0RTGv5LplRRP0lCsKMSMy/WfKgcJyka1bugqsqRJ/zYDKY4+aNvR+cL7SctwGSmRBX8FfVzBaD4OgbYYAE/YNMPxEo4T/oVYFsBuwBROrBOPq0jJEiH/50rc+0+s8Cg7G3RIvH8kQv3TOtNn+KbkfXvqvzKnMwznIcvRb2Dnn54jMbx8uuvCMUqxsfsfKzUkgDQ3FgU+QqIP7IzOVyvoCv3KF4OV9SOKikmgqoBx/rDiow8cjkIjJhoQNx1DF8yV53Jg6Jce+SEFlfd6oDoFcuD+HOItrRM4pXmJmuD4ix7Ebt5O2eDIGxIkoyhPdcfCLbpWE7gj+WOuRPDt0nG9pdby7ihqo7EStxe/xWtOp3FtKtCZJjMXAum0V2xDO5MWKTuFx8lqu1DuNzQzf9/xILVopmafVNZIsxKM7mIAJvkTZBCD2nV37jK+IeUUg/eil8+HnYqn8qZKTLYN0jhvxMqo0lc2/H+s4LhQOUHaB9euiybLj4FX1QLRMjvIojqnUqI3WKMofq6KjHgNY3YQu5wyiAzu7ytgUgHkKIE9ddBKClYfpOlXOIP7iDfe4hlShiDlqyOrCPrL8GZrNL2bMn6v6cLZ58UFcxhA8zNBB6JJIFrEOPuj/VVHsu9zFFhM5KRC7w/77CNVh0YMTQW2PArWeMKPPqV+H+PgvL/CRZI8Opjn9MeMl6uXqjX84gl8dYbKp0YUNZHC5GPRmP1uWYWDqgtgfDWcGoBAyQ/L3h12fAnZvYCP4f7Mu6yt/QKmmF4bYDMj5hbeBzTW2BLVXfWsAF0iBF3GueomZDaQiciWXd4VemzgIX7msUII7kVmFvRX+gfIzMePQ9icZuJnL0NF77vzeiQ0/szF4EpLOgCm2U2hokzZQFHcN16dlrBklxw==


I think because we are still on Grouper v2.2, the issue was that GRP-1377
made rules behave in a somewhat unexpected way. The cron job cleanup
corrects that.
It might be nice if there was an option to prevent groups/permissions from
allowing individual subjects to be added as direct members (as opposed to
adding other groups). The Grouper deployment guide mentions that as a best
practice for policies on page 7, I think. If that could be enforced
technically, that could be useful ...


----- Original Message -----
From: "Hyzer, Chris"
To: "waldbiec"


Sent: Friday, March 24, 2017 2:45:23 PM
Subject: RE: [grouper-users] Custom Rule Validation

You could put these rules on your root stem to accomplish this:

Or we could have something in grouper default to having this on and you could
disable it... thoughts?


-----Original Message-----
From: Waldbieser, Carl

Sent: Friday, March 24, 2017 1:44 PM

Hyzer, Chris
Subject: Re: [grouper-users] Custom Rule Validation

At Lafayette College we take this approach to normalize the permissions for
our Grouper "apps" policies. When someone creates a policy group via the UI,
Grouper rules automatically add the correct administrator groups to the
permissions, However, the creator of the group is granted permissions by
default. A cron job sweeps through these folder trees each night and removes
permissions granted directly to subjects from our people LDAP source.

Carl Waldbieser
ITS Identity Management
Lafayette College

----- Original Message -----
From: "Hyzer, Chris"

Sent: Friday, March 24, 2017 1:27:24 PM
Subject: RE: [grouper-users] Custom Rule Validation

If you want a scheduled task, and you are in 2.3, you can configure something
in the called "otherJob" which can have a cron
schedule and run like another grouper daemon or loader job or whatever.

However, in 2.2.2, that doesnt exist. Can I suggest just writing a java
program and running it with unix cron command line? :) It would be run
something like this:

java -Xmx500m -classpath


-----Original Message-----

On Behalf Of

Sent: Wednesday, March 08, 2017 2:30 PM

Subject: [grouper-users] Custom Rule Validation

We are currently looking at a rule validation tool for Grouper v2.2.2. This
should run once a day and it would make sure that every folder down a certain
path contains groups X,Y and Z or every group has "these" privileges. If it
doesn't contain one of these, then it will fix it. We were wondering what is
the best way to do this.

The Grouper Rule Consumer uses the changelog and since we want this to run
daily, we may not have an event occurring at the time of day we want this to
occur, the tool should also check for preexisting groups. Would just creating
some grouper rules be the best way to do this?

Archive powered by MHonArc 2.6.19.

Top of Page