
grouper-users - Re: [grouper-users] Custom Rule Validation

Subject: Grouper Users - Open Discussion List

  • From: "Waldbieser, Carl" <>
  • To: "Hyzer, Chris" <>
  • Cc: ,
  • Subject: Re: [grouper-users] Custom Rule Validation
  • Date: Fri, 24 Mar 2017 16:31:53 -0400 (EDT)


Or not allow non-groups to be members in general. That seems like a
worthwhile rule for a particular category of groups.

Thanks,
Carl

----- Original Message -----
From: "Hyzer, Chris"
<>
To: "waldbiec"
<>
Cc:
,


Sent: Friday, March 24, 2017 4:15:22 PM
Subject: RE: [grouper-users] Custom Rule Validation

Ok, I will add GRP-1377 to the list of things to do :)

You are saying you want an option to not allow non-groups to have privileges?
:)

Thanks
Chris

-----Original Message-----
From: Waldbieser, Carl
[mailto:]

Sent: Friday, March 24, 2017 3:08 PM
To: Hyzer, Chris
<>
Cc:
;


Subject: Re: [grouper-users] Custom Rule Validation

Chris,

I think because we are still on Grouper v2.2, the issue was that GRP-1377
made rules behave in a somewhat unexpected way. The cron job cleanup
corrects that.
It might be nice if there was an option to prevent groups/permissions from
allowing individual subjects to be added as direct members (as opposed to
adding other groups). The Grouper deployment guide mentions that as a best
practice for policies on page 7, I think. If that could be enforced
technically, that could be useful ...

Thanks,
Carl

----- Original Message -----
From: "Hyzer, Chris"
<>
To: "waldbiec"
<>,


Cc:

Sent: Friday, March 24, 2017 2:45:23 PM
Subject: RE: [grouper-users] Custom Rule Validation

You could put these rules on your root stem to accomplish this:

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+group+privileges+if+from+group
https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+folder+privileges+if+from+group
https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+attribute+definition+privileges+if+from+group

Or we could have something in grouper default to having this on and you could
disable it... thoughts?

Thanks
Chris

-----Original Message-----
From: Waldbieser, Carl
[mailto:]

Sent: Friday, March 24, 2017 1:44 PM
To:

Cc:
;
Hyzer, Chris
<>
Subject: Re: [grouper-users] Custom Rule Validation


At Lafayette College we take this approach to normalize the permissions for
our Grouper "apps" policies. When someone creates a policy group via the UI,
Grouper rules automatically add the correct administrator groups to the
permissions. However, the creator of the group is granted permissions by
default. A cron job sweeps through these folder trees each night and removes
permissions granted directly to subjects from our people LDAP source.

Thanks,
Carl Waldbieser
ITS Identity Management
Lafayette College

----- Original Message -----
From: "Hyzer, Chris"
<>
To:
,


Sent: Friday, March 24, 2017 1:27:24 PM
Subject: RE: [grouper-users] Custom Rule Validation

If you want a scheduled task, and you are in 2.3, you can configure something
in the grouper-loader.properties called "otherJob" which can have a cron
schedule and run like another grouper daemon or loader job or whatever.

However, in 2.2.2, that doesn't exist. Can I suggest just writing a Java
program and running it with unix cron command line? :) It would be run
something like this:

java -Xmx500m -classpath \
  "${GROUPER_HOME}/classes:${GROUPER_HOME}/lib/*:/location/to/your.jar" \
  some.package.YourClass

Thanks
Chris

-----Original Message-----
From:


[mailto:]
On Behalf Of

Sent: Wednesday, March 08, 2017 2:30 PM
To:

Subject: [grouper-users] Custom Rule Validation

We are currently looking at a rule validation tool for Grouper v2.2.2. This
should run once a day and it would make sure that every folder down a certain
path contains groups X,Y and Z or every group has "these" privileges. If it
doesn't contain one of these, then it will fix it. We were wondering what is
the best way to do this.

The Grouper Rule Consumer uses the changelog and since we want this to run
daily, we may not have an event occurring at the time of day we want this to
occur. The tool should also check for preexisting groups. Would just creating
some grouper rules be the best way to do this?
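
An added example (not from the thread and not Grouper code) that models the nightly sweep discussed above over an exported list of privilege assignments: it plans which required group grants are missing and which direct grants to people-source subjects should be revoked. The tuple layout, the `ldap` source id, the folder and group names, and the function names are assumptions; it does not call the Grouper API.

```python
from collections import defaultdict

# All values below are constructed for illustration, not taken from the thread.
GROUP_SOURCE = "g:gsa"    # source id used here for group subjects
PEOPLE_SOURCE = "ldap"    # assumed id of the people LDAP source
REQUIRED = {"admin": {"apps:etc:app_admins"}}  # hypothetical required grants

ASSIGNMENTS = [  # (object name, privilege, subject id, subject source)
    ("apps:wiki:policy_a", "admin", "apps:etc:app_admins", "g:gsa"),
    ("apps:wiki:policy_a", "admin", "jdoe", "ldap"),
    ("apps:wiki:policy_b", "admin", "asmith", "ldap"),
    ("apps:wiki:policy_b", "read", "apps:etc:app_readers", "g:gsa"),
    ("other:team:group_c", "admin", "jdoe", "ldap"),  # outside the swept tree
]

def plan_sweep(assignments, root, required=REQUIRED):
    """Return (grants, revokes) for every object under the `root` folder."""
    prefix = root.rstrip(":") + ":"
    by_object = defaultdict(list)
    for obj, priv, subject, source in assignments:
        if obj.startswith(prefix):
            by_object[obj].append((priv, subject, source))
    grants, revokes = [], []
    for obj in sorted(by_object):
        held = defaultdict(set)  # privilege -> groups that already hold it
        for priv, subject, source in by_object[obj]:
            if source == GROUP_SOURCE:
                held[priv].add(subject)
            elif source == PEOPLE_SOURCE:
                revokes.append((obj, priv, subject))  # direct grant to a person
        for priv, groups in sorted(required.items()):
            for group in sorted(groups - held[priv]):
                grants.append((obj, priv, group))     # required group is missing
    return grants, revokes

def apply_plan(assignments, grants, revokes):
    """Return the assignment list after the plan is applied.

    Against a live registry the grants should be issued before the revokes,
    so an object is never left without a group holding the privilege.
    """
    revoke_set = set(revokes)
    result = set(assignments) | {(o, p, g, GROUP_SOURCE) for o, p, g in grants}
    result -= {a for a in result
               if a[3] == PEOPLE_SOURCE and a[:3] in revoke_set}
    return sorted(result)
```

Running `plan_sweep` again on the output of `apply_plan` returns two empty lists, which is the property a daily job needs: a second pass over an already normalized tree changes nothing.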


