Skip to Content.
Sympa Menu

grouper-users - [grouper-users] Grouper and "Service accounts"

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] Grouper and "Service accounts"

Chronological Thread 
  • From: "Black, Carey M." <>
  • To: "" <>
  • Subject: [grouper-users] Grouper and "Service accounts"
  • Date: Fri, 26 May 2017 17:06:02 +0000
  • Accept-language: en-US
  • Authentication-results: spf=pass (sender IP is;; dkim=none (message not signed) header.d=none;; dmarc=pass action=none;
  • Ironport-phdr: 9a23:f9yVYBSqP7UjmI7KRFv8iS1sQdpsv+yvbD5Q0YIujvd0So/mwa6zYx2N2/xhgRfzUJnB7Loc0qyN4v+mAjJLuM7d+Fk5M7V0HycfjssXmwFySOWkMmbcaMDQUiohAc5ZX0Vk9XzoeWJcGcL5ekGA6ibqtW1aFRrwLxd6KfroEYDOkcu3y/qy+5rOaAlUmTaxe71/IRG0oAnLuMQbgIRuJrstxhbGv3BFZ/lYyWR0KFyJgh3y/N2w/Jlt8yRRv/Iu6ctNWrjkcqo7ULJVEi0oP3g668P3uxbDSxCP5mYHXWUNjhVIGQnF4wrkUZr3ryD3q/By2CiePc3xULA0RTGv5LplRRP0lCsKMSMy/WfKgcJyka1bugqsqRxhzYDJfIGbOvlwfqLBctwVXmdORNpdWihbD4+gc4cDEewMNvtYoYnnoFsOqAOzCQexCePr0DBHmnz20bUn2Ok/Cw7GxhIvHtITu3rTttn5OroZXOeuw6nM1zrMc/BW1S3g5ITWfB0suvaMXaltccbL10YgCh7Fg0yWpIf4MT2V0eENvHKa7+pmTe+vimgnqx1vrTi1wMcjlJXJipwPxl/a6Cp53YA4LsC7Rk5jedOoDoFfuz2HO4ZzX88uXnxktSM0yrAJpZK3YC0HyJo5yBPQd/CKdo2F7xD9WOafOTt0mWxpdbGlixqv/kWty/fwWtS73VpQsyZJj8XAumgD1xPN6cWLVv5w80Kh1DmTyw/T5ORJLV47mKfaNpEsx7E9m5oRvEnNGyL5hF75g7SMeUgi5+Om8f7oYq/8qZ+ZL4J0ih/xMqApmsGnGeo1Lg8AU3SG9eilybPt5VD1TKxNjvItjKbVqpfaJdkHpqGiBA9Vz4Aj5AulAze+ytQYmmUHI0xZdxKbjojpPFfOLOr/Dfein1SslDBrx/fFPrH7HprNKX3DnK/gfbZ79UFc1BI+wc5F6J5IF70MJe//VlLsuNHdAB80PBC4z/riBdVzyIwTVn6DD6qcPa7Qr1OI6PojI+yWa48UvDb9JeIl5/nrjXIhglAdebOm0ocUaHyiA/hqPUuUbGHrgtcaDGcGpBQxQ/H3iFGaSz5ce26yX74g5jE8EI+mAp3DRoewgLyZwii7BIRaZn1dCl+SC3fobJ6JW/MNaCKJPs9hiSIIWaKgS48nyRGhqhX6y7x5IerI5CEUr4zs28Vo576bqRZnvzNuCNmF3nvIUnp5hHggRjkq0bp5rFAnjFqPzOIw1/NCEsFL6ukMTxw3L4X0zupmBsr0Vx6bONqFVQD1bM+hBGR7ZNY4yNxKK210AdizxjWFlWL+CbscnL/NXcZv2qXHwj78K9srmCWO77Uok1RzGpgHDmahnKMqrwU=
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99



I have been trying to wrap my head around how Grouper deals with “local subjects”. Specifically for the use case of “Service Accounts”. Specifically for WebService clients to get data from Grouper.

                Note: I am not talking about how the authentication is done in this inquiry. Just how the “username”(AKA: Subject ID ?) is managed for this class of accounts.

                Note: I think I am getting wrapped around “old docs” and “old term in different contexts”…..



I think I have stumbled into a confusion on my part and I am hopful that someone can answer a few questions for me.


                REF:   ( GSH page)



I think there are two ways to make a “Local Subject” in grouper.

1)      Lite UI “Create or edit groups / roles / local entities”

a.       Which looks like the result from the gsh EntitySave()….. functions…

2)      gsh via the “addSubject” (function?)



However, these two paths appear to result in rather different things. (Thus my confusion.)


Option 1 appears to produce an object that is visible in Grouper( via the Grouper “new” UI ). However, it uses icons/language that implies that the thing that is created is a “Group” or some other type of object than a “person”.  ( The GSH output indicates this: type='application' )

                Example: I created a  Entity…


Entity testEntity = new EntitySave(rsess).assignCreateParentStemsIfNotExist(true).assignName("…:TEST-AGAIN").save();


subject: id='734731…..ee9b' type='application' source='grouperEntities' name='…:TEST-AGAIN'



Option 2 appears to produce an object that is NOT visible in Grouper( via the Grouper “new” UI ). However, it (the New UI) uses icons/language that implies that it is a “person”. (more like a “real subject from a Subject API”.)

                Example: I “addSubject”’ed a user called “WS-TESTING” and I get this back from GSH


                                id='…:WS-TESTING’ type='person' source='jdbc' name='WS-TESTING”






Personally I like the idea of the service accounts being a “first class citizen” (in the Grouper UI, AKA Option 1) but I am concerned that there is some subtle thing that I am not anticipating that will make me want to have gone the other way later. Due to the type value, or some other hang up down the road.



Can any one explain why one path would be better than the other?

Can any one explain why these two paths appear to be so different?

Can anyone explain how to remove an entry that was added with “addSubject”? (Since they are not “first class objects” in the Grouper UI I have not found the “delete/remove” gsh function/code yet. It is likely “obvious” but I am not seeing it.)



Carey Matthew


Archive powered by MHonArc 2.6.19.

Top of Page