Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Grouper REST API for Privilege Inheritance

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Grouper REST API for Privilege Inheritance


Chronological Thread 
  • From: "Black, Carey M." <>
  • To: "Vachon, Thomas" <>
  • Cc: "Hyzer, Chris" <>, "" <>
  • Subject: RE: [grouper-users] Grouper REST API for Privilege Inheritance
  • Date: Tue, 7 Aug 2018 20:15:39 +0000
  • Accept-language: en-US
  • Authentication-results: spf=pass (sender IP is 128.146.138.9) smtp.mailfrom=osu.edu; harvard.edu; dkim=pass (signature was verified) header.d=osu.edu;harvard.edu; dmarc=pass action=none header.from=osu.edu;
  • Authentication-results-original: spf=none (sender IP is ) ;
  • Ironport-phdr: 9a23:d8Gm8BQm/et1ZdaSW7HzgAsUfdpsv+yvbD5Q0YIujvd0So/mwa67ZBCGt8tkgFKBZ4jH8fUM07OQ7/i+HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba9zIRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KpwVhTmlDkIOCI48GHPi8x/kqRboA66pxdix4LYeZyZOOZicq/Ye94RWGhPUdtLVyFZAo2ycZYBD/YPM+hboYnypVoOogexCgS3HuPj1iNEi2Xq0aEmzegsFxzN0gw6H9IJtXTZtNv5OboWUe+v0KbIzi3PZO5I1Djn8ojHbBAgquyLU75qf8ba1E4iGBjBjlqKtYPlPCmZ2vkTv2WV9OdgUvmvi3M9pw5vvzev294hh4/UjYwbzVDE8D92wIczJdCgSU57Z8KkH4VKtyGcKYR2Xt0uT3t2tykn170Lv4OwcisSyJk/2RLQceCLf5WN7x7+SeqdPDJ1hHxqdb6jmxq/9EagxfPzW8Wp1VtHqyhInsTQuXwVyRDe69aLRud480u93DuDyhrc5vxYLU0xl6fWKYAtz7E1m5YOvknOECH2lUD5gaKSbUop+e2l5uDpYrr9vJCRMo95hR3kPakhgsC/D/o3PwsSU2We/Omx0LLu8E/kTLhPivA6j7fWvZPfKMkZuKK1Hw1Y34M95xu+EziqztIVlmQdIl1fYhKIlY3pNknOIP/mCfe/hEyhni93yv7BIrHtH4zBI2XbnrrvZLp97FVTxxQpwdBY+pJUFqoOIPXuWk/3qdPUFAc5Mxazw+b7Ftpyyp8eWWOIAq+fKq/StkKI5v4rI+mLY48VuyzxJOQi5/7rlXM5mFkdcre13ZYPdny3BOhqL1icbHbxn9sNDGIHvgQxQeD2lFGPVDBTaGi9Uq4h4zw2DYCrAZrfSYy1hbyOxia7HplYZmBcDVCMFG/leJ6AW/gWdC2SIdVtniEaWbWvUIIh0gqutBLgx7V5M+XU5zUUtYj/29ht++3TiRYy+CR7D8SH1GGNUnl0kX0SRzMvwaB/ulJyyk2Y0aVjh/xYFMdT5+9SUgskL5Lczup6C8zsVQLbeNeGVkqmTsu8DT4vU90x3oxGX0EoUeurhRDE2W7iP78SkrWQTtRg7qLb2nHqENh0wHbB0oEhhkM4S9FDc2Cqm/gs2RLUAtuDuUGQnKXuPY8VxiPcvELFhyLatkVRWw02CP+edXcEew3bocmvtRCKdKOnFblyalgJ8sWFMKYfL4Sx1Q8cFv7+JNTTZX6wkG6sBBGOg6mBd5fuZ35EjHuPE1AKxhga5m3OdRMzACusuSr/NHRvDhq2OROqqLUg7irgHglljmToJ1Zky6Lz/xcUgfKGTPZG2akZ/iottmY8HF+nwdvMB5yNqxcyNKlfYNZo+F5cziqZrA1yOJW8MrpvzkEXaExpslnv2RR6BsQl84AqoXomwRA0Jfefy04Hej+FjpD5IKPeMGW08RyyOOba31jE24OO87wUoP0zt1TkulSvEUwvu3Vq2tVYyT2S/JLPWQ0JTNT8Xltk+g==
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:99

Tom,

 

I note that I do not see the version that you are using.... So I will assume you are fully patched! ( Ha... You should have said otherwise. :) )

 

 

There are WS calls to " Assign Attributes" https://spaces.at.internet2.edu/display/Grouper/Assign+Attributes or https://spaces.at.internet2.edu/display/Grouper/Assign+Attributes+Batch

 

You could add the " inherit to descendant " rules on folders that way. ( It is harder than you want it to be but it could be done.)

 

To explain more of what I mean... use the New UI patch 44 and you can see the details of the attributes that are the "inherit" rules.

 

To the Demo Server.... https://grouperdemo.internet2.edu/grouper_v2_3/

 

I created a folder and added "Admin privileges" for Groups, Folders, and Attributes for (one folder deep) for a "random user" on the system. J

 

 

Then look at the attributes assigned to the folder.

 

 

Below are the attributes that ONLY do the “Group” inheritance portion. There are three separate sets of these for the other “Folder” and “Attribute” inheritance rules.

 

 

So for each type of inheritance the there is an attribute assignment of “rule” ( part of the rulesTypeDef ).

Then there are a set of attribute assignments to the assignment of the “rule” to the folder ( ruleActAsSubjectId, ruleActAsSubjectSourceId, …. ) with values a needed.

 

I would not relish doing it with the current WS. However, the “Assign+Attributes+Batch” might make it a single call. Not a simple one… but one.

 

Maybe that will help…?

 

--

Carey Matthew

 

 

-----Original Message-----
From: <> On Behalf Of Hyzer, Chris
Sent: Tuesday, August 7, 2018 3:30 PM
To: Vachon, Thomas <>;
Subject: RE: [grouper-users] Grouper REST API for Privilege Inheritance

 

Add a jira please and we will address this...  probably by augmenting the privilege assignment WS and not by worrying about the underlying attribute assignments.

 

Or let me know and I can add a jira for you.

 

Thanks

Chris

 

-----Original Message-----

From: Vachon, Thomas []

Sent: Tuesday, August 07, 2018 3:07 PM

To: Hyzer, Chris <>;

Subject: Re: [grouper-users] Grouper REST API for Privilege Inheritance

 

Yea, we mean via grouper-ws.

 

We can do it in the GUI, any groups or stems made after the inherit privilege is granted automatically gets the parents permissions.

________________________________________

From: Hyzer, Chris <>

Sent: Tuesday, August 7, 2018 15:00

To: Vachon, Thomas;

Subject: RE: [grouper-users] Grouper REST API for Privilege Inheritance

 

When you say "API" you mean WS right?  If you give someone CREATE or ADMIN that doesn't inherit to descendant objects...

 

-----Original Message-----

From: Vachon, Thomas []

Sent: Tuesday, August 07, 2018 2:58 PM

To: Hyzer, Chris <>;

Subject: Re: [grouper-users] Grouper REST API for Privilege Inheritance

 

Thanks Chris,

 

I don't quite grok the inherit problem still.  We want to set this up fully via the API. ll we do is give a known group CREATE on the stems and ADMIN on the groups on the top of the "local" stem

________________________________________

From: Hyzer, Chris <>

Sent: Tuesday, August 7, 2018 14:55

To: Vachon, Thomas;

Subject: RE: [grouper-users] Grouper REST API for Privilege Inheritance

 

You can do composite groups with GroupSave.

 

https://spaces.at.internet2.edu/display/Grouper/Group+Save

 

For the inherited privs, in the UI it calls a method to inherit.  But it will also inherit from a daemon which runs nightly.  If you want it to run when you save a rule over WS, please open a jira and be explicit about the calls that you use to configure the privileges...

 

Thanks

Chris

 

-----Original Message-----

From: [] On Behalf Of

Sent: Tuesday, August 07, 2018 2:47 PM

To:

Subject: [grouper-users] Grouper REST API for Privilege Inheritance

 

Hi everyone,

 

We are trying to move automation more into the REST/grouper-ws land from the

GCLI where possible.  We have hit a wall on setting up inherited Grouper

permissions on a stem.

 

As you all know, but I'm going to say anyways, if you don't set the permission

inheritance up first, any groups and stems created don't get retroactively

applied permissions.  Since we do highly decentralized management, this poses

a large problem for us.

 

We have group, stem, and single-execution permissions setup via the API but I

am unable to decipher what needs to happen to get inherited permissions

applied via the API.  I will be committing this back to the community, so any

help is appreciated.

 

Also, for extra credit, if you can help me get composite groups working, that

would save us a bit more time as well.

 

Thank You,

Tom Vachon




Archive powered by MHonArc 2.6.19.

Top of Page