grouper-users - RE: [grouper-users] Grouper REST API for Privilege Inheritance
Subject: Grouper Users - Open Discussion List
List archive
- From: "Black, Carey M." <>
- To: "Vachon, Thomas" <>
- Cc: "Hyzer, Chris" <>, "" <>
- Subject: RE: [grouper-users] Grouper REST API for Privilege Inheritance
- Date: Tue, 7 Aug 2018 20:15:39 +0000
- Accept-language: en-US
- Authentication-results: spf=pass (sender IP is 128.146.138.9) smtp.mailfrom=osu.edu; harvard.edu; dkim=pass (signature was verified) header.d=osu.edu;harvard.edu; dmarc=pass action=none header.from=osu.edu;
- Authentication-results-original: spf=none (sender IP is ) ;
- Ironport-phdr: 9a23:d8Gm8BQm/et1ZdaSW7HzgAsUfdpsv+yvbD5Q0YIujvd0So/mwa67ZBCGt8tkgFKBZ4jH8fUM07OQ7/i+HzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba9zIRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KpwVhTmlDkIOCI48GHPi8x/kqRboA66pxdix4LYeZyZOOZicq/Ye94RWGhPUdtLVyFZAo2ycZYBD/YPM+hboYnypVoOogexCgS3HuPj1iNEi2Xq0aEmzegsFxzN0gw6H9IJtXTZtNv5OboWUe+v0KbIzi3PZO5I1Djn8ojHbBAgquyLU75qf8ba1E4iGBjBjlqKtYPlPCmZ2vkTv2WV9OdgUvmvi3M9pw5vvzev294hh4/UjYwbzVDE8D92wIczJdCgSU57Z8KkH4VKtyGcKYR2Xt0uT3t2tykn170Lv4OwcisSyJk/2RLQceCLf5WN7x7+SeqdPDJ1hHxqdb6jmxq/9EagxfPzW8Wp1VtHqyhInsTQuXwVyRDe69aLRud480u93DuDyhrc5vxYLU0xl6fWKYAtz7E1m5YOvknOECH2lUD5gaKSbUop+e2l5uDpYrr9vJCRMo95hR3kPakhgsC/D/o3PwsSU2We/Omx0LLu8E/kTLhPivA6j7fWvZPfKMkZuKK1Hw1Y34M95xu+EziqztIVlmQdIl1fYhKIlY3pNknOIP/mCfe/hEyhni93yv7BIrHtH4zBI2XbnrrvZLp97FVTxxQpwdBY+pJUFqoOIPXuWk/3qdPUFAc5Mxazw+b7Ftpyyp8eWWOIAq+fKq/StkKI5v4rI+mLY48VuyzxJOQi5/7rlXM5mFkdcre13ZYPdny3BOhqL1icbHbxn9sNDGIHvgQxQeD2lFGPVDBTaGi9Uq4h4zw2DYCrAZrfSYy1hbyOxia7HplYZmBcDVCMFG/leJ6AW/gWdC2SIdVtniEaWbWvUIIh0gqutBLgx7V5M+XU5zUUtYj/29ht++3TiRYy+CR7D8SH1GGNUnl0kX0SRzMvwaB/ulJyyk2Y0aVjh/xYFMdT5+9SUgskL5Lczup6C8zsVQLbeNeGVkqmTsu8DT4vU90x3oxGX0EoUeurhRDE2W7iP78SkrWQTtRg7qLb2nHqENh0wHbB0oEhhkM4S9FDc2Cqm/gs2RLUAtuDuUGQnKXuPY8VxiPcvELFhyLatkVRWw02CP+edXcEew3bocmvtRCKdKOnFblyalgJ8sWFMKYfL4Sx1Q8cFv7+JNTTZX6wkG6sBBGOg6mBd5fuZ35EjHuPE1AKxhga5m3OdRMzACusuSr/NHRvDhq2OROqqLUg7irgHglljmToJ1Zky6Lz/xcUgfKGTPZG2akZ/iottmY8HF+nwdvMB5yNqxcyNKlfYNZo+F5cziqZrA1yOJW8MrpvzkEXaExpslnv2RR6BsQl84AqoXomwRA0Jfefy04Hej+FjpD5IKPeMGW08RyyOOba31jE24OO87wUoP0zt1TkulSvEUwvu3Vq2tVYyT2S/JLPWQ0JTNT8Xltk+g==
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
|
Tom, I note that I do not see the version that you are using.... So I will assume you are fully patched! ( Ha... You should have said otherwise. :) ) There are WS calls to " Assign Attributes"
https://spaces.at.internet2.edu/display/Grouper/Assign+Attributes or
https://spaces.at.internet2.edu/display/Grouper/Assign+Attributes+Batch You could add the " inherit to descendant " rules on folders that way. ( It is harder than you want it to be but it could be done.) To explain more of what I mean... use the New UI patch 44 and you can see the details of the attributes that are the "inherit" rules. To the Demo Server.... https://grouperdemo.internet2.edu/grouper_v2_3/ I created a folder and added "Admin privileges" for Groups, Folders, and Attributes for (one folder deep) for a "random user" on the system.
J
Then look at the attributes assigned to the folder.
Below are the attributes that ONLY do the “Group” inheritance portion. There are three separate sets of these for the other “Folder” and “Attribute” inheritance rules.
So for each type of inheritance the there is an attribute assignment of “rule” ( part of the rulesTypeDef ). Then there are a set of attribute assignments to the assignment of the “rule” to the folder ( ruleActAsSubjectId, ruleActAsSubjectSourceId, …. ) with values a needed. I would not relish doing it with the current WS. However, the “Assign+Attributes+Batch” might make it a single call. Not a simple one… but one. Maybe that will help…? -- Carey Matthew -----Original Message----- Add a jira please and we will address this... probably by augmenting the privilege assignment WS and not by worrying about the underlying attribute assignments. Or let me know and I can add a jira for you. Thanks Chris -----Original Message----- From: Vachon, Thomas []
Sent: Tuesday, August 07, 2018 3:07 PM To: Hyzer, Chris <>;
Subject: Re: [grouper-users] Grouper REST API for Privilege Inheritance Yea, we mean via grouper-ws. We can do it in the GUI, any groups or stems made after the inherit privilege is granted automatically gets the parents permissions. ________________________________________ From: Hyzer, Chris <> Sent: Tuesday, August 7, 2018 15:00 To: Vachon, Thomas; Subject: RE: [grouper-users] Grouper REST API for Privilege Inheritance When you say "API" you mean WS right? If you give someone CREATE or ADMIN that doesn't inherit to descendant objects... -----Original Message----- From: Vachon, Thomas [] Sent: Tuesday, August 07, 2018 2:58 PM To: Hyzer, Chris <>;
Subject: Re: [grouper-users] Grouper REST API for Privilege Inheritance Thanks Chris, I don't quite grok the inherit problem still. We want to set this up fully via the API. ll we do is give a known group CREATE on the stems and ADMIN on the groups on the top of the "local" stem ________________________________________ From: Hyzer, Chris <> Sent: Tuesday, August 7, 2018 14:55 To: Vachon, Thomas; Subject: RE: [grouper-users] Grouper REST API for Privilege Inheritance You can do composite groups with GroupSave. https://spaces.at.internet2.edu/display/Grouper/Group+Save For the inherited privs, in the UI it calls a method to inherit. But it will also inherit from a daemon which runs nightly. If you want it to run when you save a rule over WS, please open a jira and be explicit about the calls that
you use to configure the privileges... Thanks Chris -----Original Message----- From: []
On Behalf Of Sent: Tuesday, August 07, 2018 2:47 PM To: Subject: [grouper-users] Grouper REST API for Privilege Inheritance Hi everyone, We are trying to move automation more into the REST/grouper-ws land from the GCLI where possible. We have hit a wall on setting up inherited Grouper permissions on a stem. As you all know, but I'm going to say anyways, if you don't set the permission inheritance up first, any groups and stems created don't get retroactively applied permissions. Since we do highly decentralized management, this poses a large problem for us. We have group, stem, and single-execution permissions setup via the API but I am unable to decipher what needs to happen to get inherited permissions applied via the API. I will be committing this back to the community, so any help is appreciated. Also, for extra credit, if you can help me get composite groups working, that would save us a bit more time as well. Thank You, Tom Vachon |
- [grouper-users] Grouper REST API for Privilege Inheritance, thomas_vachon, 08/07/2018
- RE: [grouper-users] Grouper REST API for Privilege Inheritance, Hyzer, Chris, 08/07/2018
- Re: [grouper-users] Grouper REST API for Privilege Inheritance, Vachon, Thomas, 08/07/2018
- RE: [grouper-users] Grouper REST API for Privilege Inheritance, Hyzer, Chris, 08/07/2018
- Re: [grouper-users] Grouper REST API for Privilege Inheritance, Vachon, Thomas, 08/07/2018
- RE: [grouper-users] Grouper REST API for Privilege Inheritance, Hyzer, Chris, 08/07/2018
- Re: [grouper-users] Grouper REST API for Privilege Inheritance, Vachon, Thomas, 08/07/2018
- RE: [grouper-users] Grouper REST API for Privilege Inheritance, Black, Carey M., 08/07/2018
- Re: [grouper-users] Grouper REST API for Privilege Inheritance, Vachon, Thomas, 08/07/2018
- RE: [grouper-users] Grouper REST API for Privilege Inheritance, Hyzer, Chris, 08/07/2018
- Re: [grouper-users] Grouper REST API for Privilege Inheritance, Vachon, Thomas, 08/07/2018
- RE: [grouper-users] Grouper REST API for Privilege Inheritance, Hyzer, Chris, 08/07/2018
- Re: [grouper-users] Grouper REST API for Privilege Inheritance, Vachon, Thomas, 08/07/2018
- RE: [grouper-users] Grouper REST API for Privilege Inheritance, Hyzer, Chris, 08/07/2018
Archive powered by MHonArc 2.6.19.