Grouper Users - Open Discussion List

["Coleman, Erik C" <>]

I’m curious if anyone has been challenged and found a solution to automatically “nest” groups into larger groups, based on some pre-defined matching criteria.  The use-case here is that we have some applications that want to use a large quantity of Grouper groups for some pretty specific access controls, organized in multiple folders, and then have larger groups that are an accumulation of all these smaller groups, for example, the members are all the groups in the “app:web:index” folder.  By hand, this is simple, merely add the smaller groups as members of the larger group, but it involves remembering and making sure we add any newly-created smaller groups to that group.  I tried brainstorming and came up with a few approaches:

 

1. Use a Loader job.  It seems to me we could query Grouper itself for a match of groups, then just insert them as members, though I’m curious what such a query and loader config would look like.
2. Set up a rule.  I don’t know much about Grouper rules, but I’ve set them up to establish inheritance of access controls.  Would seem to me, that maybe we could have a rule that if a group is created in a folder, add it as member to another group?
3. Script it externally using GSH or Web Service.  This would give greatest control to the application to just double-insert memberships, but the learning curve for the API is a bit steep. 
4. Use custom attributes.  Would probably still require one of the above methods, but you could assign an attribute, then something queries for that attribute and inserts all groups that have that attribute set.

 

If anyone has accomplished this, would you be willing to share your queries or methods?

 

Thanks!

 

Erik Coleman

University of Illinois at Urbana-Champaign