
grouper-users - RE: [grouper-users] Advice on automating nested groups

Subject: Grouper Users - Open Discussion List

  • From: Rory Larson <>
  • To: "" <>
  • Subject: RE: [grouper-users] Advice on automating nested groups
  • Date: Tue, 2 Apr 2019 19:49:59 +0000



We've started creating provisioning views based on the Grouper database to give us the set of subjects we want, combined with a more general campus database to give us attributes that are not stored in the Grouper database.  We do have the advantage that both databases are Oracle, but it still requires a database link.  Our Oracle database admin favored creating the link from the campus database to the Grouper database.  We were warned that it would be slow, and it is, but not too bad for our purposes.


It looks like it is supposed to be possible to connect to non-Oracle databases from Oracle using Oracle Heterogeneous Services, though I don't have any experience with that.  But if it works the same as the Oracle-to-Oracle database link that we use, then it should be simple to join tables from the two databases into a single view, and then query that via SQL for a provisioning view, a loader, or whatever.  Would that be a possible option for you?





From: <> On Behalf Of Gettes, Michael
Sent: Monday, April 1, 2019 8:02 AM
To: Chris Hyzer <>
Subject: Re: [grouper-users] Advice on automating nested groups


And that seems to fully address my question.  Thank you so much!



On Apr 1, 2019, at 8:56 AM, Hyzer, Chris <> wrote:


My org structure runs in a few loader jobs… but sounds like you need both connections in one job?


Copying data is your best bet.  The loader doesn’t use hibernate (mapping), it uses SQL directly, so if you aren’t doing a dblink (easy if same db vendor), then you need to copy the data.  So you can’t use the info in your link…






From:  <> On Behalf Of Gettes, Michael
Sent: Sunday, March 31, 2019 9:26 AM
Subject: Re: [grouper-users] Advice on automating nested groups


I wish… 


I have a need to query an OracleDB as subject source and the grouper DB (not OracleDB - currently, mySQL) and to query both of them in a single loader job.  I need to build groups based on info in Oracle and Grouper.  There are hints of this being possible:



The structure I need to build has, as a component, rollups of our entire University Dept structure but it is a “security” structure which has “holes” in it so info in the OracleDB provides instruction on how to put one group within another (it’s not based on naming).


Yes, I know I can copy data from Oracle over to the Grouper DB… and I may end up doing that… but, I was wondering if something similar to the above link is possible?  I am hoping to be able to write SQL queries and the right magic happens behind the scenes.



On Mar 30, 2019, at 11:29 PM, Black, Carey M. <> wrote:




Thank you for asking the question. :) I may have use for the “simple case” that the loader job could do as well. :)  (I am currently doing this kind of function with some custom/specialized code.  Maybe I can remove some of that code. :) Or at least not duplicate the design again. :) )




Just some food for thought.


However, I personally would lean toward option #4. ( AKA: a Change Log Consumer (CLC) )


Simple case:

                Invent an attribute name (“autoNestGroups”) to mark a folder as a “source folder”. The value would be the full path to the “target group” to auto add new group into.

                When a group is added,

                                the CLC would see the group add event ( about every minute),

                                check for the attribute,

                                                if found, get the value for the “target group” and make the new group a member of it.


If you want to get more complicated/flexible:

                Invent an attribute *Definition* named (“autoNestGroups”)  and make it multi assignable, and single valued.

                                Also add an attribute Name (“makeMemberOf”). Where you put the full path to the group(s) to make new groups a member of.

                                Also add an attribute Name (“Exclude”). If present, remove the group if it is already a member of the “makeMemberOf”.


When a group is added, the CLC would see the group add event, check for the attribute(s), if found and not marked as “Exclude” then get the value(s) for the “makeMemberOf” and make the new group a member of all the values.


Also watch for attribute value add/remove ( for when “Exclude” attribute is added/removed ) and add/remove the group marked as needed.


You could even get really “crazy” and deal with the idea that some of the child groups (of a tagged folder(s) ) need to go to some makeMemberOf(s) and other child groups go to other makeMemberOf(s) with regex to makeMemberOf maps too. ( add a third Attribute Name “IfRegExMatches” , apply to the full group path being added/updated.)


Then tightly control the privileges on the attributeDef to limit who can affect the nesting “config” in grouper. And it becomes “meta data driven” via the Grouper UI. ( Once the CLC is written and running.)




With attributes you can get to “inheritance” and “include/exclude” patterns across multiple source and target locations.

It is more design and work, and brings more flexibility too. ( IMHO )



However, I guess you could also get “fancy enough” with your SQL contortions to also let you watch attributes too. ( That is just more twisty SQL than I would want to write. :) .. Only groups with this attribute and not that attribute where the name matches this regex… Ugh…)





Pick the option that meets your needs and requires the least amount of work. :)



Carey Matthew 
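
The attribute-driven nesting described in the message above, modeled as an added example that is not part of the original thread and does not use the Grouper API. The `NestRule` class, the function names, the sample group paths other than `app:web:index`, and the choice to apply a folder's rules to every group beneath it are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NestRule:
    """One autoNestGroups assignment on a source folder (hypothetical model)."""
    folder: str                             # folder carrying the assignment
    make_member_of: str                     # "makeMemberOf": full path of target group
    if_regex_matches: Optional[str] = None  # "IfRegExMatches", tested on full group path


# Constructed sample configuration.
RULES = [
    NestRule("app:web:index", "app:web:all_index"),
    NestRule("app:web:index", "app:web:index_admins", r".*:admin_[^:]+"),
]


def desired_targets(group, rules, excluded):
    """Target groups that `group` should be a member of under the current config."""
    if group in excluded:                   # "Exclude" present: belongs in no target
        return set()
    targets = set()
    for rule in rules:
        # Compare against "folder:" so app:web:indexer does not match app:web:index.
        if not group.startswith(rule.folder + ":"):
            continue
        # fullmatch anchors the pattern to the whole path, not a substring of it.
        if rule.if_regex_matches and not re.fullmatch(rule.if_regex_matches, group):
            continue
        if rule.make_member_of != group:    # never nest a target into itself
            targets.add(rule.make_member_of)
    return targets


def reconcile(group, current, rules, excluded):
    """Return (to_add, to_remove) for one change-log event concerning `group`.

    Only targets named by some rule are ever removed, so memberships that
    were assigned by hand elsewhere are left alone.
    """
    managed = {rule.make_member_of for rule in rules}
    want = desired_targets(group, rules, excluded)
    return want - current, (current & managed) - want
```

Running `reconcile` on both group-add events and "Exclude" attribute add/remove events covers the two triggers the message lists.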


From:  <> On Behalf Of Coleman, Erik C
Sent: Friday, March 29, 2019 4:20 PM
Subject: RE: [grouper-users] Advice on automating nested groups


Ah thanks!  There’s even an example on the wiki! I was searching around and didn’t come up with anything. I think the potential delay is not a major issue as long as the interval is known.







From: Hyzer, Chris <> 
Sent: Friday, March 29, 2019 2:58 PM
To: Coleman, Erik C <>; 
Subject: RE: Advice on automating nested groups


I do that with the loader.  Might mean some delay on how soon the groups get added to the larger group, I run mine every 30 minutes…  I could picture a rule doing that, but I’ve never done it.   If you want to go down that path I could investigate.  But with a rule someone could unassign the group.  Maybe we need a rule and a loader?  Or a way to hook up real time loader to the loader job?


Here’s an example:






From:  <> On Behalf Of Coleman, Erik C
Sent: Friday, March 29, 2019 3:53 PM
Subject: [grouper-users] Advice on automating nested groups


I’m curious if anyone has been challenged and found a solution to automatically “nest” groups into larger groups, based on some pre-defined matching criteria.  The use-case here is that we have some applications that want to use a large quantity of Grouper groups for some pretty specific access controls, organized in multiple folders, and then have larger groups that are an accumulation of all these smaller groups, for example, the members are all the groups in the “app:web:index” folder.  By hand, this is simple, merely add the smaller groups as members of the larger group, but it involves remembering and making sure we add any newly-created smaller groups to that group.  I tried brainstorming and came up with a few approaches:


(1)    Use a Loader job.  It seems to me we could query Grouper itself for a match of groups, then just insert them as members, though I’m curious what such a query and loader config would look like.

(2)    Set up a rule.  I don’t know much about Grouper rules, but I’ve set them up to establish inheritance of access controls.  Would seem to me, that maybe we could have a rule that if a group is created in a folder, add it as member to another group?

(3)    Script it externally using GSH or Web Service.  This would give greatest control to the application to just double-insert memberships, but the learning curve for the API is a bit steep. 

(4)    Use custom attributes.  Would probably still require one of the above methods, but you could assign an attribute, then something queries for that attribute and inserts all groups that have that attribute set.


If anyone has accomplished this, would you be willing to share your queries or methods?




Erik Coleman

University of Illinois at Urbana-Champaign

