This is included in Grouper v4.4.0+ and v5.1.1+.
You can enable a rule that vetoes attempts by users who are not system administrators to add EveryEntity to a group membership or privilege.
grouper.properties
# if you do not want non sysadmins to be able to add EveryEntity to a group or privilege
# {valueType: "boolean", requiresRestart: "true"}
grouper.enable.rule.cannotAddEveryEntity = false
Error message:
# veto message when cannot add every entity
hook.veto.cannotAddEveryEntity = Error: you cannot add EveryEntity to a group or privilege. Only a system administrator can do this.