
Role and Permission Management as of v2.0

Grouper has the capability to manage external applications' roles and permissions, and can function as a central permission management system. 

Note that "privilege" is interchangeable with "permission", but Grouper already has documentation about internal Grouper privileges on groups, folders, etc., so the word "permission" is used here.

  • Roles can be stored in Grouper.  Roles can be assigned to subjects or groups.
  • External application permission objects can be stored in Grouper.
  • Permissions can be assigned to roles or to subjects, since they are modeled as types of attributes on roles or on role memberships.
  • Roles can be configured to imply other roles.  For example, a Senior Loan Administrator is a Loan Administrator plus a few more security grants.  Roles can be connected like a directed graph of role inheritance.
  • Permissions can be grouped into permissionSets.  E.g. if an organization hierarchy is represented as permissions, then the higher level organizations can imply the lower level ones.  Note this does not have to be a hierarchy.
  • Permission assignments have an optional "action" qualifier.  This is a free form string which is configured per permission definition.  E.g. a user can READ certain orgs, and WRITE certain other orgs.
  • Permission actions can imply other actions.  E.g. having ADMIN on a permission resource implies being able to READ or WRITE it.  Note there are no built-in actions (though a default "assign" exists if none is specified), so the actions and action inheritance need to be defined.
  • Permission assignments can be ALLOWED or DISALLOWED.  With all the inheritance (permission resource, role, action, memberships), if a permission is allowed to a wide population, then it can be narrowed with a disallow.  For example, someone could be assigned to READ all orgs in the University in the payroll system, except for the user's own org.
  • Permission limits can be assigned to direct permission assignments.  The limit can have a value of type string, numeric, date, etc.  The limit has logic associated with it that uses the optional value and the context from the caller to decide whether the permission is allowed or not.  There are built-in limits for value (e.g. allowed to approve if value less than 50000), time of day (only allowed during business hours), IP address, etc.
  • All permissions operations are exposed through the Grouper Lite UI.
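The resolution rules the bullets above describe (role implication, permissionSets, action implication, an allow narrowed by a disallow, and a value limit) modeled in Python, as an added example that is not Grouper code. The precedence rule (most specific assignment wins, ties go to DISALLOW) is a simplification assumed here, and every role, resource, action and subject name is constructed for illustration.

```python
from collections import deque

# Constructed sample data (assumptions for this example, not Grouper objects).
# Each graph maps a node to the nodes it implies (a directed graph, per the page).
ROLE_IMPLIES = {"seniorLoanAdmin": {"loanAdmin"}, "loanAdmin": set()}
RESOURCE_IMPLIES = {"org:university": {"org:college"}, "org:college": {"org:dept"}}
ACTION_IMPLIES = {"ADMIN": {"READ", "WRITE"}}
MEMBERSHIPS = {"alice": {"seniorLoanAdmin"}, "bob": {"loanAdmin"}}

# (role, resource, action, allowed, limit); limit is a predicate on caller context or None.
ASSIGNMENTS = [
    ("loanAdmin", "org:university", "READ", True, None),   # READ all orgs ...
    ("loanAdmin", "org:dept", "READ", False, None),        # ... except this one (DISALLOW)
    ("seniorLoanAdmin", "org:college", "ADMIN", True, None),
    ("loanAdmin", "org:university", "APPROVE", True,
     lambda ctx: ctx.get("amount", 0) < 50000),            # value limit on a direct assignment
]

def depths(graph, start):
    """Breadth-first distance from start to every node it implies (start itself is 0)."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def is_allowed(subject, resource, action, ctx=None):
    """Resolve one check through role, permissionSet and action inheritance.
    Assumed precedence (a simplification, not Grouper's exact rule): the most
    specific matching assignment (lowest total depth) wins; ties go to DISALLOW."""
    ctx = ctx or {}
    best = None  # (total depth, allowed)
    for role in MEMBERSHIPS.get(subject, ()):
        role_d = depths(ROLE_IMPLIES, role)
        for a_role, a_res, a_act, allowed, limit in ASSIGNMENTS:
            if a_role not in role_d:
                continue
            res_d, act_d = depths(RESOURCE_IMPLIES, a_res), depths(ACTION_IMPLIES, a_act)
            if resource not in res_d or action not in act_d:
                continue
            if allowed and limit is not None and not limit(ctx):
                continue  # a failed limit switches this allow off
            total = role_d[a_role] + res_d[resource] + act_d[action]
            if best is None or total < best[0] or (total == best[0] and not allowed):
                best = (total, allowed)
    return best is not None and best[1]
```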

See also the Overview of Access Management Features page for guidelines on when to use rules, roles, permission limits, and enabled / disabled dates.

GSH commands

Create a role

gsh 30% userSharerRole = rolesStem.addChildRole("userSharer", "userSharer");

Add a member to a role (in this case a group)

gsh 38% userSharerRole.addMember(studentsGroup.toSubject());

Create a permission definition

gsh 51% resourcesDef = resourcesStem.addChildAttributeDef("secureShareWebResources", AttributeDefType.perm);

Add one permissions resource name to another (permissionSet)

gsh 63% receiveSetResource.getAttributeDefNameSetDelegate().addToAttributeDefNameSet(splashResource);

Assign a permission to a role

gsh 70% userSharerRole.getPermissionRoleDelegate().assignRolePermission(sendSetResource);

Assign a permission to a member in a role

gsh 73% adminRole.getPermissionRoleDelegate().assignSubjectRolePermission(adminEmailButtonResource, schleindMember);

Get the permission assignments (not necessarily active or allowed), assigned to a role, immediate, based on role name, print these out

gsh 123% for (PermissionEntry permissionEntry : new PermissionFinder().assignPermissionType(PermissionType.role).assignImmediateOnly(true).addRole("a:b").findPermissions()) {
           System.out.println(permissionEntry.getAttributeDefNameName());
         }

Get the permission assignments (not necessarily active or allowed), assigned to a role, immediate, based on permission name, print these out

for (PermissionEntry permissionEntry : new PermissionFinder().assignPermissionType(PermissionType.role).assignImmediateOnly(true).addPermissionName("a:b").findPermissions()) {
  System.out.println(permissionEntry.getRoleName());
}


SQL interface

The view for permissions is grouper_perms_all_v.  Note that the results need further processing if allow/disallow is used; you should also take into account whether the records are active or not.

get all attributes assigned to a role, assuming direct assignment (unassignable)

SELECT GPAV.ATTRIBUTE_DEF_NAME_NAME
  FROM grouper_perms_all_v gpav
 WHERE     GPAV.ROLE_NAME = 'a:b'
       AND gpav.permission_type = 'role'
       AND GPAV.ROLE_SET_DEPTH = 0
       AND GPAV.ATTR_ASSIGN_ACTION_SET_DEPTH = 0
       AND GPAV.ATTR_DEF_NAME_SET_DEPTH = 0
       AND GPAV.MEMBERSHIP_DEPTH = 0

get all roles that are assigned a given attribute, assuming direct assignment (unassignable)

SELECT GPAV.role_name
  FROM grouper_perms_all_v gpav
 WHERE     GPAV.ATTRIBUTE_DEF_NAME_NAME = 'a:b'
       AND gpav.permission_type = 'role'
       AND GPAV.ROLE_SET_DEPTH = 0
       AND GPAV.ATTR_ASSIGN_ACTION_SET_DEPTH = 0
       AND GPAV.ATTR_DEF_NAME_SET_DEPTH = 0
       AND GPAV.MEMBERSHIP_DEPTH = 0

See also

Access Management Features Overview

Training Slides, pages 31-38