Example rule: if a group is created under folder a:b, then grant the READ and UPDATE privileges on that new group to the group a:security:admins.
You should use the inherited privileges screen to control this. The rule is assigned on the folder where the groups are created (or on an ancestor folder).
Configure rule for v5+
Configure rule for v4 and previous
Penn example
Penn has Atlassian groups in Grouper. Any group created in Grouper in the jira/confluence folder will be available in jira/confluence. However, the proper privileges need to be assigned to the groups: the Atlassian admins need admin, updaters need update, and readers need read. These assignments are made by 3 people, and the process is error prone (the wrong privilege gets assigned), sometimes forgotten, and time consuming.
We assigned rules on the atlassian folder (in test and prod) to make these assignments automatically. Here is the GSH script to install these 6 rules (admin/update/read for test/prod):
grouperSession = GrouperSession.startRootSession();

// prod: penn:isc:ait:apps:atlassian
atlassian = StemFinder.findByName(grouperSession, "penn:isc:ait:apps:atlassian");
atlassianReaders = GroupFinder.findByName(grouperSession, "penn:isc:ait:apps:atlassian:admin:readers");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianReaders.toSubject(), Privilege.getInstances("read"));
atlassianAdmins = GroupFinder.findByName(grouperSession, "penn:isc:ait:apps:atlassian:admin:admins");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianAdmins.toSubject(), Privilege.getInstances("admin"));
atlassianUpdaters = GroupFinder.findByName(grouperSession, "penn:isc:ait:apps:atlassian:admin:updaters");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianUpdaters.toSubject(), Privilege.getInstances("update"));
// apply the new rules to the groups that already exist under the folder
RuleApi.runRulesForOwner(atlassian);

// test: test:isc:ait:apps:atlassian
atlassian = StemFinder.findByName(grouperSession, "test:isc:ait:apps:atlassian");
atlassianReaders = GroupFinder.findByName(grouperSession, "test:isc:ait:apps:atlassian:admin:readers");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianReaders.toSubject(), Privilege.getInstances("read"));
atlassianAdmins = GroupFinder.findByName(grouperSession, "test:isc:ait:apps:atlassian:admin:admins");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianAdmins.toSubject(), Privilege.getInstances("admin"));
atlassianUpdaters = GroupFinder.findByName(grouperSession, "test:isc:ait:apps:atlassian:admin:updaters");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), atlassian, Stem.Scope.SUB, atlassianUpdaters.toSubject(), Privilege.getInstances("update"));
RuleApi.runRulesForOwner(atlassian);
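Once the rules are installed, the check a practitioner wants is whether every group under the folder actually carries the three privileges. The GSH (Groovy) audit script below is an added example, not Penn's or the Grouper project's own code; it assumes the prod folder and admin group names from the script above and uses Grouper's Group.hasAdmin/hasUpdate/hasRead checks.

```groovy
// Added audit script: report groups under the atlassian folder that do not
// grant the expected privilege to each admin group (drift the rules should fix).
grouperSession = GrouperSession.startRootSession();

folderName = "penn:isc:ait:apps:atlassian";   // folder name from the Penn example
// admin group name -> privilege it must hold on every group under the folder
expected = [
  "penn:isc:ait:apps:atlassian:admin:admins"   : "admin",
  "penn:isc:ait:apps:atlassian:admin:updaters" : "update",
  "penn:isc:ait:apps:atlassian:admin:readers"  : "read"
];

atlassian = StemFinder.findByName(grouperSession, folderName);

// resolve each admin group to a subject once, outside the loop
expectedSubjects = [:];
for (entry in expected) {
  expectedSubjects[entry.key] = GroupFinder.findByName(grouperSession, entry.key).toSubject();
}

missing = [];
// Stem.Scope.SUB walks the folder and all subfolders, matching the rules' scope
for (group in atlassian.getChildGroups(Stem.Scope.SUB)) {
  for (entry in expected) {
    subject = expectedSubjects[entry.key];
    boolean ok;
    switch (entry.value) {
      case "admin":  ok = group.hasAdmin(subject);  break;
      case "update": ok = group.hasUpdate(subject); break;
      default:       ok = group.hasRead(subject);
    }
    if (!ok) {
      missing.add(group.getName() + " is missing " + entry.value + " for " + entry.key);
    }
  }
}

if (missing.isEmpty()) {
  println("OK: all groups under " + folderName + " hold the expected privileges");
} else {
  missing.each { println("DRIFT: " + it) };
  // RuleApi.runRulesForOwner(atlassian), as in the install script, re-applies
  // the rules to existing groups; run it after reviewing the drift list.
}
```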
Another Penn example
If you want every group and folder under a folder to grant admin to a particular group, and to run the rule once up front against what already exists, do this:
grouperSession = GrouperSession.startRootSession();
stemToAssign = StemFinder.findByName(grouperSession, "penn:someFolder");
admins = GroupFinder.findByName(grouperSession, "penn:someFolder:security:someFolderAdmins");
// groups created under the folder: admin privilege
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), stemToAssign, Stem.Scope.SUB, admins.toSubject(), Privilege.getInstances("admin"));
// folders created under the folder: stem and create privileges
RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), stemToAssign, Stem.Scope.SUB, admins.toSubject(), Privilege.getInstances("stem, create"));
// apply the rules to the existing groups and folders now
RuleApi.runRulesForOwner(stemToAssign);
Java example
// imports needed by this fragment (at the top of the enclosing class)
import org.apache.commons.lang.StringUtils;
import edu.internet2.middleware.grouper.Stem;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssign;
import edu.internet2.middleware.grouper.attr.value.AttributeValueDelegate;
import edu.internet2.middleware.grouper.rules.RuleCheckType;
import edu.internet2.middleware.grouper.rules.RuleThenEnum;
import edu.internet2.middleware.grouper.rules.RuleUtils;

// add a rule on stem2 saying if you create a group underneath, then assign a reader and updater group
// (stem2 is an existing Stem; the caller must already hold a GrouperSession)
AttributeAssign attributeAssign = stem2.getAttributeDelegate()
    .addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();

// act as GrouperSystem (source g:isa) when the rule fires
attributeValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
attributeValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

// fire when a group is created
attributeValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.groupCreate.name());

// can be SUB or ONE: ONE for groups directly in this folder, SUB for this folder and all subfolders
attributeValueDelegate.assignValue(RuleUtils.ruleCheckStemScopeName(), Stem.Scope.SUB.name());

attributeValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.assignGroupPrivilegeToGroupId.name());

// this is the subject string for the subject to assign to
// e.g. sourceId :::::: subjectIdentifier
// or sourceId :::: subjectId
// or :::: subjectId
// or sourceId ::::::: subjectIdOrIdentifier
// etc
attributeValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(), "g:gsa :::::: stem1:admins");

// privileges to assign: read, admin, update, view, optin, optout
attributeValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(), "read, update");

// should be valid
String isValidString = attributeValueDelegate.retrieveValueString(RuleUtils.ruleValidName());
if (!StringUtils.equals("T", isValidString)) {
  throw new RuntimeException(isValidString);
}
GSH shorthand method
grouperSession = GrouperSession.startRootSession();
stem = StemFinder.findByName(grouperSession, "some:stem:name");
group = GroupFinder.findByName(grouperSession, "some:group:name");
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), stem, Stem.Scope.SUB, group.toSubject(), Privilege.getInstances("read, update"));
GSH test case
gsh 0% grouperSession = GrouperSession.startRootSession();
edu.internet2.middleware.grouper.GrouperSession: 847e80d5c2d94803b02da4ed3c131475,'GrouperSystem','application'
gsh 1% stem2 = new edu.internet2.middleware.grouper.StemSave(grouperSession).assignName("stem2").assignCreateParentStemsIfNotExist(true).save();
stem: name='stem2' displayName='stem2' uuid='7a6ce531c0654141abdebba87d4f7461'
gsh 2% groupA = new GroupSave(grouperSession).assignName("stem1:admins").assignCreateParentStemsIfNotExist(true).save();
group: name='stem1:admins' displayName='stem1:admins' uuid='2d1aee72df264626831cd4bf166f7342'
gsh 4% addMember("stem1:admins", "test.subject.0");
true
gsh 5% subjectActAs = SubjectFinder.findByIdAndSource("GrouperSystem", "g:isa", true);
subject: id='GrouperSystem' type='application' source='g:isa' name='GrouperSysAdmin'
gsh 6% RuleApi.inheritGroupPrivileges(subjectActAs, stem2, Stem.Scope.SUB, groupA.toSubject(), Privilege.getInstances("read, update"));
gsh 7% groupB = new GroupSave(grouperSession).assignName("stem2:b").assignCreateParentStemsIfNotExist(true).save();
group: name='stem2:b' displayName='stem2:b' uuid='ab4d6d959e51439d8b5a583659c18760'
gsh 10% hasPriv("stem2:b", "test.subject.0", Privilege.getInstance("update"))
true
gsh 11% hasPriv("stem2:b", "test.subject.0", Privilege.getInstance("read"))
true
gsh 12% groupD = new GroupSave(grouperSession).assignName("stem3:d").assignCreateParentStemsIfNotExist(true).save();
group: name='stem3:d' displayName='stem3:d' uuid='d309509da52e4ed2bbca8383246fe3c4'
gsh 13% hasPriv("stem3:d", "test.subject.0", Privilege.getInstance("update"))
false
gsh 14% hasPriv("stem3:d", "test.subject.0", Privilege.getInstance("read"))
true
gsh 15% groupC = new GroupSave(grouperSession).assignName("stem2:sub:c").assignCreateParentStemsIfNotExist(true).save();
group: name='stem2:sub:c' displayName='stem2:sub:c' uuid='d52f784d88284b4b90e0931ad8581ebc'
gsh 16% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update"))
true
gsh 17% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("read"))
true
GSH daemon test case
Run the GSH commands above, then continue below:
gsh 18% revokePriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update"))
false
gsh 19% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES);
loader ran successfully: Ran rules daemon, changed 0 records
gsh 20% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update"))
true
Apply rule to certain groups
If you want the rule to apply only to groups with certain names, an admin can add this condition to the rule's attribute assignment (continuing the Java example above):
// only fire for groups whose name matches the SQL LIKE pattern (% is the wildcard)
attributeValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.nameMatchesSqlLikeString.name());
attributeValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumArg0Name(), "a:b:%someGroup");