...
You should use the inherited privileges screen to control this. The rule is assigned on the folder where the groups are created (or on an ancestor folder).
...
Configure rule for v5+
Configure rule for v4 and previous
Penn example
Penn has Atlassian groups in Grouper. Any group created in Grouper in the jira/confluence folder will be available in jira/confluence. However, the proper privileges need to be assigned to the groups: the Atlassian admins need admin, updaters need update, and readers need read. These assignments are done by 3 people, and the process is error-prone (the wrong privilege gets assigned), sometimes forgotten, and time-consuming.
...
```
gsh 18% revokePriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update"))
false
gsh 19% status = GrouperLoader.runOnceByJobName(grouperSession, GrouperLoaderType.GROUPER_RULES);
loader ran successfully: Ran rules daemon, changed 0 records
gsh 20% hasPriv("stem2:sub:c", "test.subject.0", Privilege.getInstance("update"))
true
```
Apply rule to certain groups
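If you want the rule to apply only to groups with certain names, an admin can add this condition:

```java
// attributeValueDelegate is assumed to be the AttributeValueDelegate of the
// rule's attribute assignment, obtained when the rule was defined.

// Condition type: the group name must match a SQL LIKE pattern.
attributeValueDelegate.assignValue(
    RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.nameMatchesSqlLikeString.name());

// Condition argument: the LIKE pattern itself ('%' matches any run of characters).
attributeValueDelegate.assignValue(
    RuleUtils.ruleIfConditionEnumArg0Name(), "a:b:%someGroup");
```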
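Because the pattern decides which groups receive privileges automatically, it is worth previewing its scope against existing group names before assigning the rule. The following is an added example, not Grouper code: it assumes standard SQL LIKE semantics (`%` for any run of characters, `_` for exactly one, no escape character, case-sensitive matching), and the function names and sample group names are constructed for illustration.

```python
import re

def like_to_regex(pattern):
    """Translate a SQL LIKE pattern (assumed: no ESCAPE clause) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "%":
            parts.append(".*")        # any run of characters, including ':'
        elif ch == "_":
            parts.append(".")         # exactly one character, not a literal '_'
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def preview_rule_scope(pattern, group_names):
    """Return the group names the name condition would select."""
    rx = like_to_regex(pattern)
    return [name for name in group_names if rx.fullmatch(name)]

def unexpected_matches(pattern, group_names, intended_folder):
    """Matched groups that are NOT direct children of intended_folder.

    Assumption for this example: the admin only meant groups directly
    inside intended_folder to be covered by the rule.
    """
    prefix = intended_folder + ":"
    return [name for name in preview_rule_scope(pattern, group_names)
            if not (name.startswith(prefix) and ":" not in name[len(prefix):])]

# Constructed sample of group names (not taken from a real registry).
SAMPLE_GROUPS = [
    "a:b:someGroup",          # '%' may match the empty string
    "a:b:team1_someGroup",
    "a:b:c:d:someGroup",      # '%' spans ':' so deeper folders match too
    "a:b:someGroup2",         # trailing text is not covered by the pattern
    "a:bx:someGroup",
    "A:B:someGroup",          # differs only in case
]

if __name__ == "__main__":
    pattern = "a:b:%someGroup"
    print("in scope:  ", preview_rule_scope(pattern, SAMPLE_GROUPS))
    print("unexpected:", unexpected_matches(pattern, SAMPLE_GROUPS, "a:b"))
    # '_' is a wildcard: a pattern written with a literal underscore in mind
    # also selects names that have any other character in that position.
    print(preview_rule_scope("a:b:app_admins",
                             ["a:b:app_admins", "a:b:appXadmins", "a:b:appadmins"]))
```

Case sensitivity of LIKE depends on the database, so confirm the behaviour on the one backing your Grouper registry.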