...
- Get all enabled memberships in the folder whose subject is not in the allowed group; check for exceptions (e.g. a group subject that should be allowed to stay); remove the ones that are not allowed
- Get all enabled privileges in the folder whose subject is not in the allowed group; check for exceptions in the same way; remove the ones that are not allowed
- Get all enabled permissions in the folder whose subject is not in the allowed group; check for exceptions in the same way; remove the ones that are not allowed
- Make sure there is a clear log of what was removed, what was kept as an exception, and why
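The procedure the list above describes, modelled as an added illustration in Python. This is not Grouper code: the Assignment and Rule records, the exception list and the sample data are assumptions made for this example. It also applies the subject-source restriction and the SUB/ONE stem scope that the rule configured further down this page uses, so you can see which assignments a cleanup pass would touch and which it would leave alone.

```python
"""Model of the reconciliation a "subject must be in group" rule implies.

Added illustration, not Grouper code: the Assignment/Rule records, the
exception list and the sample data are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SubjectKey = Tuple[str, str]            # (source_id, subject_id)
ExceptionKey = Tuple[str, str, str]     # (owner, source_id, subject_id)


@dataclass(frozen=True)
class Assignment:
    """One membership, privilege or permission assignment in the folder."""
    kind: str          # "membership", "privilege" or "permission"
    owner: str         # group or attribute definition name, e.g. "stem:a:group1"
    source_id: str     # subject source, e.g. "jdbc" for people, "g:gsa" for groups
    subject_id: str
    enabled: bool = True


@dataclass(frozen=True)
class Rule:
    stem: str                                  # folder the rule is attached to
    stem_scope: str                            # "SUB": folder and all subfolders; "ONE": direct children only
    allowed_members: FrozenSet[SubjectKey]     # subjects with an enabled membership in the allowed group
    source_id: Optional[str] = None            # like ruleCheckArg0: only check subjects from this source
    exceptions: FrozenSet[ExceptionKey] = frozenset()  # assignments that may stay regardless


def folder_of(owner: str) -> str:
    """Parent folder of a Grouper name ("stem:a:group1" -> "stem:a")."""
    return owner.rsplit(":", 1)[0]


def in_scope(rule: Rule, owner: str) -> bool:
    folder = folder_of(owner)
    if rule.stem_scope == "ONE":
        return folder == rule.stem
    return folder == rule.stem or folder.startswith(rule.stem + ":")


def violates(rule: Rule, a: Assignment) -> bool:
    """True if the assignment is in scope and its subject is not allowed."""
    if not a.enabled or not in_scope(rule, a.owner):
        return False
    if rule.source_id is not None and a.source_id != rule.source_id:
        return False                      # other sources are not checked by this rule
    if (a.source_id, a.subject_id) in rule.allowed_members:
        return False
    if (a.owner, a.source_id, a.subject_id) in rule.exceptions:
        return False
    return True


def reconcile(rule: Rule, assignments: List[Assignment]) -> Tuple[List[Assignment], List[str]]:
    """Return the assignments to remove plus one log line per decision."""
    removed, log = [], []
    for a in assignments:
        if violates(rule, a):
            removed.append(a)
            log.append(f"REMOVE {a.kind} {a.owner} {a.source_id}:{a.subject_id} "
                       f"(no enabled membership in allowed group)")
        else:
            log.append(f"KEEP   {a.kind} {a.owner} {a.source_id}:{a.subject_id}")
    return removed, log


# Constructed sample data: the allowed group holds alice and bob; the rule sits on stem:a, scope SUB
SAMPLE_RULE = Rule(
    stem="stem:a",
    stem_scope="SUB",
    allowed_members=frozenset({("jdbc", "alice"), ("jdbc", "bob")}),
    source_id="jdbc",
    exceptions=frozenset({("stem:a:sub:attrdef", "jdbc", "eve")}),
)

SAMPLE_ASSIGNMENTS = [
    Assignment("membership", "stem:a:group1", "jdbc", "alice"),                 # allowed
    Assignment("membership", "stem:a:group1", "jdbc", "carol"),                 # not in allowed group -> remove
    Assignment("privilege", "stem:a:sub:group2", "jdbc", "dave"),               # subfolder, SUB scope -> remove
    Assignment("permission", "stem:a:sub:attrdef", "jdbc", "eve"),              # listed exception -> keep
    Assignment("membership", "stem:a:group1", "jdbc", "frank", enabled=False),  # disabled -> ignored
    Assignment("membership", "stem:a:group1", "g:gsa", "etc:employee"),         # group subject, other source -> not checked
    Assignment("membership", "stem:other:group3", "jdbc", "carol"),             # outside the folder -> ignored
]


def sample_removals(stem_scope: str = "SUB") -> List[str]:
    """Subject ids a cleanup pass would remove from the sample data for the given stem scope."""
    rule = Rule(SAMPLE_RULE.stem, stem_scope, SAMPLE_RULE.allowed_members,
                SAMPLE_RULE.source_id, SAMPLE_RULE.exceptions)
    removed, _ = reconcile(rule, SAMPLE_ASSIGNMENTS)
    return [a.subject_id for a in removed]


if __name__ == "__main__":
    _, log_lines = reconcile(SAMPLE_RULE, SAMPLE_ASSIGNMENTS)
    print("\n".join(log_lines))
```

Running it prints one KEEP/REMOVE line per assignment. Note the two things that are easy to get wrong in production: a source restriction means subjects from other sources (group subjects, for instance) are never checked at all, and the exception list must key on the specific owner, or one exception quietly exempts a subject everywhere in the folder.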
Attach this rule to the folder (stem) that contains the groups to which the memberships are added; with stem scope SUB it also covers every subfolder.
Configure rule for v5+
Configure rule for v4 and previous
Java example
```java
import org.apache.commons.lang.StringUtils;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Stem;
import edu.internet2.middleware.grouper.StemFinder;
import edu.internet2.middleware.grouper.attr.assign.AttributeAssign;
import edu.internet2.middleware.grouper.attr.value.AttributeValueDelegate;
import edu.internet2.middleware.grouper.rules.RuleCheckType;
import edu.internet2.middleware.grouper.rules.RuleIfConditionEnum;
import edu.internet2.middleware.grouper.rules.RuleThenEnum;
import edu.internet2.middleware.grouper.rules.RuleUtils;

// Setup assumed by the snippet: a root session, the restricted folder (stem:a in the
// original comment) and the allowed group (etc:employee, as in the error message below).
GrouperSession grouperSession = GrouperSession.startRootSession();
Stem restrictedStem = StemFinder.findByName(grouperSession, "stem:a", true);
Group employeeGroup = GroupFinder.findByName(grouperSession, "etc:employee", true);

// Add a rule on stem:a: if the subject being assigned has no enabled membership in
// employeeGroup, veto the assignment anywhere under stem:a.
AttributeAssign attributeAssign = restrictedStem
    .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();

// The rule runs as GrouperSystem so it can see, and veto, every assignment.
attributeValueDelegate.assignValue(RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
attributeValueDelegate.assignValue(RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

// "subject assign" covers membership add, privilege assign, permission assign, etc.
attributeValueDelegate.assignValue(RuleUtils.ruleCheckTypeName(), RuleCheckType.subjectAssignInStem.name());
// SUB = the folder and all subfolders (ONE would be direct children only).
attributeValueDelegate.assignValue(RuleUtils.ruleCheckStemScopeName(), "SUB");

// Optional: restrict the check to one subject source. You will almost certainly want this;
// otherwise every subject that can be assigned here, group subjects included, would have
// to be a member of the allowed group.
attributeValueDelegate.assignValue(RuleUtils.ruleCheckArg0Name(), "jdbc");

// Condition: the subject has no enabled membership in the allowed group.
attributeValueDelegate.assignValue(RuleUtils.ruleIfConditionEnumName(),
    RuleIfConditionEnum.groupHasNoEnabledMembership.name());
attributeValueDelegate.assignValue(RuleUtils.ruleIfOwnerNameName(), employeeGroup.getName());

// Action: veto the assignment.
attributeValueDelegate.assignValue(RuleUtils.ruleThenEnumName(), RuleThenEnum.veto.name());
// Key looked up in the UI messages file, if present.
attributeValueDelegate.assignValue(RuleUtils.ruleThenEnumArg0Name(),
    "rule.entity.must.be.a.member.of.etc.employee");
// Fallback error message when the key is not in the UI messages file.
attributeValueDelegate.assignValue(RuleUtils.ruleThenEnumArg1Name(),
    "Entity cannot be assigned if not a member of etc:employee");

// Grouper validates the rule as the attributes are assigned: "T" means valid, anything else
// is the validation error. Always check this; an invalid rule is not enforced.
String isValidString = attributeValueDelegate.retrieveValueString(RuleUtils.ruleValidName());
if (!StringUtils.equals("T", isValidString)) {
  throw new RuntimeException(isValidString);
}
```
...