Versions Compared

Old Version 19

changes.mady.by.user Vivek Sachdeva (google.com)

Saved on

compared with

New Version Current

changes.mady.by.user Vivek Sachdeva (google.com)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Get all enabled memberships in folder which are not in group, and see if there are exceptions (e.g. allow group if should allow), remove things not allowed
  2. Get all enabled privileges in folder which are not in group, see if there are exceptions (e.g. allow group if should allow), remove things not allowed
  3. Get all enabled permissions in folder which are not in group, see if there are exceptions (e.g. allow group if should allow), remove things not allowed
  4. Make sure there is a clear log of what happens

Add this rule to the folder that has the groups where the membership is added.

Configure rule for v5+

Image Added


Configure rule for v4 and previous

Java example

Code Block
//add a rule on stem:a saying if not in stem:b, then dont allow add to stem:a
    AttributeAssign attributeAssign = restrictedStem
      .getAttributeDelegate().addAttribute(RuleUtils.ruleAttributeDefName()).getAttributeAssign();
    
    AttributeValueDelegate attributeValueDelegate = attributeAssign.getAttributeValueDelegate();
 
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectSourceIdName(), "g:isa");
    attributeValueDelegate.assignValue(
        RuleUtils.ruleActAsSubjectIdName(), "GrouperSystem");

    //subject use means membership add, privilege assign, permission assign, etc.
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckTypeName(), RuleCheckType.subjectAssignInStem.name());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckStemScopeName(), "SUB");
    
    //this is optional to restrict to source.  I think you will want to do that, or you
    //would need to have all the usable groups in the allowed group...
    attributeValueDelegate.assignValue(
        RuleUtils.ruleCheckArg0Name(), "jdbc");

    
    attributeValueDelegate.assignValue(
        RuleUtils.ruleIfConditionEnumName(), RuleIfConditionEnum.groupHasNoEnabledMembership.name());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleIfOwnerNameName(), employeeGroup.getName());
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumName(), RuleThenEnum.veto.name());
    
    //key which would be used in UI messages file if applicable
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumArg0Name(), "rule.entity.must.be.a.member.of.etc.employee");
    
    //error message (if key in UI messages file not there)
    attributeValueDelegate.assignValue(
        RuleUtils.ruleThenEnumArg1Name(), "Entity cannot be assigned if not a member of etc:employee");
 
    //should be valid
    String isValidString = attributeValueDelegate.retrieveValueString(
        RuleUtils.ruleValidName());
 
    if (!StringUtils.equals("T", isValidString)) {
      throw new RuntimeException(isValidString);
    }

...