Add properties to support `Require members in the overall policy grou…
…p to also be in this group: "ref:role:All Faculty/Staff"`
credman committed Sep 19, 2021
1 parent 51d7d8a commit d87feed
Showing 2 changed files with 24 additions and 13 deletions.
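--- a/base/container_files/conf/grouper.properties
+++ b/base/container_files/conf/grouper.properties
@@ -29,10 +29,6 @@ grouperIncludeExclude.requireGroups.use = true
 ## if there is no allowed group, then anyone could use it
 ##################################
 
-# group name of a lockout group
-# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.name\\.\\d+$"}
-grouper.lockoutGroup.name.0 = ref:iam:global_deny
-
 # allowed to use this lockout group. If not configured, anyone could use
 # {valueType: "group", regex: "^grouper\\.lockoutGroup\\.allowedToUse\\.\\d+$"}
 # grouper.lockoutGroup.allowedToUse.0 = ref:lockoutCanUse
@@ -53,12 +49,3 @@ grouper.lockoutGroup.name.0 = ref:iam:global_deny
 # grouper reporting file system path where reports will be stored, e.g. /opt/grouper/reports
 # {valueType: "string", required: false}
 reporting.file.system.path = /tmp
-
-
-grouper.membership.customComposite.uiKey.0 = customCompositeAllFacStaff
-grouper.membership.customComposite.compositeType.0 = intersection
-grouper.membership.customComposite.groupName.0 = ref:role:all_facstaff
-
-grouper.membership.customComposite.uiKey.1 = customCompositeMinusFacStaff
-grouper.membership.customComposite.compositeType.1 = complement
-grouper.membership.customComposite.groupName.1 = ref:role:all_facstaff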
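--- a/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
+++ b/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
@@ -44,6 +44,30 @@ assignObjectTypeForGroup(closure, "ref", "IAM", "Accounts in the process of bein
 Group globalDeny = new GroupSave(gs).assignName("ref:iam:global_deny").assignCreateParentStemsIfNotExist(true).save()
 assignObjectTypeForGroup(globalDeny, "ref", "Identity and Access Management", "Global deny group")
 
+
+// Set include/exclude properties
+
+GrouperDbConfig config = new GrouperDbConfig().configFileName("grouper.properties")
+
+config.propertyName("provisioner.eduPersonAffiliation.canFullSync").value('''true''').store()
+
+// Autopopulate policy deny group
+config.propertyName("grouper.lockoutGroup.name.0").value('''ref:iam:global_deny''').store()
+
+// Used for policy "require users in other group"
+config.propertyName("grouper.requireGroup.name.0").value('''ref:role:all_facstaff''').store()
+
+// Used in membership filter
+config.propertyName("grouper.membership.customComposite.uiKey.0").value('''customCompositeAllFacStaff''').store()
+config.propertyName("grouper.membership.customComposite.compositeType.0").value('''intersection''').store()
+config.propertyName("grouper.membership.customComposite.groupName.0").value('''ref:role:all_facstaff''').store()
+
+config.propertyName("grouper.membership.customComposite.uiKey.1").value('''customCompositeMinusFacStaff''').store()
+config.propertyName("grouper.membership.customComposite.compositeType.1").value('''complement''').store()
+config.propertyName("grouper.membership.customComposite.groupName.1").value('''ref:role:all_facstaff''').store()
+
+
+
 /***** Employee by Dept Loader *****/
 
 def group = new GroupSave(gs).assignName("etc:loader:hr:employeeDeptLoader").assignCreateParentStemsIfNotExist(true).assignDisplayName("etc:loader:HR:employeeDeptLoader").save()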
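Review bot: The new `store()` calls set `grouper.lockoutGroup.name.0` and `grouper.requireGroup.name.0` but no `allowedToUse` key, and the grouper.properties text in this same commit says of the lockout group that if it is "not configured, anyone could use" it. If that is intended for this exercise, record it beside the call, e.g. `// allowedToUse left unset on purpose: anyone may use this lockout group`; otherwise also store `grouper.lockoutGroup.allowedToUse.0` with the group that should be permitted, and check whether the require group needs the same restriction. The heading `// Set include/exclude properties` does not describe the first call, `provisioner.eduPersonAffiliation.canFullSync`, which the commit title does not mention; give that line its own comment saying why full sync is enabled for that provisioner. These settings now live in database config written by this seed script rather than in the base image's properties file, so presumably they exist only where this bootstrap has run; worth confirming for images that build on base without it.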
