From d87feed14b04b44ad036116b4f9572621b659349 Mon Sep 17 00:00:00 2001
From: Chad Redman
Date: Sun, 19 Sep 2021 15:36:29 -0400
Subject: [PATCH] Add properties to support `Require members in the overall policy group to also be in this group: "ref:role:All Faculty/Staff"`
---
 base/container_files/conf/grouper.properties | 13 ----------
 .../container_files/seed-data/bootstrap.gsh | 24 +++++++++++++++++++
 2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/base/container_files/conf/grouper.properties b/base/container_files/conf/grouper.properties
index af8ceef..ade50c5 100644
--- a/base/container_files/conf/grouper.properties
+++ b/base/container_files/conf/grouper.properties
@@ -29,10 +29,6 @@ grouperIncludeExclude.requireGroups.use = true
 ## if there is no allowed group, then anyone could use it
 ##################################
-# group name of a lockout group
-# {valueType: "group", regex: "^grouper\\.lockoutGroup\\.name\\.\\d+$"}
-grouper.lockoutGroup.name.0 = ref:iam:global_deny
-
 # allowed to use this lockout group. If not configured, anyone could use
 # {valueType: "group", regex: "^grouper\\.lockoutGroup\\.allowedToUse\\.\\d+$"}
 # grouper.lockoutGroup.allowedToUse.0 = ref:lockoutCanUse
@@ -53,12 +49,3 @@ grouper.lockoutGroup.name.0 = ref:iam:global_deny
 # grouper reporting file system path where reports will be stored, e.g. /opt/grouper/reports
 # {valueType: "string", required: false}
 reporting.file.system.path = /tmp
-
-
-grouper.membership.customComposite.uiKey.0 = customCompositeAllFacStaff
-grouper.membership.customComposite.compositeType.0 = intersection
-grouper.membership.customComposite.groupName.0 = ref:role:all_facstaff
-
-grouper.membership.customComposite.uiKey.1 = customCompositeMinusFacStaff
-grouper.membership.customComposite.compositeType.1 = complement
-grouper.membership.customComposite.groupName.1 = ref:role:all_facstaff
diff --git a/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh b/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
index 620aa53..6336ec4 100644
--- a/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
+++ b/ex101/ex101.1.1/container_files/seed-data/bootstrap.gsh
@@ -44,6 +44,30 @@ assignObjectTypeForGroup(closure, "ref", "IAM", "Accounts in the process of bein
 Group globalDeny = new GroupSave(gs).assignName("ref:iam:global_deny").assignCreateParentStemsIfNotExist(true).save()
 assignObjectTypeForGroup(globalDeny, "ref", "Identity and Access Management", "Global deny group")
+
+// Set include/exclude properties
+
+GrouperDbConfig config = new GrouperDbConfig().configFileName("grouper.properties")
+
+config.propertyName("provisioner.eduPersonAffiliation.canFullSync").value('''true''').store()
+
+// Autopopulate policy deny group
+config.propertyName("grouper.lockoutGroup.name.0").value('''ref:iam:global_deny''').store()
+
+// Used for policy "require users in other group"
+config.propertyName("grouper.requireGroup.name.0").value('''ref:role:all_facstaff''').store()
+
+// Used in membership filter
+config.propertyName("grouper.membership.customComposite.uiKey.0").value('''customCompositeAllFacStaff''').store()
+config.propertyName("grouper.membership.customComposite.compositeType.0").value('''intersection''').store()
+config.propertyName("grouper.membership.customComposite.groupName.0").value('''ref:role:all_facstaff''').store()
+
+config.propertyName("grouper.membership.customComposite.uiKey.1").value('''customCompositeMinusFacStaff''').store()
+config.propertyName("grouper.membership.customComposite.compositeType.1").value('''complement''').store()
+config.propertyName("grouper.membership.customComposite.groupName.1").value('''ref:role:all_facstaff''').store()
+
+
+
 /***** Employee by Dept Loader *****/
 def group = new GroupSave(gs).assignName("etc:loader:hr:employeeDeptLoader").assignCreateParentStemsIfNotExist(true).assignDisplayName("etc:loader:HR:employeeDeptLoader").save()
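Review bot: The `grouper.lockoutGroup.name.0` store() call under "Autopopulate policy deny group" becomes the only place the global deny group is configured, because this commit also deletes that property from base/container_files/conf/grouper.properties and the diffstat lists no other seed script. Any image built from base that does not run this ex101.1.1 bootstrap would presumably start with no lockout group configured, so either keep the property in the base file or add the same call to the other bootstrap scripts that create `ref:iam:global_deny`. The base file's comment states that without `grouper.lockoutGroup.allowedToUse.0` anyone could use the lockout group, and nothing here sets it for the lockout group or restricts the new require group; if that is intended for a training image, say so with a comment such as `// allowedToUse deliberately unset: training image only`. Separately, `provisioner.eduPersonAffiliation.canFullSync` is stored under `configFileName("grouper.properties")` with no comment and is unrelated to the subject line; provisioner settings usually belong to grouper-loader.properties, so confirm the file name and add a one-line comment explaining why it is set here.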