...
| hawaii.edu: | Top-level folder for all Grouper groups | |||||||
| custom: | All groupings must be inside custom: subfolder | |||||||
| uhm: | Organize grouping by <org> code. We will create it under the uhm folder | |||||||
| manoa-math-club | The grouping itself. It is a composite group defined as: | |||||||
| manoa-math-club: | A folder holding all artifacts that implement the grouping. Every grouping has a folder with the same name as the grouping. | |||||||
| basis | The basis of the grouping. It can be empty, it can have one or more groups as members, or it can implement a complex group expression. A basis is typically built from the UH Group Store. Examples: Simple basis: This basis group has zero or more groups as members, e.g. it has this one member group: hawaii.edu:auto:sis:registration:MAN:MATH:140:86212:201430:enrolled Complex basis: This basis group has one member, hawaii.edu:custom:uhm:manoa-math-club:basis:100, which is a composite group that implements a complex group expression. See below. | |||||||
| basis: | If the basis is a complex group expression, we will need to create intermediate groups that represent each group operation. Such groups go into this folder. | |||||||
| 100 | A composite group that represents a complex basis that is implemented by operations on the 101, 102, etc. groups below. For example, this group is a composite group defined as | |||||||
| 101 | This could be a composite defined as hawaii.edu:auto:sis:registration:MAN:MATH:111:85029:201430:enrolled union hawaii.edu:auto:sis:registration:MAN:MATH:112:82784:201430:enrolled | |||||||
| 102 | This could be another composite defined as hawaii.edu:menu:any-dataOrigin:aff:any-org:faculty | |||||||
include | The grouping's include group. | |||||||
| exclude | The grouping's exclude group. | |||||||
| owners | A group tracking all owners of the grouping | |||||||
| basis+include | Every grouping has this. It is the composite group that implements the "basis union include" portion of the grouping. |
...
- Special considerations before modifying an include or exclude group:
- Who is performing the addition or deletion from the include and exclude groups? If it as a grouping owner, you may proceed.
- Is your application opting in or out on behalf of a grouping member? If so, you should check whether the owner allowed that.
- Determine the full path to the grouping's include and exclude groups. Simply append :include or :exclude to the grouping path, e.g.
- hawaii.edu:custom:uhm:manoa-math-club:include
- hawaii.edu:custom:uhm:manoa-math-club:exclude
- Use these Grouper web service to add or delete members from the include or exclude groups.
- REQUIRED: set this Grouper attribute to the current date and time, but truncate the seconds portion:
- The attribute name is uh-settings:attributes:for-groups:last-modified:yyyymmddThhmm
- The attribute name in the web service call is referred to as wsAttributeDefNameName. See example below.
- Set the attribute for the include or exclude group you are modifying, not the grouping path itself.
- Use the YYYYMMDDTHHMM format for the attribute value, e.g.
- 20140315T1915 (March 15, 2014 7:15:59 PM, note how we truncated the seconds, even if this should have been rounded to 7:16 PM)
- Please make sure your clock is synchronized with a time server.
- Use this Grouper web service to assign the attribute:
- https://spaces.internet2.edu/display/Grouper/Assign+Attributes
Example:
No Format POST https://grouper.hawaii.edu/grouper-ws/servicesRest/json/v2_2_002/attributeAssignments { "WsRestAssignAttributesLiteRequest": { "wsAttributeDefNameName":"uh-settings:attributes:for-groups:last-modified:yyyymmddThhmm", "attributeAssignType":"group", "valueSystem":"20201231T1345", "wsOwnerGroupName":"hawaii.edu:custom:your:grouping:path:include-or-exclude", "attributeAssignValueOperation":"replace_values", "attributeAssignOperation":"assign_attr" } }
A future version of Grouper will support RabbitMQ messaging, and we should then do away with this timestamp requirement.
Reading attributes of group members
The following attributes are available when retrieving the members of a group:
- uid, uhuuid, cn, sn, givenName, displayName, uhOrgAffiliation, eduPersonAffiliation, eduPersonOrgDN, uhScopedHomeOrg
Multi-valued attributes will be returned as a single string with all values delimited by three vertical bars "|||". THIS APPLIES ONLY TO THE Grouper API. Do not expect this format to appear in other services such as UH Login or LDAP.
Example:
| No Format |
|---|
POST https://grouper.hawaii.edu/grouper-ws/servicesRest/xml/v2_2_002/groups
<WsRestGetMembersRequest>
<wsGroupLookups>
<WsGroupLookup>
<groupName>path:to:your:grouping</groupName>
</WsGroupLookup>
</wsGroupLookups>
<includeSubjectDetail>T</includeSubjectDetail>
<subjectAttributeNames>
<string>eduPersonAffiliation</string>
<string>eduPersonOrgDN</string>
</subjectAttributeNames>
</WsRestGetMembersRequest> |
returns:
| No Format |
|---|
<WsGetMembersResults> <subjectAttributeNames> <string>eduPersonAffiliation</string> <string>eduPersonOrgDN</string> <string>uid</string> <string>cn</string> <string>sn</string> <string>givenName</string> <string>displayName</string> <string>eduPersonAffiliation</string> <string>eduPersonOrgDN</string> </subjectAttributeNames> ... <results> <WsGetMembersResult> ... <wsSubjects> <WsSubject> <resultCode>SUCCESS</resultCode> <success>T</success> <id>99999999</id> <name>First Last</name> <sourceId>UH core LDAP</sourceId> <attributeValues> <string>staff</string> <string>uhm</string> <string>username</string> <string>First Last</string> <string>Last</string> <string>First</string> <string>First Last</string> <string>staff|||student</string> <string>uhsystem|||uhm</string> </attributeValues> </WsSubject> ... |