Request access to UH Grouper
Please complete the UH Groupings Request Form, even if you are only interested in Grouper. Use the form's description box to provide this information:
- Provide a description of your application, include the URL if applicable.
- Provide a description of the groups you will need read access for. You would normally choose from UH Group Store
- If you will be creating your own groups, request the creation of a folder for your application:
- Your own folder will need to fall under hawaii.edu:custom:<org> where <org> is one of the campus codes, which includes uhsystem for systemwide organizations
- We ask you to create a folder for your department in addition to a folder for your application
- e.g. hawaii.edu:custom:uhm:math:honors:
- Specify Grouper environment (test or production, you should start with the test environment)
You will get back a username and password to access Grouper
Typical Grouper operations
- creating a folder or group
- assigning permissions to folders or groups
- searching for folders or groups
- viewing group information (such as the group's ID Path which is used in requests, see below)
Code your application to talk to Grouper web services
Our Grouper web service currently uses basic HTTP authentication
- Grouper username and password are included in the Authorization header of every HTTP request (your favorite HTTP or web service module should support this behavior, aka basic access authentication)
Use the group ID Path, not "Path"
- Grouper can identify a group using two paths:
- Group's ID Path:
- e.g. hawaii.edu:custom:uhm:example-group
- Note how the ID path uses codes ('uhm' instead of 'UH Manoa').
- Group's path could be different from the group's ID Path in that we could use natural language, e.g. UH:Custom:UH Manoa:Example Group
- In our experience, the added confusion created by this duality is not worth the friendlier names.
- We recommend that everyone use the same value for a group's ID path and a group's path.
- Exceptions to this recommendation may prove beneficial when the path contains words that are not in the ID path, thus allowing people to find your group.
- Group's ID Path:
Examples in this document interact with Grouper web services via REST and XML
- If you want other examples (e.g. using SOAP, using JSON), refer to
- https://github.com/Internet2/grouper/tree/master/grouper-ws/grouper-ws/doc/samples
After navigating to the desired API, click on the most recent download link (or latest version compatible with our Grouper version)
- https://github.com/Internet2/grouper/tree/master/grouper-ws/grouper-ws/doc/samples
- If you want the full documentation about Grouper Web Services:
- https://spaces.internet2.edu/display/Grouper/Grouper+Web+Services
- This is good for a nice functional overview
Avoid getting lost in the REST and SOAP links that take you to Javadoc pages.- Use the Samples link. Click on the most recent download link (or latest version compatible with our Grouper version)
Substitute Grouper version in examples' URLs with the actual version of the UH Grouper services:
Production URLS should begin with
https://grouper.hawaii.edu/grouper-ws/servicesRest/xml/v2_2_002
Test URLS should begin with
https://grouper-test.its.hawaii.edu/grouper-ws/servicesRest/xml/v2_2_002
The group's "ID Path" should be put into the request URL (and escaped):
For example, to get all members of hawaii.edu:custom:uhm:example-group above, your request URL would be
https://grouper.hawaii.edu/grouper-ws/servicesRest/xml/v2_2_002/groups/hawaii.edu%3Acustom%3Auhm%3Aexample-group/members/
Quick Reference to some Grouper Constants
- Subjects
- Everyone: Subject name=EveryEntity, Subject ID = GrouperAll
- Privilege Types
- naming
- access
- Group privileges
- admin (admin for group, can do everything)
- optin (anybody can opt in to group)
- optout (member can opt out of group)
- read (can see a list of all members of group)
- update (can add or delete members)
- view (can see group exists)
- Folder privileges
- stem (create folder)
- create (create group)
- Grouper Attribute Framework
- Attribute assignment types
- group (group attribute)
- imm_mem (Immediate membership attribute)
- Attribute assignment operations
- assign_attr
- add_attr
- remove_attr
- Attribute assignment types
Remember to click on download
For the links provided below, you'll need to click on the (download) link at the top
Checking if UH Number(s) are members of a Grouper group
Listing all members of a Grouper group
- https://github.com/Internet2/grouper/blob/master/grouper-ws/grouper-ws/doc/samples/getMembers/WsSampleGetMembersRest_xml.txt
- There is a lite version (faster, returns less information):
Adding members to a Grouper group
- https://github.com/Internet2/grouper/blob/master/grouper-ws/grouper-ws/doc/samples/addMember/WsSampleAddMemberRest_xml.txt
- Be sure to use <actAsSubjectLookup> to preserve the actual user who performed the addition. This could be the group admin, or the member opting him/herself in (if allowed).
Deleting members from a Grouper group
- https://github.com/Internet2/grouper/blob/master/grouper-ws/grouper-ws/doc/samples/deleteMember/WsSampleDeleteMemberRest_xml.txt
- Be sure to use <actAsSubjectLookup> to preserve the actual user who performed the deletion. This could be the group admin, or the member opting him/herself out (if allowed).
New folders need to be explicitly granted create-group privilege
By default, a new folder only has the create-folder privilege granted to the person who created the folder. You need to explicity set the create-group permission for the folder creator:
- https://github.com/Internet2/grouper/blob/master/grouper-ws/grouper-ws/doc/samples/assignGrouperPrivileges/WsSampleAssignGrouperPrivilegesRest_xml.txt
- The value for the create-folder permission is 'stem'
- The value for the create-group permission is 'create'
Getting groups where user has admin privileges
- https://github.com/Internet2/grouper/blob/master/grouper-ws/grouper-ws/doc/samples/getGrouperPrivileges/WsSampleGetGrouperPrivilegesListRestLite_list_xml.txt
- 'privilegeName' => 'admin',
- 'subjectId' => '<uhUuid>',
- 'privilegeType' => 'access'