Access Group programmatic creation

I want such functionality. Say there are Employees (an Employee entity has its department). Then there’s one or many department admins. An admin of department A (say the admin is also an Employee and has the department field set to A, and he has the DepAdmin role, unlike others who don’t have this role) can edit/remove only Employees whose Employee.department==A. I want a “Department admin registration screen” where an Admin can create his department and his profile… So this screen will have to programmatically create a group, as far as I understand. Could you point me to some sample?

Hello @rulesprog

Could you describe the problem you’ve faced?

Regards,
Daniil.

I probably can figure out what actually is stored in the DB so that a group is created and then execute a create query from Java… If a group and its constraints are only stored in the DB…

I have a Card entity with a Card.user property and a Card.ministry property. I need to make a certain user able to edit only cards with the same ministry as he has… I can manually prohibit editing in every part of the GUI, but I don’t think it’s a good way.

This functionality can be implemented with the Access Groups mechanism. These groups can be easily created with Metadata, like any other entity.

Do you have some problems with it?

Are there any samples available? Could you please provide a link to such?

Oh, probably https://doc.cuba-platform.com/manual-6.9/local_admins_example.html is just what I needed. Will look at it.

Essentially I need Groovy syntax examples to create a constraint.

Now the problem is I can’t set session attributes:


I needed to register it as well Multiple Main Window
So I put

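import com.haulmont.cuba.core.global.AppBeans;
import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.LoadContext;
import com.haulmont.cuba.web.Connection;
import com.haulmont.cuba.web.DefaultApp;
// plus the import of the project's own Ministry entity

public class App extends DefaultApp {

	@Override
	public void connectionStateChanged(Connection.StateChangeEvent e) {
		super.connectionStateChanged(e);
		// A non-null session means a user session exists for this connection
		if (e.getConnection().getSession() != null) {
			DataManager dataManager = AppBeans.get(DataManager.class);
			// Look up the ministry through the Card that belongs to the logged-in user
			Ministry ministry = dataManager.load(LoadContext.create(Ministry.class).setQuery(
					LoadContext.createQuery("select c.ministryId from callbook$Card c where c.userId = :userId")
							.setParameter("userId", connection.getSession().getUser().getId())));
			// Store it in the user session so that group constraints can refer to it
			connection.getSession().setAttribute("ministryId", ministry);

		}
	}
}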

in .\modules\web\src\com\dtc\callbook\web\App.java and registered App as a bean. Now I’m getting:

ERROR com.haulmont.cuba.web.AppUI - Unable to init ui
java.lang.NullPointerException: null
        at com.haulmont.cuba.web.App.getCookieValue(App.java:410) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.app.loginwindow.AppLoginWindow.initRememberMe(AppLoginWindow.java:188) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.app.loginwindow.AppLoginWindow.init(AppLoginWindow.java:135) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.gui.WindowManager.init(WindowManager.java:1247) ~[cuba-gui-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.gui.WindowManager.initWrapperFrame(WindowManager.java:1236) ~[cuba-gui-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.gui.WindowManager.createWindow(WindowManager.java:581) ~[cuba-gui-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.WebWindowManager.createTopLevelWindow(WebWindowManager.java:1642) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.App.createTopLevelWindow(App.java:298) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.DefaultApp.initializeUi(DefaultApp.java:161) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.DefaultApp.connectionStateChanged(DefaultApp.java:85) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.dtc.callbook.web.App.connectionStateChanged(App.java:14) ~[app-web-0.1-SNAPSHOT.jar:na]
        at com.haulmont.bali.events.EventRouter.fireEvent(EventRouter.java:45) ~[cuba-global-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.security.ConnectionImpl.fireStateChangeListeners(ConnectionImpl.java:226) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.security.ConnectionImpl.login(ConnectionImpl.java:104) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.DefaultApp.loginOnStart(DefaultApp.java:216) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.AppUI.setupUI(AppUI.java:297) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.AppUI.init(AppUI.java:221) ~[cuba-web-6.9.4.jar:6.9.4]
        at com.vaadin.ui.UI.doInit(UI.java:693) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
        at com.vaadin.server.communication.UIInitHandler.getBrowserDetailsUI(UIInitHandler.java:222) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
        at com.vaadin.server.communication.UIInitHandler.synchronizedHandleRequest(UIInitHandler.java:74) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
        at com.vaadin.server.SynchronizedRequestHandler.handleRequest(SynchronizedRequestHandler.java:41) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
        at com.vaadin.server.VaadinService.handleRequest(VaadinService.java:1435) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
        at com.vaadin.server.VaadinServlet.service(VaadinServlet.java:361) [vaadin-server-7.7.13.cuba.9.jar:7.7.13.cuba.9]
        at com.haulmont.cuba.web.sys.CubaApplicationServlet.serviceAppRequest(CubaApplicationServlet.java:312) [cuba-web-6.9.4.jar:6.9.4]
        at com.haulmont.cuba.web.sys.CubaApplicationServlet.service(CubaApplicationServlet.java:203) [cuba-web-6.9.4.jar:6.9.4]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.23]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.23]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.23]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
        at org.springframework.web.filter.CompositeFilter$VirtualFilterChain.doFilter(CompositeFilter.java:107) [spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at org.springframework.web.filter.CompositeFilter.doFilter(CompositeFilter.java:73) [spring-web-4.3.14.RELEASE.jar:4.3.14.RELEASE]
        at com.haulmont.cuba.web.sys.CubaHttpFilter.doFilter(CubaHttpFilter.java:107) [cuba-web-6.9.4.jar:6.9.4]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.23]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.23]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) [catalina.jar:8.5.23]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.23]
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [catalina.jar:8.5.23]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.23]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.23]
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [catalina.jar:8.5.23]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.23]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.23]
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [tomcat-coyote.jar:8.5.23]
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.23]
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-coyote.jar:8.5.23]
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) [tomcat-coyote.jar:8.5.23]
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.23]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_181]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_181]
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.23]
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_181]

Why? It happens when execution gets into super.connectionStateChanged(e);
How do I set session attributes to use them in Groovy when creating a constraint for a group?

Fixed by changing
to

Now I’ll try writing the Groovy script. But I was told that I should rather have used ext-user (extending the User entity) than session attributes…

And anyway I had to set Session Attributes at the app login event (see the sample login restrictions) and then use them in the JPQL of groups. Problems solved!
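
The approach the thread ends on, an access group whose constraints refer to a session attribute set at login, can be created from code roughly as follows. This is an added example, not code from any of the posts above or from the CUBA project. It assumes that `Card` has a `ministry` association, that the `ministryId` session attribute holds that ministry's id, and that in-memory Groovy constraints can read the `userSession` variable; the class, bean and method names are hypothetical.

```java
import com.haulmont.cuba.core.global.CommitContext;
import com.haulmont.cuba.core.global.DataManager;
import com.haulmont.cuba.core.global.Metadata;
import com.haulmont.cuba.security.entity.Constraint;
import com.haulmont.cuba.security.entity.ConstraintCheckType;
import com.haulmont.cuba.security.entity.ConstraintOperationType;
import com.haulmont.cuba.security.entity.Group;
import org.springframework.stereotype.Component;

import javax.inject.Inject;

// Hypothetical helper bean: builds one access group per ministry admin.
@Component("callbook_MinistryGroupFactory")
public class MinistryGroupFactory {

    @Inject
    private Metadata metadata;
    @Inject
    private DataManager dataManager;

    // parent is the existing group under which the new one is placed
    public Group createMinistryAdminGroup(String groupName, Group parent) {
        Group group = metadata.create(Group.class);
        group.setName(groupName);
        group.setParent(parent);

        // Database check: members load only cards of their own ministry.
        Constraint read = metadata.create(Constraint.class);
        read.setGroup(group);
        read.setEntityName("callbook$Card");
        read.setCheckType(ConstraintCheckType.DATABASE);
        read.setOperationType(ConstraintOperationType.READ);
        // Assumption: Card.ministry is an association, ministryId is its id
        read.setWhereClause("{E}.ministry.id = :session$ministryId");

        // In-memory check: the same rule enforced again when a card is updated.
        Constraint update = metadata.create(Constraint.class);
        update.setGroup(group);
        update.setEntityName("callbook$Card");
        update.setCheckType(ConstraintCheckType.MEMORY);
        update.setOperationType(ConstraintOperationType.UPDATE);
        update.setGroovyScript(
                "{E}.ministry?.id == userSession.getAttribute('ministryId')");

        // Group and constraints are ordinary entities, saved in one transaction.
        dataManager.commit(new CommitContext(group, read, update));
        return group;
    }
}
```

Because the constraints live in the security subsystem rather than in individual screens, every load and update of `callbook$Card` by a member of the group is checked, which avoids having to prohibit editing separately in every part of the GUI.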