Grouper Developers Forum

[Tom Barton <>]

GW Brown, Information Systems and Computing wrote:
> > > 2)Similarly, a GrouperList.firstInChain method would allow me to
> > > indicate  in the UI which immediate membership of the current group
> > > caused an  effective membership.
> >
> >
> > _GrouperList.via()_ provides the first group in the via chain.
>
> Confusion over direction! I was working from the 'working' group to the 
> immediate membership ultimately responsible for the effective membership 
> i.e. if groupA has groupB as a member has groupC as a member has subject 
> Z as a member I was interested in groupB->groupC

Algorithmically, it is more efficient to start with a subject and 
determine all of its effective memberships than to start with a group 
and recursively determine its effective members. The API manages 
effective membership using the former approach. To best leverage what's 
already there, perhaps what is needed is a method that takes the set of 
all "upward" membership chains starting from a subject and prunes that 
set to retain only those chains that terminate on a specified group. 
That depicts the set of "reasons" why the subject has the effective 
membership (or priv).

Should such a method be in the UI or API?

> > > e.g. can you revoke a privilege for an individual when it was granted to
> > > a group?
> >
> >
> > You should not be able to.  If you can it is a bug.  You need to remove
> > the individual from the group that they are an immediate member of to
> > revoke the privilege.
>
> I wasn't suggesting that this happened - just that anyone using the UI 
> would in effect try to do this. I think we need to make it clear, in the 
> UI, how a subject came to have a privilege/membership - atleast as a 
> prerequisite to modifying privileges/memberships. It is impossible to 
> know what to expect otherwise.

See above.

Tom