grouper-dev - Re: [grouper-dev] Re: [signet-dev] New ldappc snapshot fixes runner script problem

Subject: Grouper Developers Forum

  • From: Graham Seaman <>
  • To: Tom Barton <>
  • Cc: Grouper Dev <>,
  • Subject: Re: [grouper-dev] Re: [signet-dev] New ldappc snapshot fixes runner script problem
  • Date: Tue, 12 Aug 2008 14:08:19 +0100

Tom Barton wrote:
> Graham Seaman wrote:
>> My final requirement is to be able to take some groups created in grouper and other groups already existing in the LDAP directory and assign them permissions using signet, feeding the permissions back into eduPermission attributes of individual person objects. Once set up these permissions will then be fed through to applications via Shibboleth on individual login.
>>
>> So it seems likely that I will need to have grouper know about all my groups, including the externally created ones, and not only in order to stop existing isMemberOf values being deleted.
>> I had the impression before that my final requirement was quite achievable with current versions of signet/grouper/ldappc, but reading the conversation in the 'Proposal for ldappc provision scoping behavior' I'm no longer quite so sure. What do you think? Is this goal achievable with the current versions of grouper/signet/ldappc?
>
> I don't think so. The show-stopper is the lack of ability to assign privileges to members of groups in the current release of signet. It can assign privs to a group, but not to each member of a group.

OK. Well, say I have a script which periodically queries the permissions on groups and uses the group membership lists to provision the individual person objects with the same permissions. It will no longer be real-time (I can live with that) and there may be major issues when permissions are revoked on a group basis (I think I can get round that), but I think the script should be relatively simple.

What is the simplest way to achieve the other parts of the setup? Am I right to think I'll need to dump my directory groups as XML to get them into grouper?

> And although you might finesse it, I suspect that having two substantial and independent group management and group provisioning activities will prove difficult over the long term.

Isn't this likely to be a common situation though? In my case I have large but only occasionally changing groups ultimately derived from Active Directory (students in year cohorts, studying subjects, attending classes), and small and often changing groups managed by people running particular applications. The people running those applications need to be able to say 'give permission to use this application to the group of people attending this class' (coming from Active Directory) 'plus a little group I've created consisting of the teaching assistant and a couple of postgraduates who want to sit in, plus my colleague in another uni..' etc.

Graham
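
One way to structure the periodic script described in the message above, as an added example that is not part of the original thread: recompute each person's full permission set from the group permissions and memberships on every run, then diff it against the directory, so a group-level revocation removes a value only when no other group still grants it. The group names, DNs, permission strings and the managed-prefix convention are assumptions made for illustration; only the eduPermission attribute name comes from the message.

```python
# Added sketch: expand group-level permissions onto individual person entries.
# All names, DNs and permission strings below are constructed sample data.
MANAGED_PREFIX = "urn:example:perm:"  # assumed namespace owned by this script
READ = MANAGED_PREFIX + "wiki:read"
EDIT = MANAGED_PREFIX + "wiki:edit"
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"
CAROL = "uid=carol,ou=people,dc=example,dc=org"

GROUP_PERMS = {"class:physics101": {READ}, "app:wiki:helpers": {READ, EDIT}}
GROUP_MEMBERS = {"class:physics101": [ALICE, BOB], "app:wiki:helpers": [BOB]}
# eduPermission values currently on each person entry (constructed)
CURRENT = {ALICE: {READ, "urn:other:tool:value"}, CAROL: {EDIT}}


def desired_permissions(group_perms, group_members):
    """Union of the permissions of every group a person belongs to."""
    desired = {}
    for group, perms in group_perms.items():
        for person in group_members.get(group, ()):
            desired.setdefault(person, set()).update(perms)
    return desired


def plan_changes(desired, current, managed_prefix=MANAGED_PREFIX):
    """Return {person_dn: (values_to_add, values_to_delete)}.

    Only values under managed_prefix are ever deleted, so values written
    to the same attribute by other tools are left in place.
    """
    plan = {}
    for person in sorted(set(desired) | set(current)):
        want = desired.get(person, set())
        have = current.get(person, set())
        to_add = want - have
        to_delete = {v for v in have - want if v.startswith(managed_prefix)}
        if to_add or to_delete:
            plan[person] = (sorted(to_add), sorted(to_delete))
    return plan


if __name__ == "__main__":
    changes = plan_changes(desired_permissions(GROUP_PERMS, GROUP_MEMBERS), CURRENT)
    for dn, (add, delete) in changes.items():
        print(dn, "add:", add, "delete:", delete)
```

The returned plan maps directly onto per-entry LDAP modify operations (add and delete of attribute values); how those are sent to the directory is left out here.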