Grouper Developers Forum

[Graham Seaman <>]

Tom Barton wrote:
> Graham Seaman wrote:
> > My final requirement is to to be able to take some groups created in 
> > grouper and other groups already existing in the LDAP directory and 
> > assign them permissions using signet, feeding the permissions back 
> > into eduPermission attributes of individual person objects. Once set 
> > up these permissions will then be fed through to applications via 
> > Shibboleth on individual login.
> >
> > So it seems likely that I will need to have grouper know about all my 
> > groups, including the externally created ones, and not only  in order 
> > to  stop  existing  isMemberOf values being  deleted.
> > I had the impression before that my final requirement was quite 
> > achievable with current versions of signet/grouper/ldappc, but 
> > reading the conversation in the 'Proposal for ldappc provision 
> > scoping behavior' I'm no longer quite so sure.  What do you think? Is 
> > this goal achievable with the current versions of grouper/signet/ldappc?
>
> I don't think so. The show-stopper is the lack of ability to assign 
> privileges to members of groups in the current release of signet. It 
> can assign privs to a group, but not to each member of a group.
OK. Well, say I have a script which periodically queries the permissions 
on groups and uses the group membership lists to provision the 
individual person objects with the same permissions. It will no longer 
be real-time (I can live with that) and there may be major issues when 
permissions are revoked on a group basis (I think I can get round that), 
but I think the script should be relatively simple.

What is the simplest way to achieve the other parts of the setup?  Am I 
right to think I'll need to dump my directory groups as xml to get them 
into grouper?
> And although you might finesse it, I suspect that having two 
> substantial and independent group management and group provisioning 
> activities will prove difficult over the long term.
Isn't this likely to be a common situation though? In my case I have 
large but only occasionally changing groups ultimately derived from 
Active Directory (students in year cohorts, studying subjects, attending 
classes), and small and often changing groups managed by people running 
particular applications. The people running those applications need to 
be able to say 'give permission to use this application to  the group 
of  people  attending this class ' (coming from Active Directory)  'plus 
a little group I've created consisting of the teaching assistant and  a  
couple of  postgraduates who want to sit in, plus my colleague in  
another uni..'  etc.

Graham