Subject: Grouper Developers Forum
RE: add ability to manage privileges of loader managed group_list groups
- From: Chris Hyzer <>
- To: "" <>
- Subject: RE: add ability to manage privileges of loader managed group_list groups
- Date: Tue, 19 May 2009 15:39:15 -0400
- Accept-language: en-US
- Acceptlanguage: en-US
This is more complicated than I originally thought...
If the group is include/exclude or requireGroups or both, then there are 2-5+
groups to manage privileges of, not just 1.
So I added in functionality such that if the group is an include/exclude
and/or requireGroups then all the groups will get the specified permissions.
This is sort of a simplification... in the real world you might want only
certain groups to get the privilege (e.g. you would want the include and
exclude list to get the update privilege from the subject, not the system of
record)... but maybe we can get more complicated later...
I think most of the time you will be granting read/view, where if you can see
all, that is ok. You might grant admin or update to people who know what
they are doing... not sure when you would grant optin/optout, but it is
there for when we need it.
> -----Original Message-----
> From: Chris Hyzer
> Sent: Monday, May 18, 2009 11:37 AM
> Subject: add ability to manage privileges of loader managed group_list
> I added this to grouper:
> This is done.
> In the grouperLoaderGroupQuery, you can now put columns for readers,
> viewers, admins, updaters, optins, optouts.
> The data in the column should be comma separated subjectIds or
> subjectIdentifiers. If it is a group name, the group will be created
> (though the parent stem must exist).
> Generally you will use this to put a list of readers/viewers/etc on a
> group_list so that you can manage access to all of the managed groups
> for that loader job in one place. Though you could also have different
> lists for different groups.
> Here is an example (GSH set attribute):
> setGroupAttr("poc:orgs:orgsConfig", "grouperLoaderGroupQuery", "select
> gh.org_hierarchical_sor_name as group_name,
> gh.org_hierarchical_sor_disp_name as group_display_name,
> org_description as group_description, 'poc:orgs:orgReaders' as readers,
> 'poc:orgs:orgAdmins' as admins, 'poc:orgs:orgUpdaters' as updaters,
> 'poc:orgs:orgViewers' as viewers from grouperorgs_hierarchical gh,
> grouperorgs_poc_orgs gpo where gh.org_id = gpo.id");
> I updated the documentation here:
- add ability to manage privileges of loader managed group_list groups, Chris Hyzer, 05/18/2009
- <Possible follow-up(s)>
- RE: add ability to manage privileges of loader managed group_list groups, Chris Hyzer, 05/19/2009
Archive powered by MHonArc 2.6.16.