Grouper Developers Forum

[Chris Hyzer <>]

Hey,

Sorry I missed the beginning of the call, with part of your description of 
quotas I think.  When you send your use case it will probably be more clear.  
However, in the meantime, let me explain the initial direction:

Roles are a linking of permissions and subjects (users/groups).  So you would 
assign permissions to either a role (i.e. everyone inside), or to a 
membership of a role (immediate or effective, and though we discussed on 
call, I wasn't really thinking assigning to a group-subject membership would 
imply assigning to all members).  Roles are special in that you can have a 
role hierarchy for inherited permissions (e.g. a senior loan administrator is 
a loan administrator with a few more grants). 

Also, if you drop out of the role, you lose your permissions.  This loose 
coupling improves the security by removing access when someone's status 
changes (if groups setup appropriately), and make it convenient since you 
might want to change who has file system quota later on, without changing who 
a student is (e.g. distance learning students don't get the quota anymore).

Here is the Kuali Rice glossary which is similar to what I am suggesting:

https://test.kuali.org/confluence/display/KRDOC/Glossary+1.0.0+-+R

"Group: A Group has members that can be either Principals or other Groups 
(nested). Groups essentially become a way to organize Entities (via Principal 
relationships) and other Groups within logical categories.
Groups can be given authorization to perform actions within applications by 
giving them Roles and Qualified Roles."

"Role: Aggregate Permissions. Roles are not scoped to Namespace; therefore, 
Roles can provide authorization privileges across Namespaces. When Roles are 
given to Entities (via their relationship with Principals) or Groups, an 
authorization for all associated Permissions is granted.
Roles can also have arbitrary data associated with them (e.g., Role 
Attributes) for scoping or classification purposes that can help qualify 
authorization checks in a very limited fashion."

So... if you want to control file system usage (is there one central 
filesystem quota, or are there a bunch of servers?)

The current plan would be to identify your:

1. Groups: gatech:community:students, gatech:community:faculty
2. Roles:  gatech:apps:filesystem:roles:studentUser, 
gatech:apps:filesystem:roles:facultyUser
3. Permission: gatech:apps:filesystem:permissions:fileSystemAccess
4. Limit: gatech:apps:filesystem:limits:fileSystemQuotaBytes (integer)

Link everything up:

Put the student group in the student role, the faculty group in the faculty 
role, the permission in both roles, and assign the quota to both assignments 
of permission-to-role.

Now, what decision or data do you want out of the system.  Is an external 
system going to ask grouper for the overall quota for a user?  I think to get 
this answer without creating a custom service, maybe we need to tunnel 
through existing data structures and use hooks.  So create another permission 
(e.g. gatech:apps:filesystem:permissions:fileSystemOverallAccess) which is 
not assignable to anything in grouper, and allow the same 
fileSystemQuotaBytes limit to be assigned to it.  Then ask Grouper (e.g. 
through web service), give me the permission fileSystemOverallAccess for the 
user 123456.  A hook would intercept that call (if it didn't, it would not 
find an assignment), find all fileSystemAccess permissions/quotas for that 
user, add up the quotas, and return fileSystemOverallAccess permission and 
limit (sum).  Something like that.

I know there are redundant objects here (i.e. just assign the permission to 
the group), but I am trying to go for an RBAC type system, where the Group is 
just collections of subjects.  The Role represents "job functions" or 
something app specific.  Note the namespace difference.  I think it is a 
little cleaner to not have all apps assigning all their permissions directly 
to the student group.  They would make their own role that they have access 
to, and assign to that.  If there were an app specific group, used only for 
the app, then just make it a role.  If there is a group that is shared among 
apps, then make a role for each app, and add the group to each role.

Can this work?
Thanks!
Chris