Skip to Content.
Sympa Menu

grouper-dev - RE: [grouper-dev] permissions allow/deny

Subject: Grouper Developers Forum

List archive

RE: [grouper-dev] permissions allow/deny

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Tom Barton <>, "" <>
  • Subject: RE: [grouper-dev] permissions allow/deny
  • Date: Thu, 12 May 2011 22:48:37 -0400
  • Accept-language: en-US
  • Acceptlanguage: en-US

The approach is there is a heuristic to figure out which rule to honor. It's
an easier problem for firewalls where you have a list of ordered rules which
are evaluated in that way and there are short circuits (i.e. find the first
allow or deny and use it). But for Grouper, the assignments are not ordered,
there are peppered throughout the directed graphs of objects. So there is an

1. Assignments directly to a member trump assignments to a role the user is in
2. If the permissions are flattened across all roles, then any role with an
allow, means overall there is an allow. If there is an actAs a certain role,
then look only in that role
3. Find which direct assignment in the resource directed graph has the
smallest depth (number of hops on the directed graph). If there is one, use
that assignment
4. If there are multiple assignments on the same node of the resource graph,
then go to the actions. Find the assignment with the smallest depth. If
there is one use that
5. If there are multiple assignments with the same depth on resource and
action, then default or allow or deny... this is an open question, I assumed
if there was any that was allow, then allow. But maybe we want if there is
any which is a deny, then deny. I don't really care about this case...

The bottom line is that this can be powerful for people who want to use these
features, but for people who want to keep it simple, they can use assignments
to do that...

As for the UI question, we can display on a UI why the end result is allow or
deny to help the user...


-----Original Message-----

On Behalf Of Tom Barton
Sent: Thursday, May 12, 2011 3:30 PM

Subject: Re: [grouper-dev] permissions allow/deny

This seems similar to long-standing approaches to resolve conflicting
ACL permits and denies (for firewall & router rules, LDAP ACLs,
permissions in various file systems, globus, etc). These usually have a
declaration of "first Permit permits" or "first Deny denies",
simplifying the matter at the expense of ability to express very nuanced
conditions. Is there a simple approach here, even if it should preclude
some expressiveness?


On 5/11/2011 11:56 PM, Chris Hyzer wrote:
> Hey,
> I will be adding an allow/deny flag to permissions in 2.0, and there are
> inheritance issues with how the end result of the permission calculation
> will work. Here is an explanation with some scenarios and a proposed
> algorithm. If you think of other scenarios which aren't covered please
> let me know or add them. I will be getting feedback from the
> mace-paccman group on this as well.
> <>
> Thanks,
> Chris

Archive powered by MHonArc 2.6.16.

Top of Page