Grouper Developers Forum

[Gagné Sébastien <>]

Hi,

We were testing attribute permission and ran in some oddities.

 

Our setup : we added an attribute to multiple groups in different departments. Each department has a set of admins that can only modify their own groups. Admin right were given on this attribute to All the admins of all the departments so they can edit them.

 

The problem : when filtering by attribute in the lite UI you can see all the groups from the other department in the list. This might be OK since we do have read/view right. But one big problem is that an admin from one department CAN DELETE the attribute assignment of ANOTHER department as well as change the value associated the attribute of another department. If I try to modify the assignment or to add a value to another department I get a proper error message saying that I don’t have admin right on the group.

 

Is there missing check for group security or is it built like that ? I would believe you would need admin rights on the Group in order to modify its attributes and attributes value (or maybe only Update to modify attribute values). Actually what would be nice is that Update right on a group would allow the user to change attribute value without needing admin rights on the attribute

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11