
grouper-dev - [grouper-dev] RE: Leftover privileges

  • From: Chris Hyzer <>
  • To: Gagné Sébastien <>, "" <>
  • Subject: [grouper-dev] RE: Leftover privileges
  • Date: Wed, 27 Feb 2013 06:03:09 +0000
  • Accept-language: en-US
  • Authentication-results: sfpop-ironport04.merit.edu; dkim=neutral (message not signed) header.i=none

Ok, here is a rule in the 2.1 branch.  Can you try it?

 

https://bugs.internet2.edu/jira/browse/GRP-881

 

This is done for groups:

 

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+group+privileges+if+from+group

 

folders:

 

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+folder+privileges+if+from+group

 

attribute definitions:

 

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+attribute+definition+privileges+if+from+group

 

If a group is created, and the parent stem CREATE privilege is inherited from a group(s), then remove the individual ADMIN privilege from the created group, and assign that ADMIN privilege to the stem CREATE group(s).  Note, if the user is a wheel or root, then just remove the individual assignment.

 

Feedback?

 

Thanks,

Chris
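The rule Chris describes above, modelled as an added example (not Grouper's own code or API; the stems, groups, membership table and wheel set are constructed in memory so it runs stand-alone):

```python
from dataclasses import dataclass, field

# Constructed in-memory model, not Grouper's API. A stem holds CREATE
# privileges and a group holds ADMIN privileges; each is a set of subject
# names, where a group name used as a subject means "members of that group".
@dataclass
class Stem:
    name: str
    create: set = field(default_factory=set)

@dataclass
class Group:
    name: str
    admin: set = field(default_factory=set)

WHEEL = {"GrouperSystem"}                    # assumed root/wheel subjects
membership = {"lokban": {"0340-admins"}}     # constructed: user -> groups
stems = {
    "acad:deptA:Other": Stem("acad:deptA:Other", {"0340-admins"}),  # CREATE via group
    "acad:deptA:Courses": Stem("acad:deptA:Courses", {"alice"}),    # CREATE granted directly
}
groups = {}

def create_granting_groups(stem_name, user):
    """Groups through which `user` holds CREATE on the stem (direct grants excluded)."""
    stem = stems.get(stem_name)
    if stem is None:
        return set()
    return {s for s in stem.create if s in membership.get(user, set())}

def reassign_admin_if_from_group(user, group):
    """The rule from the thread: if the creator's CREATE on the parent stem came
    from group(s), move the individual ADMIN grant to those groups. A wheel/root
    creator simply loses the individual grant. A creator whose CREATE was granted
    directly keeps ADMIN (the thread does not ask for that case to change)."""
    stem_name = group.name.rsplit(":", 1)[0]
    if user in WHEEL:
        group.admin.discard(user)
        return
    via = create_granting_groups(stem_name, user)
    if via:
        group.admin.discard(user)
        group.admin |= via

def create_group(user, group_name):
    """Simulates group creation: the creator first gets ADMIN, then the rule runs."""
    group = Group(group_name, {user})
    groups[group_name] = group
    reassign_admin_if_from_group(user, group)
    return group
```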

 

 

From: Chris Hyzer
Sent: Tuesday, February 12, 2013 11:28 AM
To: 'Gagné Sébastien'
Subject: RE: Leftover privileges

 

I will have to look into it and do a proof of concept.  Do you think you want a hook or a rule, or not sure?  I can try both if it is useful…

 

Thanks,

Chris

 

From: Gagné Sébastien []
Sent: Tuesday, February 12, 2013 11:25 AM
To: Chris Hyzer
Subject: RE: Leftover privileges

 

I’m not sure how it can be done with a rule, so if you point me in the right direction that would be nice. I did one to add the admin group; can I define it so that it removes everything else?

 

How would you do it with a hook? After insert, remove every privilege that isn’t the group I would expect?

 

The user is actually creating the group, but his privileges come from one of his groups. Is it possible to have that information?

 

We have many folders like that (about 80, since we have 80 depts), it’s something like

acad:deptA:Other

acad:deptA:Courses

acad:deptA:Programs

acad:deptB:Other

acad:deptB:Courses

acad:deptB:Programs

...

Where the create group is only for the “Other” stems. In the hook I would be able to filter using baseStem="acad" && endWith("Other")

 

 

From: Chris Hyzer []
Sent: 12 February 2013 11:15
To: Gagné Sébastien;
Subject: RE: Leftover privileges

 

If you want the entity who created the group to not get admin on group create, might be able to do that with a rule, I can check if you like.  If not, a hook.  Is it only for groups in a certain folder?

 

If you want the admin privilege to be based on the source of create group, this can be done with the hook.  Let me know if you need help.

 

Thanks,

Chris

 

From: [] On Behalf Of Gagné Sébastien
Sent: Tuesday, February 12, 2013 11:09 AM
To:
Subject: [grouper-dev] Leftover privileges

 

Hi,

In our delegated setup, admins are members of a department admin group. This group gives “create group” privileges on a folder. One problem we run into is that when a user creates a folder he automatically gets admin rights with his own user account.

 

This will cause many problems when admins either are removed from the department or move to another one. In both cases the user will keep his admin rights on the groups he created while being an admin even though he isn’t supposed to.

 

I understand that a user must get admin rights on the groups he creates to be able to modify them (i.e. he created the group, surely he can manage it), but would it be possible that these privileges be based on the “source” of this “create group” privilege?

 

In my case, the group “0340-admins” gives the right to create the group in the folder, not a privilege based on the user, but the admin privilege is given to the group member “lokban” that created the group. (I also created a rule which gives admin rights on groups in that folder to that group so others can be admins.)

 

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11

 



