Grouper Developers Forum

["Hyzer, Chris" <>]

I have committed my final commit on inherited privileges in the UI (controlled with rules which used to be controlled by lite ui [not easy] or GSH)

 

https://spaces.internet2.edu/display/Grouper/Grouper+rules+privileges+inheritance+on+UI

 

Note, there isn’t much time to tweak things before the 2.3.0 release, so the important decision right now is the privileges to use this feature.  Right now it is setup so it can be used by default:

 

1.       If you are admin on a folder, you can assign inherited privileges on it

2.       If you are admin of an object in that folder, you can see that inherited privilege assignment (even if you aren’t an admin on the assigned folder), this is so you can see what affects your objects.  Note, you would be able to see the privilege assignment anyways, but now you can see that it exists because of an inherited privilege assignment and see what folder it is assigned to

 

You can lock this down so only grouper admins can use inherited privileges, or people in a certain group, but by default its available.

 

The risk is that if any owner of a parent folder can assign privileges on subfolders.  I think people who use grouper generally organize folders hierarchically by privilege, so the owners of parent folders should be able to do this.  But if you do not have grouper organized like this, and you do not trust the parent folder owners to be able to do this, then you need to change the configuration.  I made this decision so by default this feature can easily be used without having to go through the central grouper administrators.

 

Ok?  J

 

Thanks

Chris