grouper-users - Re: [grouper-users] Composite group question
Subject: Grouper Users - Open Discussion List
List archive
- From: Tom Barton <>
- To: Kathryn Huxtable <>
- Cc: Grouper Users <>
- Subject: Re: [grouper-users] Composite group question
- Date: Wed, 02 Aug 2006 13:55:46 -0500
Kathryn Huxtable wrote:
I know I can make two groups with view but without read and let an arbitrary
user create a compound group with those two groups. When the user does that,
though, the user is able to see the indirect membership of the resultant
group.
Is there a way I can prevent this? It has to do with privacy issues and
such.
Don't give READ to the composite group. Now, the person who forms the composite, using UPDATE or ADMIN priv for the composite, will necessarily have READ. If you don't want them to see the indirect membership, you'll also need to remove their ADMIN or UPDATE in order to remove their READ after the composite has been formed.
If your wicket is sticky enough, and you can't expose the membership of this private group even during the process of forming a composite in which it's a factor, you can create an empty group as a stand-in for the private group that the composite creator uses to form the composite. After the composite is formed, redefine READ over the composite appropriately, and only then make the real private group a subgroup of the stand-in group. Think "separation of duties".
Tom
- Composite group question, Kathryn Huxtable, 08/02/2006
- Re: [grouper-users] Composite group question, Tom Barton, 08/02/2006
- Re: [grouper-users] Composite group question, Kathryn Huxtable, 08/02/2006
- Re: [grouper-users] Composite group question, Tom Barton, 08/02/2006
Archive powered by MHonArc 2.6.16.