Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Composite group question

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Composite group question

Chronological Thread 
  • From: Kathryn Huxtable <>
  • To: Tom Barton <>
  • Cc: Grouper Users <>
  • Subject: Re: [grouper-users] Composite group question
  • Date: Wed, 02 Aug 2006 14:39:19 -0500

Okay, that's what I was afraid of. It means that central IT will have to
construct public groups. I was hoping I could distribute that, and maybe I
can, but there will need to be a policy statement that the creator signs.


On 8/2/06 1:55 PM, "Tom Barton"

> Kathryn Huxtable wrote:
>> I know I can make two groups with view but without read and let an
>> arbitrary
>> user create a compound group with those two groups. When the user does
>> that,
>> though, the user is able to see the indirect membership of the resultant
>> group.
>> Is there a way I can prevent this? It has to do with privacy issues and
>> such.
> Don't give READ to the composite group. Now, the person who forms the
> composite, using UPDATE or ADMIN priv for the composite, will
> necessarily have READ. If you don't want them to see the indirect
> membership, you'll also need to remove their ADMIN or UPDATE in order to
> remove their READ after the composite has been formed.
> If your wicket is sticky enough, and you can't expose the membership of
> this private group even during the process of forming a composite in
> which it's a factor, you can create an empty group as a stand-in for the
> private group that the composite creator uses to form the composite.
> After the composite is formed, redefine READ over the composite
> appropriately, and only then make the real private group a subgroup of
> the stand-in group. Think "separation of duties".
> Tom

Archive powered by MHonArc 2.6.16.

Top of Page