Grouper Users - Open Discussion List

["GW Brown, Information Systems and Computing" <>]

Hi Steve,

Sorry for the delay in responding - lots of people on vacation!

> After creating a group with no privileges, I ask the group for the
> privileges on arbitrary user, X.   The group returns the user X has the
> privileges VIEW and READ, which I expect since the those are the default
> privileges for the group.   When I try to revoke one of the privileges
> for the user I get a
> edu.internet2.middleware.grouper.MemberDeleteException, is this behavior
> intended?
Default privileges specified in grouper.properties are assigned to a 
'special' internal subject called GrouperAll. They are indirect privileges 
- as would be privileges assigned to a group where X is a member. Indirect 
privileges cannot be revoked individually. The privileges must be revoked 
from the 'owner' - GrouperAll in this case, or a group to which the 
privileges were directly assigned.

> In examining this further I tried adding the privilege VIEW
> to the group for user X.  When I list the privileges on the group for
> user X, I get three results, VIEW, VIEW, READ.  Is it intended that I get
> two VIEW privileges back?
It is. Privileges may be derived from multiple 'owners' - the subject 
(direct assignment), GrouperAll or any number of groups. The API keeps 
track of where privileges are derived from so they can be managed 
appropriately.
> If I try to remove the VIEW privilege I just
> added for User X I get a
> edu.internet2.middleware.grouper.MemberDeleteException. Any thoughts?
Would you post your code so I can see which API calls you are making?

Thanks,

Gary
> --Steve
>
>
>
> Stephen Langella MS
>
> Senior Research Specialist
>
> Ohio State University
>
> Department of Biomedical Informatics
>
> Multiscale Computing Laboratory
>
>
>
> Office: (614) 292-9845



----------------------
GW Brown, Information Systems and Computing