grouper-users - Re: [grouper-users] using Grouper and ldappc to manage posix groups

Subject: Grouper Users - Open Discussion List

  • From: Tom Barton <>
  • To: Paul Engle <>
  • Cc:
  • Subject: Re: [grouper-users] using Grouper and ldappc to manage posix groups
  • Date: Mon, 07 Jul 2008 15:50:14 -0500

Paul Engle wrote:
> My idea is to have a separate top-level stem to contain the
> posixGroup definitions. Only the sysadmins have access rights to this
> stem. The groups in this stem all have a custom attribute for the
> gidNumber just as Tom has described. The membership of the group is
> just a single group out in the 'public' stem areas--one which
> potentially anyone could have edit rights to.
>
> That way, the membership management is kept in one place, maintained
> by those who are best in a position to know who it should be. But
> there's no danger of name or gid collisions on the unix side, because
> that's all maintained in the posix-group stem.

Since Grouper has no attribute-level security role, you'd need a model like this to keep the gidNumber attribute out of the hands of those that can manage membership. It's not strictly necessary to isolate such groups in a stem, but that's one way to ensure they are separate groups.

It is also a good fit with a process in which groups must be registered or nominated as posix groups and must first be assigned a gid number. Grouper would limit the ability to create registered posix groups to those with CREATE priv for the stem.

Tom


