
grouper-users - RE: [grouper-users] using Grouper and ldappc to manage posix groups

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Tom Barton <>, Paul Engle <>
  • Cc: "" <>
  • Subject: RE: [grouper-users] using Grouper and ldappc to manage posix groups
  • Date: Mon, 7 Jul 2008 21:23:18 -0400

I don't really understand what you mean by attribute-level security role, but
perhaps hooks could help... if you think so, describe a specific use case
and I can make sure that what I have for v1.4 will suffice. Kind regards,
Chris

> -----Original Message-----
> From: Tom Barton
> [mailto:]
> Sent: Monday, July 07, 2008 4:50 PM
> To: Paul Engle
> Cc:
>
> Subject: Re: [grouper-users] using Grouper and ldappc to manage posix groups
>
> Paul Engle wrote:
> > My idea is to have a separate top-level stem to contain the
> > posixGroup definitions. Only the sysadmins have access rights to this
> > stem. The groups in this stem all have a custom attribute for the
> > gidNumber just as Tom has described. The membership of the group is
> > just a single group out in the 'public' stem areas--one which
> > potentially anyone could have edit rights to.
> >
> > That way, the membership management is kept in one place, maintained
> > by those who are best in a position to know who it should be. But
> > there's no danger of name or gid collisions on the unix side, because
> > that's all maintained in the posix-group stem.
>
> Since grouper has no attribute-level security role, you'd need a model
> like this to keep the gidNumber attribute out of the hands of those that
> can manage membership. It's not strictly necessary to isolate such
> groups in a stem, but that's one way to ensure they are separate groups.
>
> It is also a good fit with a process in which groups must be registered
> or nominated as posix groups and must first be assigned a gid number.
> Grouper would limit the ability to create registered posix groups to
> those with CREATE priv for the stem.
>
> Tom
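
The separation discussed in this thread (gidNumber held only on groups in a sysadmin-controlled stem, each with a single public group as its membership) can be audited mechanically. The sketch below is an added example, not part of the original thread and not Grouper or ldappc code; the record layout, the stem name `posix:`, the `g:`/`s:` member prefixes and the `managers` field are assumptions made for illustration.

```python
from collections import Counter

POSIX_STEM = "posix:"        # hypothetical name of the restricted stem
SYSADMINS = {"sysadmin1"}    # constructed: subjects allowed to manage that stem

# Constructed sample export, one dict per group (not a real Grouper format).
# Members are prefixed "g:" for a group and "s:" for a person (assumption).
GROUPS = [
    {"name": "posix:webdev", "gidNumber": 5001,
     "members": ["g:public:cs:webdev"], "managers": {"sysadmin1"}},
    {"name": "posix:dba", "gidNumber": 5001,
     "members": ["g:public:it:dba"], "managers": {"sysadmin1"}},
    {"name": "posix:ops", "gidNumber": 5003,
     "members": ["s:alice", "g:public:it:ops"], "managers": {"sysadmin1", "bob"}},
    {"name": "public:cs:webdev", "gidNumber": None,
     "members": ["s:carol"], "managers": {"carol"}},
    {"name": "public:it:dba", "gidNumber": 5009,
     "members": ["s:dave"], "managers": {"dave"}},
]


def audit(groups, stem=POSIX_STEM, sysadmins=SYSADMINS):
    """Return sorted (group, problem) pairs where the model is violated."""
    findings = []
    posix = [g for g in groups if g["name"].startswith(stem)]
    gid_counts = Counter(g["gidNumber"] for g in posix)
    for g in groups:
        name = g["name"]
        if not name.startswith(stem):
            # Membership managers must never hold the gidNumber attribute.
            if g["gidNumber"] is not None:
                findings.append((name, "gidNumber set outside posix stem"))
            continue
        if g["gidNumber"] is None:
            findings.append((name, "missing gidNumber"))
        elif gid_counts[g["gidNumber"]] > 1:
            findings.append((name, "gidNumber collision"))
        # Membership must be exactly one group, maintained elsewhere.
        if len(g["members"]) != 1 or not g["members"][0].startswith("g:"):
            findings.append((name, "membership is not a single group"))
        extra = g["managers"] - sysadmins
        if extra:
            findings.append(
                (name, "managed by non-sysadmin: " + ", ".join(sorted(extra))))
    return sorted(findings)
```
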
