
grouper-users - RE: [grouper-users] Non-deletable admin?

Subject: Grouper Users - Open Discussion List

  • From: Loris Bennett <>
  • To: Chris Hyzer <>
  • Cc: Grouper Users Mailing List <>
  • Subject: RE: [grouper-users] Non-deletable admin?
  • Date: Mon, 20 Apr 2009 14:05:01 +0000
  • Organization: Freie Universität Berlin

Hi Chris,

On Mon, 2009-04-20 at 09:01 -0400, Chris Hyzer wrote:
> You have a group called groupA. The admin is JohnSmith, add that person
> to the admin list for groupA. Then you have securityGroupA who can
> admin groupA. Add ScottJohnson and AmyWilliams to securityGroupA
> (member list). Then add securityGroupA to the readers and updaters
> for groupA. Then also add securityGroupA to the readers and updaters
> of securityGroupA.
>
> Now the people who maintain that group (Amy and Scott), can edit the
> list of groupA, and they can edit the list of who can edit the list
> (change the membership of securityGroupA), but they cannot remove the
> superadmin (John), and they cannot do bad things like rename the
> group. If you have a couple of superadmins, then make that a group
> too so you can add another John without editing a bunch of groups...
>
> Sound good?

Ah, so for the normal admins the trick is to have the admin privilege
attached to a group, rather than to the members. Clever.

Should I be worried at all about "(visible) group bloat"? If I am doing
include-exclude, require and superadmin groups, for a single research
team I might have quite a few groups of which only two or three will be
modified on a regular basis. We will be using a restrictive privilege
set with EveryEntity has no privileges, so I might have a number of
privilege sets that I want to switch on, based on membership of certain
groups (blacklist, whitelist, security groups, etc.). I might then want
to do this for a whole bunch of research teams.

Has any thought been given to this? I guess one could do it fairly
easily via a wrapper around gsh or grouperclient.

Cheers

Loris

>
> Thanks,
> Chris
>
> > -----Original Message-----
> > From: Loris Bennett
> > [mailto:]
> > Sent: Monday, April 20, 2009 4:58 AM
> > To: Grouper Users Mailing List
> > Subject: [grouper-users] Non-deletable admin?
> >
> > Hi,
> >
> > As I understand it, anyone with the 'admin' privilege for a group can
> > remove any member or privilege within that group. Is there any way of
> > creating a 'superadmin' who cannot be removed by people with the
> > 'admin'
> > privilege?
> >
> > A usecase might be a research group in which the leader of the group
> > would be the 'superadmin'. He/She then delegates the actual work of
> > maintaining the group to two people who both have the 'admin'
> > privilege.
> > The admins do all the work, stand in for each other, and get replaced
> > every so often. The superadmin only really needs to step in when both
> > admins leave at the same time.
> >
> > The group leader could just be an admin and delegate via the update
> > privilege, but then still has to manage the updaters, which he or she
> > might prefer also to delegate.
> >
> > Cheers
> >
> > Loris
> >
> > --
> > Dr. Loris Bennett (Mr.)
> > Freie Universität Berlin
> > ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer Center
> > Compute & Media Service
> > Fabeckstr. 32, Room 221
> > D-14195 Berlin
> > Tel ++49 30 838 51024
> > Fax ++49 30 838 56721
> > Email
> >
> > Web www.zedat.fu-berlin.de
>
--
Dr. Loris Bennett (Mr.)
Freie Universität Berlin
ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer Center
Compute & Media Service
Fabeckstr. 32, Room 221
D-14195 Berlin
Tel ++49 30 838 51024
Fax ++49 30 838 56721
Email

Web www.zedat.fu-berlin.de
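
The delegation scheme from the quoted reply, modelled as an added example that is not part of the thread and is not Grouper code, with an audit that could be repeated across many research teams. It assumes that UPDATE governs member-list edits, that ADMIN governs privilege changes and renames and implies the other privileges, and that a privilege granted to a group applies to its members; `build_team` and `audit` are hypothetical helper names.

```python
# Added illustration: a toy model of the delegation scheme, not Grouper code.
# Assumptions: UPDATE lets a subject edit a group's member list, ADMIN lets it
# change privileges or rename, ADMIN implies the other privileges, and a
# privilege granted to a group applies to that group's members.

class Group:
    def __init__(self, name):
        self.name = name
        self.members = set()  # person ids (str) or nested Group objects
        self.privs = {"admin": set(), "update": set(), "read": set()}

def is_member(subject, group, seen=None):
    """Direct or indirect membership, guarding against membership cycles."""
    seen = set() if seen is None else seen
    if group in seen:
        return False
    seen.add(group)
    return any(m == subject or (isinstance(m, Group) and is_member(subject, m, seen))
               for m in group.members)

def has_priv(subject, group, priv):
    """Effective privilege: held directly, through a group, or implied by admin."""
    holders = group.privs[priv] | group.privs["admin"]
    return any(h == subject or (isinstance(h, Group) and is_member(subject, h))
               for h in holders)

def build_team(name, superadmin, maintainers):
    """Set up one team the way the quoted reply describes."""
    group, security = Group(name), Group("security" + name[0].upper() + name[1:])
    group.privs["admin"].add(superadmin)
    security.privs["admin"].add(superadmin)  # assumption: not stated in the thread
    security.members.update(maintainers)
    for g in (group, security):
        g.privs["read"].add(security)
        g.privs["update"].add(security)
    return group, security

def audit(group, security):
    """Return violations of the invariant: maintainers update but never admin."""
    problems = []
    for person in sorted(m for m in security.members if isinstance(m, str)):
        for g in (group, security):
            if not has_priv(person, g, "update"):
                problems.append(f"{person} cannot edit members of {g.name}")
            if has_priv(person, g, "admin"):
                problems.append(f"{person} can change privileges on {g.name}")
    return problems

groupA, securityGroupA = build_team("groupA", "JohnSmith",
                                    ["ScottJohnson", "AmyWilliams"])
```

An empty list from `audit` means the maintainers can edit both member lists but cannot touch privileges; a direct admin grant to a maintainer shows up as a violation.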
