Grouper Users - Open Discussion List

[Loris Bennett <>]

Hi Chris,

On Mon, 2009-04-20 at 09:01 -0400, Chris Hyzer wrote:
> You have a group called groupA. The admin is JohnSmith, add that person
>  to the admin list for groupA. Then you have securityGroupA who can
>  admin groupA.  Add ScottJohnson and AmyWilliams to securityGroupA
>  (member list).  Then add securityGroupA to the readers and updaters
>  for groupA.  Then also add securityGroupA to the readers and updaters
>  of securityGroupA.
> 
> Now the people who maintain that group (Amy and Scott), can edit the
>  list of groupA, and they can edit the list of who can edit the list
>  (change the membership of securityGroupA), but they cannot remove the
>  superadmin (John), and they cannot do bad things like rename the
>  group.  If you have a couple of superadmins, then make that a group
>  too so you can add another John without editing a bunch of groups...
> 
> Sound good?

Ah, so for the normal admins the trick is to have the admin privilege
attached to a group, rather than to the members. Clever.

Should I be worried at all about "(visible) group bloat"? If I am doing
include-exclude, require and superadmin groups, for a single research
team I might have quite a few groups of which only two or three will be
modified on a regular basis. We will be using a restrictive privilege
set with EveryEntity has no privileges, so I might have a number of
privilege sets that I want to switch on, based on membership of certain
groups (blacklist, whitelist, security groups, etc.). I might then want
to do this for a whole bunch of research teams.

Has any thought been given to this? I guess one could do it fairly
easily via a wrapper around gsh or grouperclient.

Cheers

Loris  

> 
> Thanks,
> Chris
> 
> > -----Original Message-----
> > From: Loris Bennett 
> > [mailto:]
> > Sent: Monday, April 20, 2009 4:58 AM
> > To: Grouper Users Mailing List
> > Subject: [grouper-users] Non-deletable admin?
> > 
> > Hi,
> > 
> > As I understand it, anyone with the 'admin' privilege for a group can
> > remove any member or privilege within that groups. Is there any way of
> > creating a 'superadmin' who cannot be removed by people with the
> > 'admin'
> > privilege?
> > 
> > A usecase might be a research group in which the leader of the group
> > would be the 'superadmin'. He/She then delegates the actual work of
> > maintaining the group to two people who both have the 'admin'
> > privilege.
> > The admins do all the work, stand in for each other, and get replaced
> > every so often. The superadmin only really needs to step in when both
> > admins leave at the same time.
> > 
> > The group leader could just be an admin and delegate via the update
> > privilege, but then still has to manage the updaters, which he or she
> > might prefer also to delegate.
> > 
> > Cheers
> > 
> > Loris
> > 
> > --
> > Dr. Loris Bennett (Mr.)
> > Freie Universität Berlin
> > ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer Center
> > Compute & Media Service
> > Fabeckstr. 32, Room 221
> > D-14195 Berlin
> > Tel ++49 30 838 51024
> > Fax ++49 30 838 56721
> > Email 
> > 
> > Web www.zedat.fu-berlin.de
> 
-- 
Dr. Loris Bennett (Mr.)
Freie Universität Berlin
ZEDAT - Zentraleinrichtung für Datenverarbeitung / Computer Center
Compute & Media Service
Fabeckstr. 32, Room 221
D-14195 Berlin
Tel ++49 30 838 51024
Fax ++49 30 838 56721
Email 

Web www.zedat.fu-berlin.de