grouper-users - RE: [grouper-users] read permission and effective membership
Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: Jim Fox <>, grouper users list <>
- Subject: RE: [grouper-users] read permission and effective membership
- Date: Thu, 13 Jan 2011 11:57:46 -0500
Yes. We had a lot of discussion on this point. There are pros and cons
either way, but the way it is implemented had a better score :)
Some notes on the topic:
- If two people query the same group, and get a response that they have READ,
  then they should have consistent results.
- It is a lot more scalable this way, rather than having to check permission on
  all descendent groups. One important aspect of the Grouper code is being
  able to do DB operations in one query, not multiple queries.
- If someone gets rights to read a group, but not read a member, but they
  should have it, then it will be hard to communicate that to the user. They
  will just see a partial listing with no warning about it.
- This is similar to Oracle security with GRANT option... i.e. if you have a
  view on a table, and you grant access to the view, then I don't think the
  querier needs SELECT on the underlying table...
Thanks,
Chris
-----Original Message-----
From:
[mailto:]
On Behalf Of Jim Fox
Sent: Thursday, January 13, 2011 10:42 AM
To: grouper users list
Subject: [grouper-users] read permission and effective membership
I have a user 'u' and two groups 'a' and 'b'.
1) 'u' has Read permission on 'a'.
2) 'u' does not have Read permission on 'b'
3) 'b' is a member of 'a'.
If 'u' does a getMembers() on group 'a' it sees all the effective
members, including those of 'b'. Is this the expected behavior?
Jim
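
The scenario from this thread as a toy model, added here as an example; it is not part of either message and is not Grouper's code. It contrasts a single READ check on the queried group with a per-subgroup check; the reader 'v', the member names, and all function names are assumptions made for the illustration.

```python
# Toy model of the two designs discussed in the thread. Not Grouper code;
# all names and data below are constructed for illustration.
GROUPS = {
    "a": {"subjects": {"alice"}, "groups": {"b"}},   # 'b' is a member of 'a'
    "b": {"subjects": {"bob", "carol"}, "groups": set()},
}
READ = {"u": {"a"}, "v": {"a", "b"}}  # 'u' reads 'a' only; 'v' reads both


def effective_members(group, seen=None):
    """All subjects reachable through nested group memberships."""
    seen = set() if seen is None else seen
    if group in seen:            # guard against membership cycles
        return set()
    seen.add(group)
    members = set(GROUPS[group]["subjects"])
    for child in GROUPS[group]["groups"]:
        members |= effective_members(child, seen)
    return members


def members_check_queried_group(reader, group):
    """Design described in the reply: one READ check, on the queried group."""
    if group not in READ.get(reader, set()):
        raise PermissionError(f"{reader} lacks READ on {group}")
    return effective_members(group)


def members_check_every_group(reader, group, seen=None):
    """Alternative design: READ is re-checked on each nested group, and
    unreadable subgroups are dropped without any warning to the caller."""
    seen = set() if seen is None else seen
    if group in seen or group not in READ.get(reader, set()):
        return set()
    seen.add(group)
    members = set(GROUPS[group]["subjects"])
    for child in GROUPS[group]["groups"]:
        members |= members_check_every_group(reader, child, seen)
    return members


if __name__ == "__main__":
    for reader in ("u", "v"):
        print(reader, sorted(members_check_queried_group(reader, "a")),
              sorted(members_check_every_group(reader, "a")))
```

Under the first design both readers of 'a' get the same listing; under the second, 'u' silently receives a partial one. The first design also means READ on 'a' discloses the membership of 'b', so a grant of READ on a parent group has to be reviewed with its nested groups in mind.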