Grouper Users - Open Discussion List

[Chris Hyzer <>]

Yes.  We had a lot of discussion on this point.  There are pros and cons 
either way, but the way it is implemented had a better score  :)  

Some notes on the topic:

If two people query the same group, and get a response that they have READ, 
then they should have consistent results

It is a lot more scalable this way, rather than having to check permission on 
all descendent groups.  One important aspect of the Grouper code is being 
able to do DB operations in one query, not multiple queries.

If someone gets rights to read a group, but not read a member, but they 
should have it, then it will be hard to communicate that to the user.  They 
will just see a partial listing with no warning about it

This is similar to Oracle security with GRANT option... i.e. if you have a 
view on a table, and you grant access to the view, then I don't think the 
querier needs SELECT on the underlying table...

Thanks,
Chris

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Jim Fox
Sent: Thursday, January 13, 2011 10:42 AM
To: grouper users list
Subject: [grouper-users] read permission and effective membership


I have a user 'u' and two groups 'a' and 'b'.

1) 'u' has Read permission on 'a'.
2) 'u' does not have Read permission on 'b'
3) 'b' is a member of 'a'.

If 'u' does a getMembers() on group 'a' it sees all the effective
members, including those of 'b'.  Is this the expected behavior?

Jim