Skip to Content.
Sympa Menu

grouper-users - [grouper-users] RE: Representing People Hierarchies in Grouper

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: Representing People Hierarchies in Grouper

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Richard James <>
  • Cc: "" <>
  • Subject: [grouper-users] RE: Representing People Hierarchies in Grouper
  • Date: Wed, 23 Feb 2011 08:53:52 -0500
  • Accept-language: en-US
  • Acceptlanguage: en-US

Another thing you could consider is just having a member attribute
(multi-assigned) which holds the memberId of the supervisor. Not sure
exactly how the permissions inherit, but that could at least be a way to
represent this... And I believe you can assign and read this from WS


-----Original Message-----
From: Richard James

Sent: Wednesday, February 23, 2011 6:07 AM
To: Chris Hyzer; grouper users list
Subject: RE: Representing People Hierarchies in Grouper

Thanks for your responses.

We are looking to represent this structure for a few different projects which
are going on, including the restructuring of how delegation of access to our
Shared file store resource is achieved. This involves provisioning grouper
groups into the AD for each department which we have been able to do with the
org structure that we represent in Grouper. As part of this there is a "nice
if possible requirement" to be able to recognise who the manager of each
department is, and who they report to, with inheritance of permissions at
different levels of the people hierarchy. Until our resources allow us to
explore this further we are using grouper to provision the departmental
access groups and having the permission aspect being manually processed at
the AD level.

Apart from the file store use case there are other use cases which are
interested in being able to make use of a people hierarchy. One of our
faculties is looking at ways to manage access in a workload
reporting/management tool they are developing, with a person's position in
the Faculty hierarchy determining which staff reports they will be able to
view, as Steven mentioned this could get quite interesting in working out who
peoples superiors are etc.

It does look like the use of the permission functionality within Grouper will
be a good route for us to explore, it's something that we have looked at
briefly especially after Rob and Shilen's "Delegated Access Control in AD
using Grouper" presentation at the Fall Internet2 members meeting.


>-----Original Message-----
>From: Chris Hyzer
>Sent: 23 February 2011 02:29
>To: Richard James; grouper users list
>Subject: RE: Representing People Hierarchies in Grouper
>We have our org chart represented as folders/groups, and as permissions.
>It is permissions because we have applications where we want to grant
>someone access to READ or WRITE data associated with a particular org.
>The hierarchies in the permissions are relationships in the
>attributeDefNameSet. i.e. one permission will imply all the permissions
>underneath. i.e. if you grant to the department, you get all the orgs
>Both of these approaches are done with the loader linked to our data
>warehouse. With folders/groups, you have a strict hierarchy, a group
>can only be in one folder. But the attributeDefNameSet relationship is
>a directed graph, so you could have multiple parents. How are you going
>to use the data? If you want to query out who someone's supervisor(s)
>or supervisee(s) are, then you cant use the WS right now (to find out
>attributeDefNameSet relationships), you would have to do a SQL call...
>:) Also, not really recommending you do this, just mentioning :)
>-----Original Message-----
> [
> On Behalf Of Richard James
>Sent: Friday, February 18, 2011 9:59 AM
>To: grouper users list
>Subject: [grouper-users] Representing People Hierarchies in Grouper
>I am wondering if anyone can share any experiences/approaches for
>representing a hierarchy of people in Grouper. At Newcastle we have been
>loading in an organisational hierarchy, so the hierarchical relationship
>is people to team and team to department. We now have use cases which
>require representing a people management hierarchy i.e. person to line
>manager to department head and so on. As ever with this being a
>University, you have the exceptions where people report to 2 line
>managers which adds a level of complexity.
>We are currently trying to find the best way to proceed with
>representing these kinds of structure. We were wondering if anybody has
>had an experience of representing this type of structure within Grouper?
>And if so could provide us with any guidance/approaches for proceeding
>with this, or examples of similar structures represented within your
>deployments of Grouper.
>Thanks in advance for any feedback.
>Richard James
>Infrastructure Systems Administrator
>ISS Systems Architecture
>Newcastle University

Archive powered by MHonArc 2.6.16.

Top of Page