
grouper-users - Re: [grouper-users] Setting default privileges for a group

Subject: Grouper Users - Open Discussion List

  • From: Julio Polo
  • Subject: Re: [grouper-users] Setting default privileges for a group
  • Date: Wed, 20 Apr 2011 16:12:48 -1000

Thanks!

Setting the global default to all-false makes sense. Even if we
immediately follow creation of a group with assignGrouperPrivileges,
there is a small window where someone may see or do something they
aren't supposed to.

So if I call assignGrouperPrivileges to assign desired default
privileges to (newly created group, EveryEntity), that shouldn't
affect the global settings, right? Subsequently created groups still
use what was originally defined in grouper.properties?

Julio Polo
University of Hawaii



On Wed, Apr 20, 2011 at 3:03 PM, Chris Hyzer wrote:
> Well, it's not the default privilege, it's the global privilege... know what
> I mean?
>
> So on the UI, all that checkbox does is assign a privilege for that group
> to the subject EveryEntity, or GrouperAll, or whatever it is configured to
> be called in grouper.properties.  So if you want to create a group, then
> create it with a GroupSave.  That will follow the grouper.properties to
> assign the global privileges.  By default this makes the group globally
> readable and globally viewable.  I personally think that Universities
> should change this default to false for all, following the principle of
> least privilege.  But in any case, after you do your GroupSave, then follow
> that with a web service "assignGrouperPrivileges" call which either
> removes the EveryEntity/GrouperAll for default grouper.properties settings,
> or adds them if you want to widen things.  Ok?
>
> Thanks!
> Chris
>
> -----Original Message-----
> On Behalf Of Julio Polo
> Sent: Wednesday, April 20, 2011 7:37 PM
> Subject: [grouper-users] Setting default privileges for a group
>
> How do I set the default privileges for a new or existing group via a
> web service?   I am assuming this can be specified within
> <WsRestGroupSaveRequest> (using REST, XML), but I couldn't find any
> documentation.
>
> Julio Polo
> University of Hawaii
>
> --------------------------------------------
> Excerpt from https://spaces.internet2.edu/display/Grouper/API+Configuration
>
> Grouper Privileges
>
> All configuration of Grouper privileges detailed in this section occurs
> in the grouper/conf/grouper.properties file.
>
> Default privileges
>
> Grouper requires that all subjects must be explicitly granted access
> or naming privileges (cf. Glossary), with one caveat. There is a
> special "subject" internal to Grouper called the ALL subject, which is
> a stand-in for any subject. The ALL subject can be granted a privilege
> in lieu of assigning that privilege explicitly to each and every
> subject.
>
> When a new group or naming stem is created, any of its associated
> privileges can be granted by default to the ALL subject. This is
> configured by a series of properties in grouper.properties, one per
> privilege. If a property has the value "true" then ALL is granted that
> privilege by default when a group or naming stem is created. Otherwise
> it is not, and hence no subject has that privilege by default.
>
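
Added example (not part of the original thread and not Grouper project code): a small Python check that reads grouper.properties text and lists every privilege the ALL subject would receive when a group or naming stem is created, which is the setting discussed in this thread. The sample file content is constructed, the key pattern <groups|stems>.create.grant.all.<privilege> is an assumption about how the per-privilege properties are named, and the parser handles only single-line key=value or key:value entries.

```python
import re

# Constructed sample grouper.properties content (not from a real deployment).
SAMPLE_PROPERTIES = """\
# grants to the ALL subject when a group is created
groups.create.grant.all.admin = false
groups.create.grant.all.optin = false
groups.create.grant.all.optout = false
groups.create.grant.all.read = true
groups.create.grant.all.update = false
groups.create.grant.all.view : true
! grants to the ALL subject when a naming stem is created
stems.create.grant.all.create=false
stems.create.grant.all.stem=false
"""

# Assumed key layout: <groups|stems>.create.grant.all.<privilege>
GRANT_KEY = re.compile(r"^(groups|stems)\.create\.grant\.all\.(\w+)$")


def parse_properties(text):
    """Parse single-line Java .properties entries; later duplicates win."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def global_grants(text):
    """Return sorted (object_type, privilege) pairs granted to ALL at creation."""
    found = []
    for key, value in parse_properties(text).items():
        m = GRANT_KEY.match(key)
        # Assumption: any casing of "true" enables the grant; flag it conservatively.
        if m and value.lower() == "true":
            found.append((m.group(1), m.group(2)))
    return sorted(found)


if __name__ == "__main__":
    for obj, priv in global_grants(SAMPLE_PROPERTIES):
        print(f"{obj}: ALL subject is granted '{priv}' at creation")
```

An empty result means no new group or stem is exposed to the ALL subject during the window between creation and a follow-up privilege assignment.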


