Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] question about Grouper permissions....

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] question about Grouper permissions....


Chronological Thread 
  • From: Chris Hyzer <>
  • To: Steven Carmody <>, Grouper-Users <>
  • Subject: RE: [grouper-users] question about Grouper permissions....
  • Date: Mon, 22 Aug 2011 14:16:24 +0000
  • Accept-language: en-US

>
> A "permission definition" is created, and then someone assigns that
> permission to a Role (and perhaps to just some entities while operating
> in that role).

Right, well, there are two parts, the definition and the name/resource, and
that is whats assigned.

>
> "permission definition"s, tho, look like strings ?

Right

>
> So, how are these "pushed" into the target application ? Does ldappcng
> do that ? Is it expected that they will be pushed into ldap, and the
> target application looks at attribute values to see if someone has a
> specific permission?
>

I think we aren't really expecting anything but simple permissions to be
pushed into ldap.
Ldappcng can do provisioning of permissions to ldap or other sources, or you
could just use notifications and a nightly sync, or get them when someone
logs in if it is a custom application...

> We have applications that export APIs that allow a provisioning program
> to specify which group/role can do VERB on RESOURCE X -- is there some
> sort of plugin architecture in ldappcng -- where we provide the
> appropriate plugin and something like ldappcng will use our plugin ?

Yeah, you would have to write a plugin, TomZ can give you more info.

There are some complications with permissions though... since there is
allow/deny, and limits, and inheritance, it more complicated than just a
subject is in a group. Notifications need to be tweaked in 2.1 to take into
account allow/deny. And if ldappcng uses notifications then the same is true
there too. Anyways, bottom line is at this point the provisioning part of
permissions is new territory, though the existing components should work or
will work at some time soon, if you have examples to share that would help :)

Thanks,
Chris





Archive powered by MHonArc 2.6.16.

Top of Page