Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] another group privilege for hasMember?

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] another group privilege for hasMember?

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Tom Barton <>, "" <>
  • Subject: RE: [grouper-users] another group privilege for hasMember?
  • Date: Tue, 20 Mar 2012 13:47:05 +0000
  • Accept-language: en-US

Basically instead of granting READ to the service principal for the application on the group, if we had READ_HAS_MEMBER we could assign that and then the service principal would be able to call the hasMember web service but not the getGroups for a user or getMembers for the group or getMemberships or access the members from LDAP (since READ allows that)… I will just make a custom web service for this case and not allow the service principal access to the grouper WS or LDAP so it will be fine.  It would also work if we had a login assertion for this membership as an entitlement, but it is an android mobile application not a web application…





From: [mailto:] On Behalf Of Tom Barton
Sent: Tuesday, March 20, 2012 9:41 AM
Subject: Re: [grouper-users] another group privilege for hasMember?


This is analogous to LDAP's CMP operation (compare) being applied to the "members" attribute of a group object, used to test whether a specified DN is a member. Can the same information can be obtained using getMemberships, filtered to just the group of interest? It would be good to learn about the use case or problem your privacy officer is trying to address.


On 3/16/2012 12:24 PM, Chris Hyzer wrote:

Our privacy officer would like to grant a service access to run a hasMember query (ie. As input pass the netId and groupName) without the service being able to list the netIds of the members of the group.  Currently the group privilege “READ” grants access to both.  Just curious, do other people have a similar need or is it too fine grained?  This would not be a near term thing anyways, but just curious if we should explore adding to the long term roadmap…




Archive powered by MHonArc 2.6.16.

Top of Page