grouper-users - RE: [grouper-users] another group privilege for hasMember?
Subject: Grouper Users - Open Discussion List
- From: Chris Hyzer <>
- To: Tom Barton <>, "" <>
- Subject: RE: [grouper-users] another group privilege for hasMember?
- Date: Tue, 20 Mar 2012 13:55:05 +0000
Course review, and active students should be able to participate (maybe with includes/excludes). This is a vendor where we don’t want them to be able to list all active students… granted if they had all IDs they could brute force with a bunch of hasMembers…

Thanks,
Chris

From: [mailto:]
On Behalf Of Tom Barton

What's the android app for, ie, what's it do?

Basically instead of granting READ to the service principal for the application on the group, if we had READ_HAS_MEMBER we could assign that and then the service principal would be able to call the hasMember web service but not the getGroups for a user or getMembers for the group or getMemberships or access the members from LDAP (since READ allows that)… I will just make a custom web service for this case and not allow the service principal access to the grouper WS or LDAP so it will be fine. It would also work if we had a login assertion for this membership as an entitlement, but it is an android mobile application not a web application…

Thanks,
Chris

From: []
On Behalf Of Tom Barton

This is analogous to LDAP's CMP operation (compare) being applied to the "members" attribute of a group object, used to test whether a specified DN is a member. Can the same information be obtained using getMemberships, filtered to just the group of interest? It would be good to learn about the use case or problem your privacy officer is trying to address.

Our privacy officer would like to grant a service access to run a hasMember query (i.e. as input pass the netId and groupName) without the service being able to list the netIds of the members of the group. Currently the group privilege “READ” grants access to both. Just curious, do other people have a similar need or is it too fine grained? This would not be a near term thing anyways, but just curious if we should explore adding to the long term roadmap…

Thanks,
Chris
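Added example (not part of the original thread and not Grouper code): a sketch of the kind of custom service discussed above, which answers only a yes/no membership test and caps how many distinct netIds one caller may test per group in a time window, so the brute-force listing mentioned in the thread is bounded. The class names, the in-memory dict standing in for the group backend, and the group name and netIds are all hypothetical or constructed.

```python
import time
from collections import defaultdict


class ProbeBudgetExceeded(Exception):
    """Caller tested more distinct netIds than its budget allows."""


class HasMemberFacade:
    """Hypothetical facade: exposes hasMember only, never the member list."""

    def __init__(self, members_by_group, max_distinct, window_seconds,
                 clock=time.monotonic):
        # Assumption: a dict stands in for the real group store.
        self._members = {g: frozenset(m) for g, m in members_by_group.items()}
        self._max_distinct = max_distinct
        self._window = window_seconds
        self._clock = clock
        # (caller, group) -> {net_id: time of first probe in the window}
        self._seen = defaultdict(dict)

    def has_member(self, caller, group_name, net_id):
        now = self._clock()
        seen = self._seen[(caller, group_name)]
        # Forget probes that have aged out of the window.
        for old in [n for n, t in seen.items() if now - t >= self._window]:
            del seen[old]
        # Re-checking a netId already tested is free; new ones use budget.
        if net_id not in seen:
            if len(seen) >= self._max_distinct:
                raise ProbeBudgetExceeded(
                    f"{caller}: over {self._max_distinct} distinct netIds "
                    f"on {group_name}")
            seen[net_id] = now
        # Unknown group and non-member look identical to the caller.
        return net_id in self._members.get(group_name, frozenset())


def budget_exhausted(facade, caller, group_name, net_id):
    """True if this probe is refused, so callers can log or alert on it."""
    try:
        facade.has_member(caller, group_name, net_id)
        return False
    except ProbeBudgetExceeded:
        return True
```

A refused probe is also a useful detection signal: a service principal that keeps hitting the budget is testing far more identities than its normal use requires.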