Grouper Users - Open Discussion List

[Gagné Sébastien <>]

Hello again,

I’ve read these pages and did some coding, but I have another question:

-          What happens if there are more than one rule the could be applied to a group that have opposite results

 

My example, stem with groups :

stemA

-          Admins

-          groupA

-          groupB

 

I want to create a “Inherited privileges on folders” rule on stemA to give admin right on the all the groups contained in stemA, except for the group Admins which I only want update right. It would look something like this for a member of the Admins group :

 

stemA

-          Admins (read, update)

-          groupA (read, admin)

-          groupB (read, admin)

 

I thought of adding another rule based on the Group name “Admins” but I as understand, rules are unordered, so the “give only update right” rule might trigger before the “give admin right” which would overwrite the limited privileges.

 

Thanks

 

 

De : Chris Hyzer [mailto:]
Envoyé : 15 août 2012 13:58
À : Gagné Sébastien;
Objet : RE: Delegation on group administration

 

Look at rules and see if that works…

 

https://spaces.internet2.edu/display/Grouper/Grouper+rules

 

Look at the inherited privileges ones:

 

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+cases

 

Thanks,

Chris

 

From: On Behalf Of Gagné Sébastien
Sent: Wednesday, August 15, 2012 1:10 PM
To:
Subject: [grouper-users] Delegation on group administration

 

Hi,

We have a use case here where each department have their own admins. These admin should be able to manage everything (i.e. full control) under their department’s stem/folder/OU, including subfolder and Groups. From what I read this should be a trivial task in Grouper but I cannot seem to find the attributes/properties for it.

 

What we already have :

adRoot:deptA

-          deptA-admins

-          Courses

o   2012-PHY101

-          Groups

o   AppA-Users

 

adRoot:deptB

-          deptB-admins

-          Courses
…

-          Groups
…

 

We need “deptA-admin” to be able to create groups and folder in adRoot:deptA and also in every existing and new stems (e.g. Courses and Groups), right now if I assign “create group” and “create folder” it only stays on the same level.  We also need members of “deptA-admins” to have admin rights on all the groups in the stem and sub-stems (e.g. deptA-admins, 2012-PHY101, AppA-Users …). Right now I haven’t found anything that does that except to manually add the admin group to each group.

 

Basically, I need to give each department full control on all objects from their base stem to the whole tree under it.

 

Thanks for your help.

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11