
grouper-users - [grouper-users] RE: Delegation on group administration

Subject: Grouper Users - Open Discussion List


[grouper-users] RE: Delegation on group administration

  • From: Chris Hyzer <>
  • To: Gagné Sébastien <>, "" <>
  • Subject: [grouper-users] RE: Delegation on group administration
  • Date: Fri, 31 Aug 2012 05:31:40 +0000
  • Accept-language: en-US

I think ideally you would add a rule which looks for groups not named Admin and assign the admin privilege, and another rule for groups named Admin and assign the update privilege.  Those rules would not fire on the same group so they would not conflict.


For the Admin one, you should be able to use the IF enum type: nameMatchesSqlLikeString:  %:Admin


For the non-admin one, it would be nice if there were nameNotMatchesSqlLikeString, but it's not there, so you will have to use EL, something like:




Or if you wanted to do EL for the Admin one, it would be:




Does it work?  :)  You should test subfolders as well…  give me more info and the test cases and I can try to set it up also if it is more complicated than this…





From: Gagné Sébastien [mailto:]
Sent: Wednesday, August 29, 2012 1:28 PM
To: Chris Hyzer;
Subject: RE: Delegation on group administration


Hello again,

I’ve read these pages and did some coding, but I have another question:

-          What happens if there is more than one rule that could be applied to a group that have opposite results?


My example, stem with groups :


-          Admins

-          groupA

-          groupB


I want to create an “Inherited privileges on folders” rule on stemA to give admin rights on all the groups contained in stemA, except for the group Admins, on which I only want the update right. It would look something like this for a member of the Admins group:



-          Admins (read, update)

-          groupA (read, admin)

-          groupB (read, admin)


I thought of adding another rule based on the group name “Admins”, but as I understand, rules are unordered, so the “give only update right” rule might trigger before the “give admin right” rule, which would overwrite the limited privileges.





From: Chris Hyzer []
Sent: August 15, 2012 13:58
To: Gagné Sébastien;
Subject: RE: Delegation on group administration


Look at rules and see if that works…


Look at the inherited privileges ones:





From: On Behalf Of Gagné Sébastien
Sent: Wednesday, August 15, 2012 1:10 PM
Subject: [grouper-users] Delegation on group administration



We have a use case here where each department has its own admins. These admins should be able to manage everything (i.e. full control) under their department’s stem/folder/OU, including subfolders and groups. From what I read this should be a trivial task in Grouper, but I cannot seem to find the attributes/properties for it.


What we already have :


-          deptA-admins

-          Courses

o   2012-PHY101

-          Groups

o   AppA-Users



-          deptB-admins

-          Courses

-          Groups


We need “deptA-admin” to be able to create groups and folders in adRoot:deptA and also in every existing and new stem (e.g. Courses and Groups). Right now, if I assign “create group” and “create folder”, it only stays on the same level.  We also need members of “deptA-admins” to have admin rights on all the groups in the stem and sub-stems (e.g. deptA-admins, 2012-PHY101, AppA-Users …). Right now I haven’t found anything that does that except to manually add the admin group to each group.


Basically, I need to give each department full control on all objects from their base stem to the whole tree under it.


Thanks for your help.



Sébastien Gagné,     | IT Analyst

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11
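
Added example, not part of the thread and not Grouper code: a small Python model of the two-rule design from the reply at the top, which checks over a list of group names (subfolders included) that the SQL LIKE condition `%:Admin` and its negation never fire on the same group. The function names and the sample group names are hypothetical, constructed for this illustration.

```python
import re

def sql_like(pattern, name):
    """True if name matches a SQL LIKE pattern (% = any run, _ = one char)."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, flags=re.DOTALL) is not None

def exclusive_rules(admin_like):
    """Design from the reply: two rules with complementary name conditions."""
    return [
        ("admin-group rule", lambda n: sql_like(admin_like, n), "update"),
        ("other-groups rule", lambda n: not sql_like(admin_like, n), "admin"),
    ]

def overlapping_rules(admin_like):
    """Design from the question: the folder-wide rule fires on every group."""
    return [
        ("admin-group rule", lambda n: sql_like(admin_like, n), "update"),
        ("folder-wide rule", lambda n: True, "admin"),
    ]

def evaluate(rules, names):
    """Map each group name to the privileges of every rule that fires on it."""
    return {n: [priv for _, cond, priv in rules if cond(n)] for n in names}

def overlaps(result):
    """Groups on which more than one rule fired (the conflict case)."""
    return sorted(n for n, privs in result.items() if len(privs) > 1)

# Constructed sample names; "stemA:Admins" is included to show that the
# pattern is matched literally, so it has to equal the real group name.
SAMPLE_GROUPS = [
    "stemA:Admin", "stemA:Admins", "stemA:groupA", "stemA:groupB",
    "stemA:sub:Admin", "stemA:sub:groupC",
]

if __name__ == "__main__":
    for label, rules in (("exclusive", exclusive_rules("%:Admin")),
                         ("overlapping", overlapping_rules("%:Admin"))):
        result = evaluate(rules, SAMPLE_GROUPS)
        print(label)
        for name, privs in result.items():
            print(f"  {name:18} -> {privs}")
        print("  overlaps:", overlaps(result))
```
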

