Grouper Users - Open Discussion List

[Chris Hyzer <>]

I think ideally you would add a rule which looks for groups not named Admin and assign the admin privilege, and another rule for groups named Admin and assign the update privilege.  Those rules would not fire on the same group so they would not conflict.

 

For the Admin one, you should be able to use the IF enum type: nameMatchesSqlLikeString:  %:Admin

 

For the non-admin one, it would be nice if there were nameNotMatchesSqlLikeString, but its not there, so you will have to use EL, something like:

 

${!groupName.endsWith(':Admins')}

 

Or if you wanted to do EL for the Admin one, it would be:

 

${groupName.endsWith(':Admins')}

 

Does it work?  J  You should test subfolders as well…  give me more info and the test cases and I can try to set it up also if it is more complicated than this…

 

Thanks,

Chris

 

From: Gagné Sébastien [mailto:]
Sent: Wednesday, August 29, 2012 1:28 PM
To: Chris Hyzer;
Subject: RE: Delegation on group administration

 

Hello again,

I’ve read these pages and did some coding, but I have another question:

-          What happens if there are more than one rule the could be applied to a group that have opposite results

 

My example, stem with groups :

stemA

-          Admins

-          groupA

-          groupB

 

I want to create a “Inherited privileges on folders” rule on stemA to give admin right on the all the groups contained in stemA, except for the group Admins which I only want update right. It would look something like this for a member of the Admins group :

 

stemA

-          Admins (read, update)

-          groupA (read, admin)

-          groupB (read, admin)

 

I thought of adding another rule based on the Group name “Admins” but I as understand, rules are unordered, so the “give only update right” rule might trigger before the “give admin right” which would overwrite the limited privileges.

 

Thanks

 

 

De : Chris Hyzer []
Envoyé : 15 août 2012 13:58
À : Gagné Sébastien;
Objet : RE: Delegation on group administration

 

Look at rules and see if that works…

 

https://spaces.internet2.edu/display/Grouper/Grouper+rules

 

Look at the inherited privileges ones:

 

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+cases

 

Thanks,

Chris

 

From: On Behalf Of Gagné Sébastien
Sent: Wednesday, August 15, 2012 1:10 PM
To:
Subject: [grouper-users] Delegation on group administration

 

Hi,

We have a use case here where each department have their own admins. These admin should be able to manage everything (i.e. full control) under their department’s stem/folder/OU, including subfolder and Groups. From what I read this should be a trivial task in Grouper but I cannot seem to find the attributes/properties for it.

 

What we already have :

adRoot:deptA

-          deptA-admins

-          Courses

o   2012-PHY101

-          Groups

o   AppA-Users

 

adRoot:deptB

-          deptB-admins

-          Courses
…

-          Groups
…

 

We need “deptA-admin” to be able to create groups and folder in adRoot:deptA and also in every existing and new stems (e.g. Courses and Groups), right now if I assign “create group” and “create folder” it only stays on the same level.  We also need members of “deptA-admins” to have admin rights on all the groups in the stem and sub-stems (e.g. deptA-admins, 2012-PHY101, AppA-Users …). Right now I haven’t found anything that does that except to manually add the admin group to each group.

 

Basically, I need to give each department full control on all objects from their base stem to the whole tree under it.

 

Thanks for your help.

 

 

Sébastien Gagné,     | Analyste en informatique

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11