grouper-users - [grouper-users] RE: Delegation on group administration
Subject: Grouper Users - Open Discussion List
- From: Gagné Sébastien <>
- To: "Chris Hyzer" <>, <>
- Subject: [grouper-users] RE: Delegation on group administration
- Date: Fri, 31 Aug 2012 12:57:42 -0400
Ok, that’s what I thought but couldn’t find the “not named like” function. Would these rules be triggered by the RuleDaemon to apply it for previously created groups?

Another question: are privileges given by rules additive or definitive? If two rules (let’s say they are for different Stems, but one is in a subfolder of the other) give privileges on a group, will the second application add the new right (e.g. Admin) to the rights given by the first one (let’s say Read, View) or replace it? In additive mode you would have Admin, Read and View, while in definitive you would only have Admin OR Read, View (depending on the order).

From: Chris Hyzer [mailto:]

I think ideally you would add a rule which looks for groups not named Admin and assign the admin privilege, and another rule for groups named Admin and assign the update privilege. Those rules would not fire on the same group so they would not conflict.

For the Admin one, you should be able to use the IF enum type:

    nameMatchesSqlLikeString: %:Admin

For the non-admin one, it would be nice if there were nameNotMatchesSqlLikeString, but it's not there, so you will have to use EL, something like:

    ${!groupName.endsWith(':Admins')}

Or if you wanted to do EL for the Admin one, it would be:

    ${groupName.endsWith(':Admins')}

Does it work? :) You should test subfolders as well… give me more info and the test cases and I can try to set it up also if it is more complicated than this…

Thanks,
Chris

From: Gagné Sébastien

Hello again,

I’ve read these pages and did some coding, but I have another question:

- What happens if there are more than one rule that could be applied to a group that have opposite results

My example, stem with groups:

    stemA
    - Admins
    - groupA
    - groupB

I want to create an “Inherited privileges on folders” rule on stemA to give admin right on all the groups contained in stemA, except for the group Admins which I only want update right. It would look something like this for a member of the Admins group:

    stemA
    - Admins (read, update)
    - groupA (read, admin)
    - groupB (read, admin)

I thought of adding another rule based on the Group name “Admins” but as I understand, rules are unordered, so the “give only update right” rule might trigger before the “give admin right” which would overwrite the limited privileges.

Thanks

From: Chris Hyzer []

Look at rules and see if that works…

https://spaces.internet2.edu/display/Grouper/Grouper+rules

Look at the inherited privileges ones:

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+cases

Thanks,
Chris

From: On Behalf Of Gagné Sébastien

Hi,

We have a use case here where each department has their own admins. These admins should be able to manage everything (i.e. full control) under their department’s stem/folder/OU, including subfolders and Groups. From what I read this should be a trivial task in Grouper but I cannot seem to find the attributes/properties for it.

What we already have:

    adRoot:deptA
    - deptA-admins
    - Courses
      o 2012-PHY101
    - Groups
      o AppA-Users
    adRoot:deptB
    - deptB-admins
    - Courses
    - Groups

We need “deptA-admin” to be able to create groups and folders in adRoot:deptA and also in every existing and new stem (e.g. Courses and Groups); right now if I assign “create group” and “create folder” it only stays on the same level.

We also need members of “deptA-admins” to have admin rights on all the groups in the stem and sub-stems (e.g. deptA-admins, 2012-PHY101, AppA-Users …). Right now I haven’t found anything that does that except to manually add the admin group to each group.

Basically, I need to give each department full control on all objects from their base stem to the whole tree under it.

Thanks for your help.

Sébastien Gagné, | Analyste en informatique
514-343-6111 x33844 | Université de Montréal, | Pavillon Roger-Gaudry, local X-100-11 |
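An added example, not part of the original thread and not Grouper code: a small Python model of the two name-based rule conditions discussed above, run over a constructed group list, that reports any group matched by both rules or by neither. It assumes standard, case-sensitive SQL LIKE semantics for nameMatchesSqlLikeString; the helper names sql_like and audit are hypothetical.

```python
import re

# Constructed sample tree: the group names from the thread plus one subfolder.
GROUPS = ["stemA:Admins", "stemA:groupA", "stemA:groupB",
          "stemA:sub:Admins", "stemA:sub:groupC"]

def sql_like(pattern, name):
    """Standard SQL LIKE: % is any run of characters, _ is exactly one.
    Case-sensitive matching is an assumption of this model."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, re.DOTALL) is not None

def audit(groups, update_like, admin_excluded_suffix):
    """Model the two rules and report the privileges each group ends up with.

    update rule: fires when the name matches update_like           -> read, update
    admin rule:  fires when the name does NOT end with the suffix  -> read, admin
    Returns (assignments, conflicts, uncovered).
    """
    assignments, conflicts, uncovered = {}, [], []
    for name in groups:
        update_fires = sql_like(update_like, name)
        admin_fires = not name.endswith(admin_excluded_suffix)
        if update_fires and admin_fires:
            conflicts.append(name)   # both rules fire on the same group
        elif update_fires:
            assignments[name] = ("read", "update")
        elif admin_fires:
            assignments[name] = ("read", "admin")
        else:
            uncovered.append(name)   # neither rule fires: no delegated privilege
    return assignments, conflicts, uncovered

if __name__ == "__main__":
    # Compare the LIKE pattern as written in the thread with one that uses
    # the same suffix as the EL expression.
    for like in ("%:Admin", "%:Admins"):
        assignments, conflicts, uncovered = audit(GROUPS, like, ":Admins")
        print(f"LIKE {like!r}: conflicts={conflicts} uncovered={uncovered}")
        for name, privs in sorted(assignments.items()):
            print(f"  {name}: {', '.join(privs)}")
```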
- [grouper-users] Delegation on group administration, Gagné Sébastien, 08/15/2012
- [grouper-users] RE: Delegation on group administration, Chris Hyzer, 08/15/2012
- [grouper-users] RE: Delegation on group administration, Gagné Sébastien, 08/29/2012
- [grouper-users] RE: Delegation on group administration, Chris Hyzer, 08/31/2012
- [grouper-users] RE: Delegation on group administration, Gagné Sébastien, 08/31/2012
- [grouper-users] RE: Delegation on group administration, Chris Hyzer, 08/31/2012
- [grouper-users] RE: Delegation on group administration, Gagné Sébastien, 08/29/2012
- [grouper-users] RE: Delegation on group administration, Chris Hyzer, 08/15/2012