
grouper-users - [grouper-users] RE: Delegation on group administration

Subject: Grouper Users - Open Discussion List


[grouper-users] RE: Delegation on group administration

  • From: Gagné Sébastien <>
  • To: "Chris Hyzer" <>, <>
  • Subject: [grouper-users] RE: Delegation on group administration
  • Date: Fri, 31 Aug 2012 12:57:42 -0400

Ok, that’s what I thought but couldn’t find the “not named like” function. Would these rules be triggered by the RuleDaemon to apply them to previously created groups?


Another question: are privileges given by rules additive or definitive?

If two rules (let’s say they are for different Stems, but one is in a subfolder of the other) give privileges on a group, will the second application add the new right (e.g. Admin) to the rights given by the first one (let’s say Read, View) or replace it? In additive mode you would have Admin, Read and View, while in definitive you would only have Admin OR Read, View (depending on the order).


From: Chris Hyzer [mailto:]
Sent: 31 August 2012 01:32
To: Gagné Sébastien;
Subject: RE: Delegation on group administration


I think ideally you would add a rule which looks for groups not named Admin and assign the admin privilege, and another rule for groups named Admin and assign the update privilege.  Those rules would not fire on the same group so they would not conflict.


For the Admin one, you should be able to use the IF enum type: nameMatchesSqlLikeString:  %:Admin


For the non-admin one, it would be nice if there were nameNotMatchesSqlLikeString, but it's not there, so you will have to use EL, something like:




Or if you wanted to do EL for the Admin one, it would be:




Does it work?  :)  You should test subfolders as well…  Give me more info and the test cases and I can try to set it up also if it is more complicated than this…





From: Gagné Sébastien
Sent: Wednesday, August 29, 2012 1:28 PM
To: Chris Hyzer;
Subject: RE: Delegation on group administration


Hello again,

I’ve read these pages and did some coding, but I have another question:

- What happens if there is more than one rule that could be applied to a group, with opposite results?


My example, stem with groups:

- Admins
- groupA
- groupB


I want to create an “Inherited privileges on folders” rule on stemA to give admin rights on all the groups contained in stemA, except for the group Admins, on which I only want update rights. It would look something like this for a member of the Admins group:



- Admins (read, update)
- groupA (read, admin)
- groupB (read, admin)


I thought of adding another rule based on the Group name “Admins” but as I understand, rules are unordered, so the “give only update right” rule might trigger before the “give admin right” rule, which would overwrite the limited privileges.





From: Chris Hyzer []
Sent: 15 August 2012 13:58
To: Gagné Sébastien;
Subject: RE: Delegation on group administration


Look at rules and see if that works…


Look at the inherited privileges ones:





From: On Behalf Of Gagné Sébastien
Sent: Wednesday, August 15, 2012 1:10 PM
Subject: [grouper-users] Delegation on group administration



We have a use case here where each department has its own admins. These admins should be able to manage everything (i.e. full control) under their department’s stem/folder/OU, including subfolders and Groups. From what I read this should be a trivial task in Grouper but I cannot seem to find the attributes/properties for it.


What we already have:

- deptA-admins
- Courses
    o 2012-PHY101
- Groups
    o AppA-Users

- deptB-admins
- Courses
- Groups


We need “deptA-admin” to be able to create groups and folders in adRoot:deptA and also in every existing and new stem (e.g. Courses and Groups). Right now, if I assign “create group” and “create folder”, it only stays on the same level.  We also need members of “deptA-admins” to have admin rights on all the groups in the stem and sub-stems (e.g. deptA-admins, 2012-PHY101, AppA-Users …). Right now I haven’t found anything that does that except to manually add the admin group to each group.


Basically, I need to give each department full control on all objects from their base stem to the whole tree under it.


Thanks for your help.



Sébastien Gagné,     | IT Analyst

514-343-6111 x33844  | Université de Montréal,

                     | Pavillon Roger-Gaudry, local X-100-11
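

Added example, not part of the thread or of Grouper's code: a Python dry run of the rule split suggested above (one rule for group names matching a SQL LIKE string, one for all other names) against the group names from the thread, so the privilege each group would receive can be checked before the rules are created. The LIKE translation is a case-sensitive model of SQL LIKE semantics, and the `stemA:sub:` names are constructed to cover the subfolder case.

```python
import re

def like_to_regex(pattern):
    """Translate a SQL LIKE string (% = any run, _ = one char) to an anchored regex."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "%" else "." if ch == "_" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)

def dry_run(group_names, like_pattern, match_priv="update", other_priv="admin"):
    """Return {group: privilege} for a rule pair split on one LIKE pattern.

    Rule 1 fires when the name matches like_pattern, rule 2 when it does not,
    so exactly one rule fires per group and evaluation order cannot matter.
    """
    rx = like_to_regex(like_pattern)
    return {name: (match_priv if rx.match(name) else other_priv)
            for name in group_names}

def unexpected(plan, expected):
    """Groups whose dry-run privilege differs from the intended one."""
    return sorted(n for n, p in expected.items() if plan.get(n) != p)

# Constructed names: the stem layout from the thread plus a hypothetical subfolder.
GROUPS = ["stemA:Admins", "stemA:groupA", "stemA:groupB",
          "stemA:sub:Admin", "stemA:sub:groupC"]
# Intended outcome from the thread: update on the Admins group, admin elsewhere.
EXPECTED = {"stemA:Admins": "update",
            "stemA:groupA": "admin",
            "stemA:groupB": "admin"}

if __name__ == "__main__":
    # Compare the pattern quoted in the thread with one ending in "Admins".
    for pattern in ("%:Admin", "%:Admins"):
        plan = dry_run(GROUPS, pattern)
        print(pattern)
        for name, priv in plan.items():
            print(f"  {name:20} -> {priv}")
        print("  mismatches:", unexpected(plan, EXPECTED))
```
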

