
grouper-users - RE: [grouper-users] Defining rule-based group privileges?

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer
  • To: Gagné Sébastien, Peter DiCamillo
  • Subject: RE: [grouper-users] Defining rule-based group privileges?
  • Date: Wed, 30 Jan 2013 22:55:48 +0000
  • Accept-language: en-US

Dynamic group privileges have the same problem as LDAP groups... we do
queries and join to security views which must be established in the database.
If we have to do something external, then we can't browse the database in a
performant way... You

> We've encountered performance problems when assigning the members of a
> group privileges to thousands of groups,

I think that was on an old version of Grouper, this is not a problem anymore,
right?

> and we'd also like to be able to add and change
> rules-based privileges after the groups have been created.

As Sebastien says there is a cron which allows you to add privileges to
existing groups.

The rule right now is coded to add to privileges in the groups so that groups
could have individual privileges above and beyond the "ruled" ones. If you
want a rule that replaces privileges, that could be written. If you want one
that remembers which privileges were assigned due to the rule, so only those
can be changed later, that is more complex, but I could imagine such a thing
I guess...

Thanks,
Chris

-----Original Message-----
From: [mailto:] On Behalf Of Gagné Sébastien
Sent: Wednesday, January 30, 2013 1:24 PM
To: Peter DiCamillo;
Subject: RE: [grouper-users] Defining rule-based group privileges?

I don't think dynamic privileges are supported yet, but we would also like
something like that. One major problem is that if you remove a rule, all
previously assigned privileges will still be applied to all previous groups.
You would need to modify each group to undo what the rule did.

As for rules application, they are indeed applied at group creation, but
there's also a process in the grouper daemon/loader that will check if all
the rules are properly applied. This will execute the rules on all existing
groups. See grouper-loader.properties:

# when the rules validations and daemons run. Leave blank to not run
rules.quartz.cron = 0 20 9 * * ?

-----Original Message-----
From: [mailto:] On Behalf Of Peter DiCamillo
Sent: January 28, 2013 16:33
To:
Subject: [grouper-users] Defining rule-based group privileges?

We have some situations where we'd like to be able to assign privileges to
groups by the evaluation of a rule. For example, rather than assigning
privileges for instructional support staff to thousands of course groups,
we'd like to set up a rule that gives them staff privileges because a course
group is at some level under the COURSE stem. Is there a way to do that in
Grouper?

I looked at the Grouper rules documentation, but as far as I can tell,
Grouper rules only set privileges when a group is created, and the end result
is still individual privileges set on each group rather than applying a rule
to determine privileges. We've encountered performance problems when
assigning the members of a group privileges to thousands of groups, and we'd
also like to be able to add and change rules-based privileges after the groups
have been created.

Peter
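
The thread contrasts a rule that only adds privileges with one that remembers which privileges it assigned, so that removing the rule can undo them. The sketch below models that difference; it is an added example, not Grouper code and not written by any of the posters, and the class, method names, group names and rule id are all hypothetical.

```python
from collections import defaultdict

DIRECT = "direct"  # source tag for a grant made by hand on one group

class PrivilegeStore:
    """Toy model (not Grouper code): each grant records why it exists."""
    def __init__(self):
        # group name -> {(subject, privilege): set of source tags}
        self.grants = defaultdict(lambda: defaultdict(set))

    def grant(self, group, subject, priv, source=DIRECT):
        self.grants[group][(subject, priv)].add(source)

    def effective(self, group):
        return sorted(k for k, src in self.grants[group].items() if src)

    def apply_rule(self, rule_id, stem, subject, privs, track):
        """Additive pass over every group under the stem, as a scheduled run would do."""
        for group in list(self.grants):
            if group.startswith(stem + ":"):
                for priv in privs:
                    # Untracked rule grants look exactly like manual ones.
                    self.grant(group, subject, priv, rule_id if track else DIRECT)

    def retire_rule(self, rule_id):
        """Withdraw only the rule's contribution; return the grants that disappear."""
        revoked = []
        for group, entries in self.grants.items():
            for key, sources in entries.items():
                if rule_id in sources:
                    sources.discard(rule_id)
                    if not sources:
                        revoked.append((group,) + key)
        return sorted(revoked)

def demo(track):
    """Constructed scenario: one manual grant, one stem-wide rule, then the rule is retired."""
    store = PrivilegeStore()
    groups = ["COURSE:bio:200", "COURSE:math:101", "OTHER:payroll"]
    for g in groups:
        store.grants[g]  # register the group with no grants yet
    store.grant("COURSE:math:101", "support_staff", "read")  # predates the rule
    store.apply_rule("rule-1", "COURSE", "support_staff", ["read", "update"], track)
    revoked = store.retire_rule("rule-1")
    return revoked, {g: store.effective(g) for g in groups}

if __name__ == "__main__":
    for track in (False, True):
        print("tracked" if track else "untracked", demo(track))
```

Without tracking, retiring the rule revokes nothing and every course group keeps the staff grants; with tracking, only the rule's contribution is withdrawn and the manual read grant on the one group survives.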


