Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Using one group for different purposes

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Using one group for different purposes


Chronological Thread 
  • From: David Langenberg <>
  • To: David Millar <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Using one group for different purposes
  • Date: Mon, 26 Aug 2013 10:13:00 -0600

We try to be descriptive about this when we name groups and fill out their description fields.  User education though plays an even bigger part.   With that said, we do occasionally find ourselves assisting with untangling mis-applied understanding of groups & their memberships.

Dave


On Mon, Aug 26, 2013 at 9:28 AM, David Millar <> wrote:
Greetings all,

When one group serves multiple purposes, are there best practices to
minimize the likelihood that a group administrator makes bad
assumptions about the policy for group membership?

Say that TA #1 creates a group to manage a class mailing list, and the
class policy is that both registered students as well as those auditing
the class may be subscribed to the mailing list.

Then, say that another TA for that class, TA #2 sees that group, and
decides to use it for access control in Active Directory for class
resources.

Let's say that class policy  is that only registered students may access
domain resources, and TA #2 does not realize that the group TA #1
created is too inclusive for her purposes.

What is the best way to maximize the odds that TA #2 will understand
that TA #1 includes auditors, and takes appropriate steps to exclude
them from  her group?

Is it primarily a matter of user education?  Or is this best achieved
through group naming or group description standards?  Is there any more
systematic way to try to make this happen (like a field in a group called
"membership policy"?)

[To be clear: I'm not asking how to create two different groups.  I can see
how we could simply use an attribute like 'IsRegistered' for this purpose.
Rather, I'm asking how to minimize the likelihood that  someone makes bad
assumptions about how group membership is determined.]

Thanks in advance,
Dave Millar
Principal Security Analyst
Boston College
www.linkedin.com/in/millardavid/










--
David Langenberg
Identity & Access Management
The University of Chicago



Archive powered by MHonArc 2.6.16.

Top of Page