Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] RE: addIncludeExclude groups

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] RE: addIncludeExclude groups


Chronological Thread 
  • From: David Langenberg <>
  • To: "Bryan E. Wooten" <>
  • Cc: Chris Hyzer <>, "" <>
  • Subject: Re: [grouper-users] RE: addIncludeExclude groups
  • Date: Tue, 7 Jan 2014 11:12:58 -0700

I'd play it by ear.  Start out with SoR only groups and hand-adding the exception groups as solid business cases arise.  If you do get to the point that exceptions processing is the new rule, then consider auto-creating them.  As you mentioned, the only group you REALLY care about is the one reflected into LDAP, so you can quite easily change-out the logic behind the membership of that group as your needs change.

Dave


On Tue, Jan 7, 2014 at 11:06 AM, Bryan E. Wooten <> wrote:

Dave,

 

Thanks for the sanity check. I may be over thinking this. I am still very much in the testing phase with Grouper but it is on the radar of a couple of major projects.

 

One is our hospital’s Sharepoint upgrade, I’ve just been trying anticipate their needs, but we’ve only had one meeting.

 

The other project is run by technology assisted curriculum center where they have a copyright compliance issue with course materials. (Only enrollees should be allowed view the material). Thus the course group configuration. I had just assumed instructors would to be able to ad-hoc and enrollees to accommodate guest lecturers and the like. Maybe this use case is not as prevalent as I believe.

 

Cheers,

 

Bryan

 

From: David Langenberg [mailto:]
Sent: Tuesday, January 07, 2014 10:48 AM
To: Bryan E. Wooten
Cc: Chris Hyzer;
Subject: Re: [grouper-users] RE: addIncludeExclude groups

 

Your design is sound, but I do wonder if you're taking things a bit too far with it.  For instance, you mention course groups. Do your use-cases demand that an instructor can add/remove students to/from the course/section outside of the student registration systems?  In general what we have found here is that when an instructor is trying to do that sort of thing, it's usually to try to get around some policy that the registrar is quite explicit about needing to be followed.  

 

The same deal for the Departmental groups.  What we do here is rely on the SoR to create them and then if a department comes to us with some additional needs, we'll setup the incl/excl (or grant them the rights to).  Not every department needs the incl/excl, most of the time that's only needed at the School/Divisional level.

 

Dave

 

On Tue, Jan 7, 2014 at 10:26 AM, Bryan E. Wooten <> wrote:

I guess I am really thick skulled, I still can’t figure out what the group query really does.

 

Anyway, what I really would to do is create automatically create a group for each include and exclude group whose members would have rights to add / remove members from the include or exclude groups. In my current use case this would allow dept managers to add people to their overall group.

 

In the future I want to create include/exclude groups for each course:section and then have a corresponding instructor group that would have rights to add/remove from the include and exclude groups. This would allow instructors to add un-enrolled guests to the overall class group. The goal is to empower end users to maintain their own groups without having to depend on the IT dept.

 

Finally I want to provision the overall group to LDAP. The overall group is only of use if it get provisioned to LDAP. Virtually every application wants to perform authorization base on group membership.

 

Of course my design might be fundamentally flawed so I open to other solutions / designs that meet my goal.

 

Thanks,

 

Bryan

 

From: Chris Hyzer [mailto:]
Sent: Monday, January 06, 2014 1:58 PM


To: Bryan E. Wooten;
Subject: RE: addIncludeExclude groups

 

The group query is a query that returns each group managed by a list of groups, and metadata for them.

 

However, I don’t know how the privileges would work if include/exclude is used.  i.e. normally if you use privs, it will apply to each loader group.  But if you are applying privs to certain of the 5 include/exclude groups, then I don’t think it works like that right now.  Do you want me to take a look and see?

 

Would the managers also need READ access to the overall group, and possibly the system of record group?

 

Thanks,

Chris

 

 

 

From: Bryan E. Wooten []
Sent: Monday, January 06, 2014 1:42 PM
To: Chris Hyzer;
Subject: RE: addIncludeExclude groups

 

Yes those are the pages I’ve been trying to get my head around.

 

Ah Ha! Don’t use the addIncludeExclude check box when creating the loader job! Just put that string in the grouperLoaderGroupTypes attribute!

 

I am still having trouble fully understanding the grouperLoaderGroupQuery and how to use it.

 

What I have now is an IncludeExclude group for each Dept. What I would like to do is automatically create a group for each dept that contains just managers. (ie DeptMgr group).  I would like to assign these groups read/update privs to the respective dept’s include and exclude groups only. Or am I thinking about the use case incorrectly?

 

Thanks for all your patience,

 

Bryan

 

From: Chris Hyzer []
Sent: Monday, January 06, 2014 10:35 AM
To: Bryan E. Wooten;
Subject: RE: addIncludeExclude groups

 

The loader job itself shouldn’t be include/exclude, the generated/managed groups should be.

 

https://spaces.internet2.edu/display/Grouper/Grouper+-+Loader

 

Did you see this?

 

https://spaces.internet2.edu/display/Grouper/Grouper+Loader+classlist+example+from+Penn

 

I think the group name from the loader query should end in _systemOfRecord

 

Make the grouperLoaderGroupTypes by addIncludeExclude

 

You can have a query for the users as normal, then a group query.  This has a row for each group, and has the privs associated with it in columns.  In the admins col, put the name of the group which should be an admin.

 

If you cant get it working, give me the detailed design for exactly what you want, which group names, etc. and I can make you an example.

 

Thanks,

Chris

 

 

 

 

 

 

From: Bryan E. Wooten []
Sent: Monday, January 06, 2014 12:03 PM
To: Chris Hyzer;
Subject: RE: addIncludeExclude groups

 

Thanks Chris,

 

Well I think I get it, but now I have confused myself even more. So I created an addIncludeExclude group called foo,  it is a SQL_GROUP_LIST with a grouperLoaderQuery: select group_name, subject_id, 'ldap' from UUIDM.UU_IDM_DEPT (this is a view).

 

When I created the foo group  the UI also created “foo exludes”, “foo_includes”, “foo system of record” and “foo system of record and includes”.  All as expected.

 

However when I run the job I get a group called “deptX_systemOfRecord as expected. But I don’t see any include or exclude groups (or other groups) created.

 

Am I missing something?

 

Also I am unclear on the purpose of the  “grouperLoaderGroupQuery”. I couldn’t find anything in the wiki.

 

Thanks,

 

Bryan

From: Chris Hyzer []
Sent: Monday, January 06, 2014 8:52 AM
To: Bryan E. Wooten;
Subject: RE: addIncludeExclude groups

 

You are talking about a list of groups right?  Do they all have the same admin privs?

 

You need a col in the group query called “admins”, and list the group name there that should be an admin of each loader group.  Then in that group, mark it include/exclude in the UI, or if it is a loader group itself, then do the same thing you did on the other one.

 

Know what I mean?

 

Or if all your loaded groups are in a folder, you could apply a rule in that folder (and subfolders) to have a certain include/exclude group be admin of all groups.

 

Ok?

 

Thanks,

Chris

 

From: [] On Behalf Of Bryan E. Wooten
Sent: Monday, January 06, 2014 10:20 AM
To:
Subject: [grouper-users] addIncludeExclude groups

 

So I can successfully create a grouper loader group with andIncludesExcludes, but now I need to create a grouper loader group with admin privileges to the include and exclude groups. I can’t figure out how to do this.

 

Any hints?

 

Thanks,

 

Bryan



 

--
David Langenberg

Identity & Access Management

The University of Chicago




--
David Langenberg
Identity & Access Management
The University of Chicago



Archive powered by MHonArc 2.6.16.

Top of Page