Subject: Grouper Users - Open Discussion List
- From: Tim Darby <>
- To: Chris Hyzer <>
- Cc: "" <>
- Subject: Re: [grouper-users] Grouper rules question
- Date: Wed, 5 Feb 2014 15:37:25 -0700
The University of Arizona
Mosaic, Systems Integration and Architecture
UITS, Rm 335, 520-626-3799
Nothing exists right now that could do that, we would need to add it… just curious, do you envision a daemon that would assign those privileges if someone unassigns them?
Thanks Chris, that's what I thought, but I was also wondering if it's possible to create a single rule that covers all such requests. So, let's say we always named the security group "DeptAdmins". Then, we'd have:
Is it possible to have a rule to assign ADMIN and STEM rights to any group named DeptAdmins for its parent folder, no matter what folder DeptAdmins is in?
On Wed, Feb 5, 2014 at 11:16 AM, Chris Hyzer <> wrote:
Definitely do a group. I would create a security group in their folder when you create their folder.
arizona:users:jsmith is their folder
arizona:users:security:jsmith_admins is a group which contains them
put two rules on arizona:users:jsmith, one for groups, one for folders, and assign ADMIN for groups to arizona:users:security:jsmith_admins, and STEM for folders to arizona:users:security:jsmith_admins. You could also assign ATTR_ADMIN to attribute definitions if you want
We've created a self-service web app to allow departments on campus to request their own folder in one of our stems. After we approve it, the app creates the folder via Grouper WS. Ideally, we'd like not just the requester but any person they choose to have full control over any subfolders or groups they create.
It looks like rules might be a good way to implement this, but would we have to create a separate rule for each request, along the lines of "this specific admin group gets admin rights on everything in the requested folder and below? Or is it possible to create a more generic rule, like this:
"Any group named DeptAdmins has admin rights to its parent folder (the folder created for the requesting dept) and any group or folder below that folder"
- [grouper-users] Grouper rules question, Tim Darby, 02/05/2014
Archive powered by MHonArc 2.6.16.