Grouper Users - Open Discussion List

[Steven Carmody <>]

Hi,

We've been looking at this (not at the internal ACL support for 
permissions directly against groups, but rather the framework for 
managing Permissions).

My understanding is that you can define a "Permission" within Grouper. A 
role is represented as a group. Permissions are created as child 
attributes on a resources stem. To assign a permission to a role, the 
group's permission role delegate has the permission assigned to it. Is 
that correct ?

What I don't understand is the relationship between a Permission being 
granted within Grouper for some action in an system eternal to Grouper, 
and that Permission being implemented (checked) in the external system. 
Obviously, you'd like these two things to be linked.

The external system could query Grouper at run time (thus using Grouper 
as a PDP). But, very few systems do that.

We see that Grouper can also generate an event when a permission is 
assigned to a role. We're already using events to synch group 
memberships to ldap, google, and elsewhere, and are already familiar 
with that model.

Are there any examples where sites are using permission related events 
to actually "set" Permission Rules within external systems ?

Or... are there other ways to use Grouper's Permissions framework to 
control permissions in external systems ?

Thanks !