List: grouper-users (Grouper Users - Open Discussion List)

RE: [grouper-users] using Grouper's Permissions framework


  • From: Chris Hyzer <>
  • To: Steven Carmody <>, Grouper-Users <>
  • Subject: RE: [grouper-users] using Grouper's Permissions framework
  • Date: Tue, 27 May 2014 20:05:03 +0000
  • Accept-language: en-US

Others can reply too, but here are my thoughts:


> My understanding is that you can define a "Permission" within Grouper.

Right

> A role is represented as a group.

It's a special group of type "role"

> Permissions are created as child attributes on a resources stem.

They are a permission resource on any stem. Anyone with CREATE on a stem can
create a permission in that stem/folder.

> To assign a permission to a role, the group's permission role delegate has
> the permission assigned to it. Is that correct?

That describes how to do it in the API, but yes, permissions can be assigned
to roles or to users which have roles.

> What I don't understand is the relationship between a Permission being
> granted within Grouper for some action in a system external to Grouper,
> and that Permission being implemented (checked) in the external system.
> Obviously, you'd like these two things to be linked.

Well, the external system can call a WS to grouper to see if a user has a
permission, or it can get all permissions associated with an application and
export them and check itself.

> The external system could query Grouper at run time (thus using Grouper
> as a PDP). But, very few systems do that.

Yes, it could, or it could cache them locally and check locally. You could
have a change log consumer send it a message telling it when to refresh (that
is what we do here).

> We see that Grouper can also generate an event when a permission is
> assigned to a role. We're already using events to synch group
> memberships to ldap, google, and elsewhere, and are already familiar
> with that model.

Yes

> Are there any examples where sites are using permission related events
> to actually "set" Permission Rules within external systems ?

We currently do this with XMPP messages from a change log consumer, though we
plan to move to AWS SNS/SQS. It could easily be ActiveMQ or whatever else.

Here are some options:

1. Export permissions to the system as a whole. Use messaging to refresh.
System checks permissions itself.
2. Export permissions for a user on login, then check locally. Expect the
user to logout/login to refresh? Or use messages.
3. Use Grouper as a PDP

Would be nice to be able to easily use a SaaS caching service for PDP like
AWS CloudSearch (and use messaging to keep it up to date). Or maybe the
grouper WS could use some caching to make it very fast.

Thanks,
Chris
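Added example (Python), not code from the message above or from the Grouper project, sketching option 1 from Chris's list: the application holds a full export of its permissions, answers checks locally, and reloads the whole export when a change-log consumer sends a refresh message. The export format, the message shape, the `*` wildcard in resource names, and the rule that an assignment naming a subject applies only to that subject's membership in the role are all assumptions made for this example; whatever call would fetch the export from Grouper is stood in for by a `fetch_export` callback so the code runs offline.

```python
import fnmatch
import json
import threading
from typing import Callable


class PermissionCache:
    """Local copy of one application's exported permissions (option 1).

    The snapshot is swapped atomically on refresh, so a check never observes a
    half-applied update, and an empty cache denies everything (fail closed).
    """

    def __init__(self, fetch_export: Callable[[], str]):
        self._fetch_export = fetch_export  # returns the full export as JSON text
        self._lock = threading.Lock()
        self._version = -1
        self._role_members: dict[str, set[str]] = {}
        self._assignments: list[dict] = []

    def refresh(self) -> int:
        """Pull the whole export again; returns the version now in effect."""
        snapshot = json.loads(self._fetch_export())
        role_members = {r: set(m) for r, m in snapshot["roles"].items()}
        assignments = list(snapshot["assignments"])
        with self._lock:
            self._version = int(snapshot["version"])
            self._role_members = role_members
            self._assignments = assignments
            return self._version

    def on_change_log_message(self, raw: str) -> bool:
        """Handle a message from a change-log consumer; True if a reload happened."""
        msg = json.loads(raw)  # assumed shape: {"type": "refresh", "version": N}
        if msg.get("type") != "refresh":
            return False
        with self._lock:
            current = self._version
        if int(msg.get("version", 0)) <= current:
            return False  # stale or redelivered message; queues may deliver twice
        self.refresh()
        return True

    def has_permission(self, subject: str, action: str, resource: str) -> bool:
        with self._lock:
            role_members, assignments = self._role_members, self._assignments
        for a in assignments:
            # fnmatch lets "app:payroll:*" cover every resource under that prefix.
            if a["action"] != action or not fnmatch.fnmatchcase(resource, a["resource"]):
                continue
            # Assumed semantics: membership in the role is always required, and an
            # assignment that also names a subject covers only that subject.
            if subject not in role_members.get(a["role"], set()):
                continue
            if a.get("subject") not in (None, subject):
                continue
            return True
        return False


# Constructed sample exports (not real Grouper output). Version 2 drops mjones
# from the admin role and gives alee, a viewer, a subject-level write on reports.
_ADMIN, _VIEWER = "app:roles:payrollAdmin", "app:roles:payrollViewer"
_BASE = [
    {"role": _ADMIN, "action": "read", "resource": "app:payroll:*"},
    {"role": _ADMIN, "action": "write", "resource": "app:payroll:*"},
    {"role": _VIEWER, "action": "read", "resource": "app:payroll:reports"},
]
SAMPLE_EXPORTS = {
    1: {"version": 1, "roles": {_ADMIN: ["jsmith", "mjones"], _VIEWER: ["alee"]},
        "assignments": _BASE},
    2: {"version": 2, "roles": {_ADMIN: ["jsmith"], _VIEWER: ["alee"]},
        "assignments": _BASE + [
            {"role": _VIEWER, "subject": "alee", "action": "write", "resource": "app:payroll:reports"},
            # bwong is named but is not a member of the role, so this grants nothing.
            {"role": _VIEWER, "subject": "bwong", "action": "write", "resource": "app:payroll:reports"},
        ]},
}


def run_demo() -> dict:
    """Walks through export, local check and message-driven refresh; returns what was observed."""
    source = {"version": 1}  # stands in for the Grouper side of the export call
    cache = PermissionCache(lambda: json.dumps(SAMPLE_EXPORTS[source["version"]]))
    r = {"unloaded_denies": not cache.has_permission("jsmith", "read", "app:payroll:reports")}
    cache.refresh()
    r["admin_write_v1"] = cache.has_permission("mjones", "write", "app:payroll:reports")
    r["viewer_write_v1"] = cache.has_permission("alee", "write", "app:payroll:reports")
    source["version"] = 2  # Grouper now serves the new export ...
    r["reloaded"] = cache.on_change_log_message('{"type": "refresh", "version": 2}')
    r["duplicate_ignored"] = cache.on_change_log_message('{"type": "refresh", "version": 2}')
    r["admin_write_v2"] = cache.has_permission("mjones", "write", "app:payroll:reports")
    r["viewer_write_v2"] = cache.has_permission("alee", "write", "app:payroll:reports")
    r["viewer_write_other_v2"] = cache.has_permission("alee", "write", "app:payroll:salaries")
    r["nonmember_subject_denied"] = not cache.has_permission("bwong", "write", "app:payroll:reports")
    return r


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The two points worth carrying over to a real deployment are the atomic swap (a check sees either the old or the new export, never a mix) and the version comparison in the message handler, which makes redelivered or out-of-order refresh messages harmless. Option 2 from the list is the same cache keyed per user and filled on login; option 3 would replace `has_permission` with a call to Grouper.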



