Grouper Users - Open Discussion List

[Steven Carmody <>]

Hi,

we're making a major push giving Depts the authority to create and 
manage groups within Grouper. Each Dept has an Admins group with 
privileges within the Dept STEM.

The default permissions assigned when a group is created, tho, is that 
the person who created the group gets rights. We want the members of the 
Admins group to get those rights. They work as a group, and they all 
need to be able to see and manage the new group.

We can think of two ways to obtain the outcome we want. But, we're sure 
we're not the only campus encountering this issue, and we're keenly 
interested in hearing how other campuses are approaching this problem. 
The two approaches we can think of are:

1) use Grouper's Rules functionality. There's a nice example in the 
Grouper doc:

https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Reassign+group+privileges+if+from+group

This is really clever. Our concern about this approach, tho, is its lack 
of transparency. You can't see or set these Rules via any known GUI. Its 
there... but no one in the Depts would ever see the Rules. Also, we 
don't know on what cycle the Rules would be implemented.

2) Use a process outside of Grouper to reset the permissions when a 
group is created. We're thinking that the Change Log Consumer, when it 
saw a Create Group Msg, could reach back into Grouper and change the 
permissions, if appropriate. The Depts wouldn't see this either, but 
we'd be able to easily see the logic.

How are other sites dealing with this issue ? Do you have a different 
approach ? Thoughts on these two ideas -- which would you prefer ?

Thanks very much !