Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Default Permission Inheritence Behavior?

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Default Permission Inheritence Behavior?


Chronological Thread 
  • From: "Waldbieser, Carl" <>
  • To: "Michael R. Gettes" <>
  • Cc: Chris Hyzer <>, Andrew Morgan <>,
  • Subject: Re: [grouper-users] Default Permission Inheritence Behavior?
  • Date: Wed, 4 Feb 2015 16:06:32 -0500 (EST)


Thanks, Michael.

I tweaked your script by adding the following statements to the end, and that
gives me the behavior I want to see:

RuleApi.reassignGroupPrivilegesIfFromGroup(
SubjectFinder.findRootSubject(),
baseStem,
Stem.Scope.SUB)
RuleApi.reassignStemPrivilegesIfFromGroup(
SubjectFinder.findRootSubject(),
baseStem,
Stem.Scope.SUB)

Without those 2 statements, newley created descendant groups and folders also
conferred permissions to the folder/group creater.

Thanks,
Carl

----- Original Message -----
From: "Michael R. Gettes"
<>
To: "Chris Hyzer"
<>
Cc: "Andrew Morgan"
<>,
"Carl Waldbieser"
<>,


Sent: Tuesday, February 3, 2015 6:17:20 PM
Subject: Re: [grouper-users] Default Permission Inheritence Behavior?

here is a recipe for what we use to establish inherited group access.

grouperSession = GrouperSession.startRootSession();
baseStem = StemFinder.findByName(grouperSession, "Apps:ServiceNow");
adminGroup = GroupFinder.findByName(grouperSession, "Apps:ServiceNow:Admins");
// grant rights on subfolders
RuleApi.inheritFolderPrivileges(SubjectFinder.findRootSubject(), baseStem,
Stem.Scope.SUB, adminGroup.toSubject(), Privilege.getInstances("stem,
create"));
// grant rights on subgroups
RuleApi.inheritGroupPrivileges(SubjectFinder.findRootSubject(), baseStem,
Stem.Scope.SUB, adminGroup.toSubject(), Privilege.getInstances("admin"));

of course, adjust the stem names to your liking. The Admins group may or may
not be updated by its members depending upon the rules for that part of the
grouper tree. The above allows the Admins group to do whatever they like
with folders and groups within Apps:ServiceNow (as an example).

i hope this helps.

/mrg

> On Feb 3, 2015, at 6:11 PM, Chris Hyzer
> <>
> wrote:
>
> Right, you need a rule to make that happen, same as previous release of
> Grouper. New ui is no different in that regard.
>
> Thanks,
> Chris
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Andrew Morgan
> Sent: Tuesday, February 03, 2015 5:07 PM
> To: Waldbieser, Carl
> Cc:
>
> Subject: Re: [grouper-users] Default Permission Inheritence Behavior?
>
> On Tue, 3 Feb 2015, Waldbieser, Carl wrote:
>
>>
>> I've just started experimenting with the permission behavior in the New UI.
>> I thought I had read somewhere that if I create a stem and assign
>> permissions, any sub-folders I create in that stem would inherit those
>> permissions.
>>
>> However, if I set up a structure like this:
>>
>> + test
>> + stem1
>> - admins (group)
>> + stem2
>>
>> I assigned "admins" CREATE_FOLDER and CREATE_GROUP permissions on "stem1".
>> Then, as a member of admins, I create "stem2". When I view the
>> permissions on "stem2", I see that only the account that created it has
>> permissions on that folder, *not* any other members of "admins".
>>
>> Am I missing something? Do sub-stems not inherit permissions?
>
> Carl,
>
> See the thread with subject "rights inheritance ..." on this list just last
> week. :)
>
> Andy




Archive powered by MHonArc 2.6.16.

Top of Page