Grouper Users - Open Discussion List

[Chris Hyzer <>]

You are right, you need READ to add a group as a member to another group (or 
privilege).  I tried it on the admin, lite, and new UI and couldn’t add a 
group I only had VIEW on.  Can you make sure that GrouperAll doesn’t have 
READ, and send me some screenshots of the privs and the user doing the add of 
a group they only have VIEW on?  If User X grants a user who has READ on a 
group access to update group B, and that user adds group B as a member of the 
group, then yes, anyone who has read on group B but not the group added will 
be able to read the members of the group added.  This is a feature :)  When 
you add a group to another group, you are essentially delegating READ access 
sort of (mostly)

Thanks,
Chris


-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Jeff McCullough
Sent: Monday, July 20, 2015 8:12 PM
To: Grouper-Users
Subject: [grouper-users] read privileges


I’ve noticed that read privileges are not carried if a group is added to 
another group. For example, if I create a group A, and assign view 
privileges, another user X can see the group name but not the membership. 
That makes sense. If I add a couple people to the group, and then have user X 
create a group B, then add group A to it. User X can now see the members of 
group A as indirect members in group B. If user X clicks on the group A 
within the membership of group B though, they are told they can’t see the 
membership because they don’t have the correct privileges. So on the one hand 
they can actually see the membership of group A (as indirect members in group 
B), but not if they try to open the group directly. Shouldn’t it be 
consistent? 

Jeff