Grouper Users - Open Discussion List

[Chris Hyzer <>]

The Grouper UI will only allow users to do what they are allowed to do.  You can delegate privileges to users and they can delegate to others on objects they have rights to.  You might want to try installing the grouper installer and play around with it.  Or use the Grouper demo server (google it).  Then you can have several accounts and see what each one can see.

 

Sorry, I still don’t really understand what you need exactly.  But I have a feeling what you are asking is doable with Grouper.  If you can give me a list of requirements or even gaps I can help you out.  If you want to attend the noon ET dev call on wed maybe talking through it would help (let me know I can give you the dial in information if you aren’t on the grouper-dev list).  In the meantime I can try to answer your questions below.

 

“What do you mean by "home" folder? By the way, apart from privileges, is there any difference between folders and groups?”

 

If you provision a user jsmith in grouper, maybe you create a folder in grouper called “users:jsmith” (like unix) and that user can use that folder to create folders or groups.  Um, folders and groups are different by way of privileges and other things, but they have some similarities.

 

“Yes, we want to be able to move privileges from one user to another.”

 

You mean when a user leaves you move privileges or in other situations too?

 

“It depends on the meaning of folder in Grouper's authorization model. In principle, yes.”

“No, users are not generally trusted, but will be granted privileges on subfolders. We will be the root administrators so a user will never be able to delete a folder that he has no grant upon.”

 

Users in grouper can have privileges to create objects in certain folders.  Or you could open it up and give everyone privileges everywhere, but then they would be able to rename folders which might not be good if they are not trusted.  So I wouldn’t do that.  Think of folders like a unix file system using ACLs.

 

Thanks,

Chris

 

From: Francesco Cepparo [mailto:]
Sent: Monday, August 24, 2015 9:07 AM
To: Chris Hyzer
Cc:
Subject: Re: [grouper-users] How to let Subjects manage groups themselves?

 

In any folder or in their own “home” folder?

 

What do you mean by "home" folder? By the way, apart from privileges, is there any difference between folders and groups?

 

If someone creates a group, can someone else edit it or manage it?

 

Yes, we want to be able to move privileges from one user to another.

 

Can anyone create a folder anywhere?

 

It depends on the meaning of folder in Grouper's authorization model. In principle, yes.

 

Are your users generally trusted, i.e. do you trust that a user wont delete a folder that someone else is using?

 

No, users are not generally trusted, but will be granted privileges on subfolders. We will be the root administrators so a user will never be able to delete a folder that he has no grant upon.

 

 

Thanks,

Chris

 

From: Francesco Cepparo [mailto:]
Sent: Friday, August 21, 2015 10:50 AM
To: Chris Hyzer
Cc:
Subject: Re: [grouper-users] How to let Subjects manage groups themselves?

 

We need Grouper subjects to be able to manage and define groups and their members.

 

 

2015-08-21 15:56 GMT+02:00 Chris Hyzer <>:

Can you explain in more detail what you are looking for?  Do you want each user to have their own folder to manage?

 

Thanks,

Chris

From: [mailto:] On Behalf Of Francesco Cepparo
Sent: Friday, August 21, 2015 6:53 AM
To:
Subject: [grouper-users] How to let Subjects manage groups themselves?

 

Hello everyone,

at our institution we have the following use case and we were wondering whether Grouper can fit our needs.

 

Basically, we need Grouper subjects to somehow be able to manage groups and permissions themselves, but we don't want to give them full permissions on the grouper administration interface. Is this something that we can accomplish with Grouper? Are we forced to create a custom web interface for users that makes use of the Grouper API?

 

Thank you in advance.