grouper-users - Re: [grouper-users] How to let Subjects manage groups themselves?

Subject: Grouper Users - Open Discussion List

  • From: "Waldbieser, Carl" <>
  • To: Francesco Cepparo <>
  • Cc: Chris Hyzer <>,
  • Subject: Re: [grouper-users] How to let Subjects manage groups themselves?
  • Date: Wed, 26 Aug 2015 09:57:38 -0400 (EDT)



Yes, access to the Grouper UI can be controlled via Grouper access groups.
I would say that kind of delegated access control is the raison d’être for
Grouper!

To *authenticate* a subject, you need to set up some kind of authentication
source. A local password database is one way, but you can also use LDAP or a
system like Apereo-CAS.
Once a subject authenticates, Grouper itself can be used to control
*authorization* to the system.

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College

----- Original Message -----
From: "Francesco Cepparo"
<>
To: "Chris Hyzer"
<>
Cc:

Sent: Wednesday, August 26, 2015 4:42:35 AM
Subject: Re: [grouper-users] How to let Subjects manage groups themselves?

Probably our main problem is whether Grouper subjects can have credentials
to access the user interface with limited privileges. From what we have
seen the user interface accounts are created as tomcat users under the
grouper_user role. Put another way, can the UI authenticate users based
upon the Grouper database? (Grouper DB schema subject table contains a
unique user identifier but there seems to be no authentication token
associated with it)

2015-08-24 15:22 GMT+02:00 Chris Hyzer
<>:

> The Grouper UI will only allow users to do what they are allowed to do.
> You can delegate privileges to users and they can delegate to others on
> objects they have rights to. You might want to try installing the grouper
> installer and play around with it. Or use the Grouper demo server (google
> it). Then you can have several accounts and see what each one can see.
>
>
>
> Sorry, I still don’t really understand what you need exactly. But I have
> a feeling what you are asking is doable with Grouper. If you can give me a
> list of requirements or even gaps I can help you out. If you want to
> attend the noon ET dev call on Wed, maybe talking through it would help (let
> me know I can give you the dial in information if you aren’t on the
> grouper-dev list). In the meantime I can try to answer your questions
> below.
>
>
>
> “What do you mean by "home" folder? By the way, apart from privileges, is
> there any difference between folders and groups?”
>
>
>
> If you provision a user jsmith in grouper, maybe you create a folder in
> grouper called “users:jsmith” (like unix) and that user can use that folder
> to create folders or groups. Um, folders and groups are different by way
> of privileges and other things, but they have some similarities.
>
>
>
> “Yes, we want to be able to move privileges from one user to another.”
>
>
>
> You mean when a user leaves you move privileges or in other situations too?
>
>
>
> “It depends on the meaning of folder in Grouper's authorization model. In
> principle, yes.”
>
> “No, users are not generally trusted, but will be granted privileges on
> subfolders. We will be the root administrators so a user will never be able
> to delete a folder that he has no grant upon.”
>
>
>
> Users in grouper can have privileges to create objects in certain
> folders. Or you could open it up and give everyone privileges everywhere,
> but then they would be able to rename folders which might not be good if
> they are not trusted. So I wouldn’t do that. Think of folders like a unix
> file system using ACLs.
>
>
>
> Thanks,
>
> Chris
>
>
>
> *From:* Francesco Cepparo
> [mailto:]
> *Sent:* Monday, August 24, 2015 9:07 AM
>
> *To:* Chris Hyzer
> *Cc:*
>
> *Subject:* Re: [grouper-users] How to let Subjects manage groups
> themselves?
>
>
>
> In any folder or in their own “home” folder?
>
>
>
> What do you mean by "home" folder? By the way, apart from privileges, is
> there any difference between folders and groups?
>
>
>
> If someone creates a group, can someone else edit it or manage it?
>
>
>
> Yes, we want to be able to move privileges from one user to another.
>
>
>
> Can anyone create a folder anywhere?
>
>
>
> It depends on the meaning of folder in Grouper's authorization model. In
> principle, yes.
>
>
>
> Are your users generally trusted, i.e. do you trust that a user won't
> delete a folder that someone else is using?
>
>
>
> No, users are not generally trusted, but will be granted privileges on
> subfolders. We will be the root administrators so a user will never be able
> to delete a folder that he has no grant upon.
>
>
>
>
>
> Thanks,
>
> Chris
>
>
>
> *From:* Francesco Cepparo
> [mailto:]
> *Sent:* Friday, August 21, 2015 10:50 AM
> *To:* Chris Hyzer
> *Cc:*
>
> *Subject:* Re: [grouper-users] How to let Subjects manage groups
> themselves?
>
>
>
> We need Grouper subjects to be able to manage and define groups and their
> members.
>
>
>
>
>
> 2015-08-21 15:56 GMT+02:00 Chris Hyzer
> <>:
>
> Can you explain in more detail what you are looking for? Do you want each
> user to have their own folder to manage?
>
>
>
> Thanks,
>
> Chris
>
> *From:*
>
> [mailto:
> ]
> *On Behalf Of *Francesco Cepparo
> *Sent:* Friday, August 21, 2015 6:53 AM
> *To:*
>
> *Subject:* [grouper-users] How to let Subjects manage groups themselves?
>
>
>
> Hello everyone,
>
> at our institution we have the following use case and we were wondering
> whether Grouper can fit our needs.
>
>
>
> Basically, we need Grouper subjects to somehow be able to manage groups
> and permissions themselves, but we don't want to give them full permissions
> on the grouper administration interface. Is this something that we can
> accomplish with Grouper? Are we forced to create a custom web interface for
> users that makes use of the Grouper API?
>
>
>
> Thank you in advance.
>
>
>
>
>


