Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] RE: Priv Hook?

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] RE: Priv Hook?


Chronological Thread 
  • From: John Gasper <>
  • To: grouper-users <>
  • Subject: Re: [grouper-users] RE: Priv Hook?
  • Date: Wed, 02 Sep 2015 09:04:18 -0700

Hi Chris,

This seems to work exactly as expected. Thanks much!

John

-- 
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef


From: John Gasper <>
Date: Tuesday, August 18, 2015 at 8:26 AM
To: Chris Hyzer <>, grouper-users <>
Subject: Re: [grouper-users] RE: Priv Hook?

Thanks Chris. I’ll pass the info along to the teammate and client working directly on this.

-- 
John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef


From: <> on behalf of Chris Hyzer <>
Date: Sunday, August 16, 2015 at 4:04 PM
To: John Gasper <>, grouper-users <>
Subject: RE: [grouper-users] RE: Priv Hook?

This is done, give it a try and let me know how it goes.

 

https://bugs.internet2.edu/jira/browse/GRP-1089

 

Note, in the admin UI where you pick if you are acting like admin or not, will not work with this enhancement, users will always be int he readonly or viewonly admin group

 

two patches:

 

grouper_v2_2_1_api_patch_22

 

grouper_v2_2_1_ui_patch_21

 

These settings were added to the grouper.base.properties and can be overridden in the grouper.properties

 

 

# A viewonly wheel group allows you to enable non-GrouperSystem subjects to act

# like a root user when viewing the registry.

groups.wheel.viewonly.use = false

 

# Set to the name of the group you want to treat as the viewonly wheel group.

# The members of this group will be treated as root-like users when viewing objects.

groups.wheel.viewonly.group = etc:sysadminViewersGroup

 

# A readonly wheel group allows you to enable non-GrouperSystem subjects to act

# like a root user when reading the registry.

groups.wheel.readonly.use = false

 

# Set to the name of the group you want to treat as the readonly wheel group.

# The members of this group will be treated as root-like users when reading objects.

groups.wheel.readonly.group = etc:sysadminReadersGroup

 

 

there are two groups on the demo server to test this:

 

etc:sysadminReadersGroup

etc:sysadminViewersGroup

 

EveryEntity can view/read/optin/optout of these groups, so anyone can test this by self serve joining / leaving the group. Go to the group in the new UI, click More Actions, and join/leave

 

From: John Gasper []
Sent: Monday, August 03, 2015 11:04 AM
To: Chris Hyzer; grouper-users
Subject: Re: [grouper-users] RE: Priv Hook?

 

Yes, I think we can commit to doing testing with this.

 

Thanks,

John

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

 

 

From: <> on behalf of Chris Hyzer <>
Date: Friday, July 31, 2015 at 3:23 PM
To: John Gasper <>, grouper-users <>
Subject: RE: [grouper-users] RE: Priv Hook?

 

If you have READ then you automatically have VIEW, so you don’t have to assign both.

Also, I think you might have performance problems with this on large registries… I looked in the code and to add the ability to have a READONLY and VIEWONLY wheel group would not be a lot of changes.  I can do some testing, but if you can also test that would be great.  Is that something you are interested in?

 

Thanks,

Chris

 

From: John Gasper []
Sent: Friday, July 31, 2015 3:02 PM
To: Chris Hyzer; grouper-users
Subject: Re: [grouper-users] RE: Priv Hook?

 

At the end of the day, we want a read-only “wheel” group… In other words a group whose members can view, but not change all groups and their memberships. The proposed method of implementation is to use a post hook at give “view" and “read" to a newly created group… and prevent “view" and “read" from being removed from a group (except perhaps by someone in the Wheel group).

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

 

 

From: <> on behalf of Chris Hyzer <>
Date: Friday, July 31, 2015 at 11:53 AM
To: John Gasper <>, grouper-users <>
Subject: RE: [grouper-users] RE: Priv Hook?

 

You should be able to use a membership hook, since privileges are implemented at memberships.  The list type is “access”, and you can see which priv it is, and who is removing it, and veto it.  If you write up exactly what you are doing I can look into making the grouper “rules” more full featured since these types of things should be easily accomplished with rules.

 

Thanks,

Chris

 

 

 

From: John Gasper []
Sent: Friday, July 31, 2015 2:26 PM
To: Chris Hyzer; grouper-users
Subject: Re: [grouper-users] RE: Priv Hook?

 

There specific case I’m working on is this… We are assigning privs (allow specific group to read and view) to new created groups via a hook. That part is great. We don’t want Group Admins to be able to remove that priv.

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

 

 

From: <> on behalf of Chris Hyzer <>
Date: Friday, July 31, 2015 at 11:05 AM
To: John Gasper <>, grouper-users <>
Subject: [grouper-users] RE: Priv Hook?

 

Yes, can you tell me more info about what you want to do?  J

 

Thanks,

Chris

 

From: [] On Behalf Of John Gasper
Sent: Friday, July 31, 2015 1:07 PM
To: grouper-users
Subject: [grouper-users] Priv Hook?

 

Is there a hook to veto the assignment/deletion of a privilege?

 

-- 

John Gasper
IAM Consultant
Unicon, Inc.
PGP/GPG Key: 0xbafee3ef

 




Archive powered by MHonArc 2.6.16.

Top of Page