Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] composite groups - adhoc combined with official groups

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] composite groups - adhoc combined with official groups

Chronological Thread 
  • From: Chris Hyzer <>
  • To: Jeff McCullough <>, Grouper-Users <>
  • Subject: RE: [grouper-users] composite groups - adhoc combined with official groups
  • Date: Thu, 10 Sep 2015 14:07:18 +0000
  • Accept-language: en-US

If you can reverse engineer the membership of the group, then essentially the
user has READ right? This is why we require READ for creating composites.
Yes for intersect it is not trivial to reverse engineer the group (as it
would be for complement). Btw, the disadvantage to composites for this as
opposed to "grouper rules" is that the user will still be in the adhoc group.
The rule will just remove them from the adhoc group when removed from the
employee or student group (or set an end date in the future).

Anyways, we might be able to add an enhancement to make this work, if it is
intersect, and use the user has VIEW, allow the composite. This would be
based on a setting in the of course since some people
might not like this behavior. Also, it might only be for certain groups
(employee or student) so that users can reverse engineer any group.

If you are interested please create a JIRA.


-----Original Message-----

On Behalf Of Jeff McCullough
Sent: Wednesday, September 09, 2015 6:37 PM
To: Grouper-Users
Subject: [grouper-users] composite groups - adhoc combined with official

We are planning to utilize composite groups as a way of de-provisioning
access when a person leaves a role, ex. employee, student. That means that an
adhoc group will be intersected with an official group of employees. The
adhoc group will be known to whomever is creating the composite group, but
they may not need to have access to the membership of employees or students.
Thus all they really need to have for access to the official group is view.
The composite group UI currently requires read/view access to both groups
used. I can imagine the UI could be tweaked such that only view access was
needed for the official group. And yes, one could reverse engineer whether
someone is part of an official group by creating a composite group. That
said, it would be best to keep the access to official groups to a minimum.
How are other schools handling composite groups? Is there any desire to
create a modified UI to allow for view only access to one of the groups?


Archive powered by MHonArc 2.6.16.

Top of Page