Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] composite groups - adhoc combined with official groups

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] composite groups - adhoc combined with official groups


Chronological Thread 
  • From: Jeff McCullough <>
  • To: Grouper-Users <>
  • Subject: Re: [grouper-users] composite groups - adhoc combined with official groups
  • Date: Wed, 16 Sep 2015 19:37:47 -0700

Chris,

Can you describe the rule based idea of removing them from the adhoc group
when removed from employee or student group? Is there an easy way for a user
to apply a rule to a group?

I see also there is a group type “grouperIncludeExclude.requireGroup”. Is
that a good alternative for my use case? It could be, but this group type and
the include/exclude group types aren’t showing in the edit groups section
like they did in the older admin ui. Is the "group type” selection something
that will be changed in the future?

Jeff


> On Sep 10, 2015, at 7:07 AM, Chris Hyzer
> <>
> wrote:
>
> If you can reverse engineer the membership of the group, then essentially
> the user has READ right? This is why we require READ for creating
> composites. Yes for intersect it is not trivial to reverse engineer the
> group (as it would be for complement). Btw, the disadvantage to composites
> for this as opposed to "grouper rules" is that the user will still be in
> the adhoc group. The rule will just remove them from the adhoc group when
> removed from the employee or student group (or set an end date in the
> future).
>
> Anyways, we might be able to add an enhancement to make this work, if it is
> intersect, and use the user has VIEW, allow the composite. This would be
> based on a setting in the grouper.properties of course since some people
> might not like this behavior. Also, it might only be for certain groups
> (employee or student) so that users can reverse engineer any group.
>
> If you are interested please create a JIRA.
>
> Thanks,
> Chris
>
>
>
> -----Original Message-----
> From:
>
>
> [mailto:]
> On Behalf Of Jeff McCullough
> Sent: Wednesday, September 09, 2015 6:37 PM
> To: Grouper-Users
> Subject: [grouper-users] composite groups - adhoc combined with official
> groups
>
>
> We are planning to utilize composite groups as a way of de-provisioning
> access when a person leaves a role, ex. employee, student. That means that
> an adhoc group will be intersected with an official group of employees. The
> adhoc group will be known to whomever is creating the composite group, but
> they may not need to have access to the membership of employees or
> students. Thus all they really need to have for access to the official
> group is view. The composite group UI currently requires read/view access
> to both groups used. I can imagine the UI could be tweaked such that only
> view access was needed for the official group. And yes, one could reverse
> engineer whether someone is part of an official group by creating a
> composite group. That said, it would be best to keep the access to official
> groups to a minimum. How are other schools handling composite groups? Is
> there any desire to create a modified UI to allow for view only access to
> one of the groups?
>
> Thanks,
> Jeff
>




Archive powered by MHonArc 2.6.16.

Top of Page