grouper-users - RE: [grouper-users] composite groups - adhoc combined with official groups

Subject: Grouper Users - Open Discussion List

  • From: Chris Hyzer <>
  • To: Jeff McCullough <>
  • Cc: Grouper-Users <>
  • Subject: RE: [grouper-users] composite groups - adhoc combined with official groups
  • Date: Wed, 23 Sep 2015 05:10:48 +0000

I think we want 2.3 released in the spring, and we can try to get rules UI
support in there...

Thanks,
Chris

-----Original Message-----
From: Jeff McCullough
[mailto:]

Sent: Tuesday, September 22, 2015 4:28 PM
To: Chris Hyzer
Cc: Grouper-Users
Subject: Re: [grouper-users] composite groups - adhoc combined with official
groups

Hi Chris,

Below you mention

> The new UI should have better attribute/rule support.

I’m assuming that is probably version 2.3. Do you have a sense of when that
will come? I need to decide if we need to create another way to get at this
functionality.

Thank you for all that you guys are doing.

Jeff

> On Sep 16, 2015, at 9:10 PM, Chris Hyzer wrote:
>
> https://spaces.internet2.edu/display/Grouper/Grouper+rules+use+case+-+Composite-ng+intersection
>
> The rule looks for removals from a group (e.g. employee), and then sees if the
> entity is a member of the app group, and if so, removes them or adds an end
> date. In this case if you become an employee at a later date, you would
> need to go through the intake process for the application to get added
> again. In the composite case, you would be in the app again. For one app
> at Penn which uses a composite, we made a group which is the app system of
> record group minus the employee group, so admins can see which users are
> not in the overall group and need to be reviewed to see if they need to be
> removed.
>
> If users have READ/UPDATE on the rule attributes, and
> READ/UPDATE/ATTR_READ/ATTR_UPDATE on the group(s), I think they can add the
> rules via the lite UI (which is not trivial). Admins can add the rules
> with a couple lines of GSH though. The new UI should have better
> attribute/rule support.
>
> Thanks,
> Chris
>
> -----Original Message-----
> From: [mailto:] On Behalf Of Jeff McCullough
> Sent: Wednesday, September 16, 2015 10:38 PM
> To: Grouper-Users
> Subject: Re: [grouper-users] composite groups - adhoc combined with
> official groups
>
> Chris,
>
> Can you describe the rule based idea of removing them from the adhoc group
> when removed from employee or student group? Is there an easy way for a
> user to apply a rule to a group?
>
> I see also there is a group type “grouperIncludeExclude.requireGroup”. Is
> that a good alternative for my use case? It could be, but this group type
> and the include/exclude group types aren’t showing in the edit groups
> section like they did in the older admin ui. Is the “group type” selection
> something that will be changed in the future?
>
> Jeff
>
>
>> On Sep 10, 2015, at 7:07 AM, Chris Hyzer wrote:
>>
>> If you can reverse engineer the membership of the group, then essentially
>> the user has READ, right? This is why we require READ for creating
>> composites. Yes for intersect it is not trivial to reverse engineer the
>> group (as it would be for complement). Btw, the disadvantage to
>> composites for this as opposed to "grouper rules" is that the user will
>> still be in the adhoc group. The rule will just remove them from the
>> adhoc group when removed from the employee or student group (or set an end
>> date in the future).
>>
>> Anyways, we might be able to add an enhancement to make this work, if it
>> is intersect, and the user has VIEW, allow the composite. This would
>> be based on a setting in the grouper.properties of course since some
>> people might not like this behavior. Also, it might only be for certain
>> groups (employee or student) so that users can reverse engineer any group.
>>
>> If you are interested please create a JIRA.
>>
>> Thanks,
>> Chris
>>
>>
>>
>> -----Original Message-----
>> From: [mailto:] On Behalf Of Jeff McCullough
>> Sent: Wednesday, September 09, 2015 6:37 PM
>> To: Grouper-Users
>> Subject: [grouper-users] composite groups - adhoc combined with official
>> groups
>>
>>
>> We are planning to utilize composite groups as a way of de-provisioning
>> access when a person leaves a role, ex. employee, student. That means that
>> an adhoc group will be intersected with an official group of employees.
>> The adhoc group will be known to whomever is creating the composite group,
>> but they may not need to have access to the membership of employees or
>> students. Thus all they really need to have for access to the official
>> group is view. The composite group UI currently requires read/view access
>> to both groups used. I can imagine the UI could be tweaked such that only
>> view access was needed for the official group. And yes, one could reverse
>> engineer whether someone is part of an official group by creating a
>> composite group. That said, it would be best to keep the access to
>> official groups to a minimum. How are other schools handling composite
>> groups? Is there any desire to create a modified UI to allow for view only
>> access to one of the groups?
>>
>> Thanks,
>> Jeff
>>
>
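
The difference discussed in this thread between an intersect composite and a removal rule, as an added example that is not part of the original messages and is not Grouper code. It is a toy in-memory model using Python sets; the function names and the sample subjects (alice, bob) are assumptions made for illustration.

```python
# Added illustration: a toy model of the two de-provisioning approaches
# described in the thread. Nothing here calls Grouper or GSH.

def composite_intersection(adhoc, official):
    """Effective access under an intersect composite: recomputed from both factors."""
    return adhoc & official

def apply_removal_rule(adhoc, removed_subject):
    """Rule model: when a subject is removed from the official group,
    remove the same subject from the ad hoc (app) group."""
    adhoc.discard(removed_subject)

def needs_review(app_system_of_record, official):
    """Complement group from the thread: app system-of-record group minus
    the employee group, i.e. entries an admin should look at."""
    return app_system_of_record - official

def simulate():
    employee = {"alice", "bob"}          # constructed sample data
    adhoc_composite = {"alice", "bob"}   # ad hoc factor behind a composite
    adhoc_ruled = {"alice", "bob"}       # ad hoc group guarded by a rule

    # bob leaves the employee role
    employee.discard("bob")
    apply_removal_rule(adhoc_ruled, "bob")
    after_leave = {
        "composite_access": composite_intersection(adhoc_composite, employee),
        "adhoc_factor": set(adhoc_composite),   # bob is still listed here
        "review": needs_review(adhoc_composite, employee),
        "ruled_access": set(adhoc_ruled),
    }

    # bob becomes an employee again at a later date
    employee.add("bob")
    after_rehire = {
        "composite_access": composite_intersection(adhoc_composite, employee),
        "ruled_access": set(adhoc_ruled),       # bob must go through intake again
    }
    return after_leave, after_rehire

if __name__ == "__main__":
    for stage in simulate():
        print(stage)
```

In the model, the composite restores access on rehire without any new approval, while the rule-managed group does not; the review set is what surfaces the stale ad hoc entry in the composite case.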
