
grouper-users - Re: [grouper-users] Need composite groups with more than 2 factors

Subject: Grouper Users - Open Discussion List

  • From: "William G. Thompson, Jr." <>
  • To: "Bellina, Brendan" <>
  • Cc: "" <>
  • Subject: Re: [grouper-users] Need composite groups with more than 2 factors
  • Date: Wed, 9 Mar 2016 15:53:00 -0500

The general approach we've taken at Lafayette is to have the final "authorization group" (i.e. the composite group) be composed of two groups: service_allow - service_deny, where each of those groups has subgroups that create effective membership and adhere to the desired access policy.

composite group: service_authorize = service_allow - service_deny

service_allow might have subgroups of reference groups for faculty, staff, student, etc. or other ad-hoc groups, and together they make up the default access policy (generally we don't add direct membership assignments for people to the "allow" group; this way people come in and out of service_authorize as reference groups change based on SoR feeds).

service_deny has our "big red button deny group" as a subgroup. If you show up in that for whatever reason it turns down access across the board.

Make sense?


On Wed, Mar 9, 2016 at 3:36 PM, Bellina, Brendan <> wrote:
Sorry if this question has an obvious answer somewhere.  A link to the answer would be fine.

I have a need to use the Grouper UI to create groups with more than 2 composite factors.  Specifically group A + group B – group C.  I can see how this could easily grow to a much larger number of factors as well.  I don’t see a way in the UI to create anything more complicated than 2 factors.  I am hoping there is a better solution than creating otherwise unnecessary intermediate groups.  Is there a way to do this?


Brendan Bellina
Identity Mgmt. Architect, IT Services, UCLA
✉     +1 310 206 3131
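
The allow-minus-deny pattern described in this thread, modelled as an added Python example (a toy model, not Grouper code and not from either poster). All group and subject names are constructed, and it assumes that a group added as a member contributes its effective members, which is how "A + B - C" collapses into one complement composite.

```python
# Added illustration: a toy membership model, not Grouper's API.
# Group and subject names below are constructed for this example.

def effective_members(group, direct, seen=None):
    """Expand a group to the people in it, following subgroup members.

    `direct` maps group name -> set of direct members. A member that is
    itself a key of `direct` is a subgroup. `seen` guards against cycles.
    """
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    people = set()
    for member in direct.get(group, ()):
        if member in direct:
            people |= effective_members(member, direct, seen)
        else:
            people.add(member)
    return people

def authorize(service, direct):
    """service_authorize = service_allow - service_deny (complement)."""
    allow = effective_members(f"{service}_allow", direct)
    deny = effective_members(f"{service}_deny", direct)
    return allow - deny  # deny always wins over allow

def build_sample():
    return {
        "ref:faculty": {"alice", "bob"},           # fed from the SoR
        "ref:staff": {"carol"},                    # fed from the SoR
        "ref:global_deny": {"bob"},                # "big red button" group
        "wiki_allow": {"ref:faculty", "ref:staff"},  # A + B, no direct people
        "wiki_deny": {"ref:global_deny"},            # C
    }

if __name__ == "__main__":
    groups = build_sample()
    print(sorted(authorize("wiki", groups)))
    groups["ref:staff"].discard("carol")    # SoR feed drops carol
    groups["ref:global_deny"].add("alice")  # deny applied to alice
    print(sorted(authorize("wiki", groups)))
```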
