Skip to Content.
Sympa Menu

grouper-users - RE: [grouper-users] Need composite groups with more than 2 factors

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] Need composite groups with more than 2 factors


Chronological Thread 
  • From: "Hyzer, Chris" <>
  • To: "Bellina, Brendan" <>, "" <>
  • Subject: RE: [grouper-users] Need composite groups with more than 2 factors
  • Date: Wed, 9 Mar 2016 21:28:15 +0000
  • Accept-language: en-US
  • Authentication-results: ucla.edu; dkim=none (message not signed) header.d=none;ucla.edu; dmarc=none action=none header.from=isc.upenn.edu;
  • Spamdiagnosticmetadata: NSPM
  • Spamdiagnosticoutput: 1:23

This issue might be closed, but just wanted to mention.

 

You don’t need composites for +, just add a group as a member group.

 

There is an include/exclude type which creates an include and exclude list for you so you don’t have do manual work.

 

Thanks

Chris

 

 

From: [mailto:] On Behalf Of Bellina, Brendan
Sent: Wednesday, March 09, 2016 4:23 PM
To:
Subject: Re: [grouper-users] Need composite groups with more than 2 factors

 

Bill,

 

That sounds like a workable naming convention.  Thanks for the description.

 

Regards,

 

Brendan Bellina

Identity Mgmt. Architect, IT Services, UCLA

     +1 310 206 3131

 

 

 

From: "William G. Thompson, Jr." <>
Date: Wednesday, March 9, 2016 at 12:53 PM
To: Brendan Bellina <>
Cc: "" <>
Subject: Re: [grouper-users] Need composite groups with more than 2 factors

 

The general approach we've taken at Lafayette is to have the final "authorization group" (i.e. the composite group) be composed of two groups; service_allow - service_deny, where each of those groups have sub groups that create effective membership and adhere to the desired access policy.

composite group: service_authorize = service_allow - service_deny

 

service_allow might have subgroups of reference groups for faculty, staff, student, etc or other ad-hoc groups and together make up the default access policy (generally we don't add direct membership assignments for people to the "allow" group, this way people come in and out of the service_authorize as reference groups change based on SoR feeds)

service_deny has our "big red button deny group" as a sub group. If you show up in that for whatever reason it turns down access across the board.

Make sense?

Best,

Bill

 

 

On Wed, Mar 9, 2016 at 3:36 PM, Bellina, Brendan <> wrote:

Sorry if this question has an obvious answer somewhere.  A link to the answer would be fine.

 

I have a need to use the Grouper UI to create groups with more than 2 composite factors.  Specifically group A + group B – group C.  I can see how this could easily grow to a much larger number of factors as well.  I don’t see a way in the UI to create anything more complicated than 2 factors.  I am hoping there is a better solution than creating otherwise unnecessary intermediate groups.  Is there a way to do this?

 

Regards,

 

Brendan Bellina

Identity Mgmt. Architect, IT Services, UCLA

   +1 310 206 3131

 

 

 




Archive powered by MHonArc 2.6.16.

Top of Page