Grouper Users - Open Discussion List

["Hyzer, Chris" <>]

Unfortunately you cannot do that with rules right now.  I added a jira for it.

 

https://bugs.internet2.edu/jira/browse/GRP-1344

 

You could make a hook for that if it is a generic policy for the registry.  Let me know if you need help.

 

However, you can also set this up with groups if you don’t have too many groups to set it up for.

 

i.e. have a group of admins.  Only let certain people or admins manage memberships of that group.  Assign that as ADMIN to where you want it.  And put a rule on the group that says if no longer an employee or whatever remove them.

 

Thanks

Chris

 

From: [mailto:] On Behalf Of Shaun Koh
Sent: Monday, July 18, 2016 7:51 PM
To:
Subject: [grouper-users] RE: Assistance required determining privilege event from rule trigger. -- attribute assignment

 

Hi there,

 

I understand this question was listed for the July 14 Grouper Call though I was not able to attend it – my apologies

 

However, I am still inclined to know how this can be achieved hence this follow-up email.

 

Cheers,

Shaun K.

 

From: [] On Behalf Of Shaun Koh
Sent: Friday, 8 July 2016 4:54 p.m.
To:
Subject: [FORGED] [grouper-users] Assistance required determining privilege event from rule trigger. -- attribute assignment

 

Hi there,

 

I was wondering if there is a way to determine when a rule is triggered by a privilege event (e.g. add,delete,etc) ?

 

Specifically, I’m attempting to veto/reject `Admin` privilege assignments to groups within a folder (inc. sub-folders) if the object being assigned the privilege (group or user) is not a member of a certain group (e.g. an admin group).

 

The closest assignment value I could find is `subjectAssignInStem` for the `ruleCheckType` attribute which checks if there is a membership add, privilege add, permission add, etc.

 

Please let me know if I am not being clear enough.

 

Cheers,

Shaun K.