
grouper-users - [grouper-users] RE: Assistance required determining privilege event from rule trigger. -- attribute assignment

Subject: Grouper Users - Open Discussion List

  • From: Shaun Koh <>
  • To: "Hyzer, Chris" <>, "" <>
  • Subject: [grouper-users] RE: Assistance required determining privilege event from rule trigger. -- attribute assignment
  • Date: Tue, 19 Jul 2016 05:15:26 +0000
  • Accept-language: en-US, en-NZ

Hi Chris,

 

Thanks for the ticket, much appreciated.

 

This is more of a generic policy that mimics the current set-up of our existing group management system where we’ve got a predefined list of admin groups that group creators/admins can pick from to view and/or modify group members, memberships, and properties.

 

By default, the system enforces this on every group so it may not be appropriate for the second option you’ve suggested.

 

Will certainly give hooks a try and come back to you if I have any queries.

 

Cheers,

Shaun K.

 

From: Hyzer, Chris [mailto:]
Sent: Tuesday, 19 July 2016 1:40 p.m.
To: Shaun Koh;
Subject: RE: Assistance required determining privilege event from rule trigger. -- attribute assignment

 

Unfortunately you cannot do that with rules right now.  I added a jira for it.

 

https://bugs.internet2.edu/jira/browse/GRP-1344

 

You could make a hook for that if it is a generic policy for the registry.  Let me know if you need help.

 

However, you can also set this up with groups if you don’t have too many groups to set it up for.

 

i.e. have a group of admins.  Only let certain people or admins manage memberships of that group.  Assign that as ADMIN to where you want it.  And put a rule on the group that says if no longer an employee or whatever remove them.

 

Thanks

Chris

 

From: [] On Behalf Of Shaun Koh
Sent: Monday, July 18, 2016 7:51 PM
To:
Subject: [grouper-users] RE: Assistance required determining privilege event from rule trigger. -- attribute assignment

 

Hi there,

 

I understand this question was listed for the July 14 Grouper Call though I was not able to attend it – my apologies.

 

However, I am still inclined to know how this can be achieved hence this follow-up email.

 

Cheers,

Shaun K.

 

From: [] On Behalf Of Shaun Koh
Sent: Friday, 8 July 2016 4:54 p.m.
To:
Subject: [FORGED] [grouper-users] Assistance required determining privilege event from rule trigger. -- attribute assignment

 

Hi there,

 

I was wondering if there is a way to determine when a rule is triggered by a privilege event (e.g. add, delete, etc.)?

 

Specifically, I’m attempting to veto/reject `Admin` privilege assignments to groups within a folder (inc. sub-folders) if the object being assigned the privilege (group or user) is not a member of a certain group (e.g. an admin group).

 

The closest assignment value I could find is `subjectAssignInStem` for the `ruleCheckType` attribute which checks if there is a membership add, privilege add, permission add, etc.

 

Please let me know if I am not being clear enough.

 

Cheers,

Shaun K.



