This is fixed in patch: grouper_v2_3_0_api_patch_15
Note, this defaults to on. Shilen did performance analysis. It is fast for admins. It is fast for users with not a lot of privs. If a power user
is not an admin and has a ton of privs (e.g. courses or something), and you have a huge registry, then it can be slow. You can determine if you want to turn it off altogether, or put people in a group (or groups in a group) which it is not enabled for. There
is also a timer so that you can see who is having issues with it via errors logged. Note, this is only for the UI at this point and not for WS or API. Try it out and let me know how it goes
edit in grouper.properties:
# if folders should be shown only if there is an object inside that the user can see
security.show.folders.where.user.can.see.subobjects = true
# put in a group name to exclude non admins who have a lot of privileges who have bad performance
# log error if performance is above this number of seconds. tells you to exclude some users or disable feature
# leave blank or -1 to disable
security.show.all.folders.log.above.seconds = 30
From: Hyzer, Chris
Sent: Tuesday, June 07, 2016 12:45 PM
To: ' <>
Subject: RE: [grouper-users] VIEW permission on STEMs ?
If you have CREATE on a stem, or ADMIN (2.3+), then you should see the parent stems while browsing right?
Sent: Tuesday, June 07, 2016 11:21 AM
To: Hyzer, Chris <>
Subject: Re: [grouper-users] VIEW permission on STEMs ?
Yes, your suggestion would solve our problem.
When you say "stems that you have privileges on" -- I'm not sure what you mean ?
Sent from my iPhone
On Jun 7, 2016, at 10:24 AM, Hyzer, Chris <> wrote:
We have tried to only show stems that you have privileges on, or have an object (stem, group, attribute) underneath somewhere that you have privileges on, but we had performance problems implementing it. We can take another look at it. If that existed
i would hope you wouldn't need view on folders
On Tue, Jun 7, 2016 at 10:06 AM -0400, "Steven Carmody" <> wrote:
We have a growing number of situations where we are delegating the
management of various Service Management Groups. In some of these cases,
Services support "projects", and each Project has a different set of
managers/admins. IN any case, we now have a longish set of STEMs under
the "Service management" STEM.
We'd prefer that when one of these admins is using a Grouper GUI that
they only see the STEMs for the Projects (or Services) that they're
authorized to VIEW and manage.
I know Grouper doesn't currently support a VIEW privilege on STEMs --
I'm wondering if this has been requested by others ? Or whether others
see any value in this added functionality ?