grouper-users - Re: [grouper-users] View only access to audit log
Subject: Grouper Users - Open Discussion List
- From: "Curry, Warren" <>
- To: Tom Barton <>
- Cc: "" <>
- Subject: Re: [grouper-users] View only access to audit log
- Date: Sun, 7 Aug 2016 15:12:44 +0000
I agree that it would be good to have a group, maybe called "auditors", maybe in the etc: folder, whose members can look at any audit report regardless of any other privs they have. Then a grouper admin can stick the security-team group in there and let the CISO maintain that one.
Tom
On 8/5/2016 3:54 PM, Hyzer, Chris wrote:
We can probably do that, though they would need View on the group or be in the adminsViewOnly group.
I feel like if you have UPDATE on a group you should be able to see audits for that group. Why not?
There is no audit web service at this point. I added a jira.
Anyone else have opinions on these topics? :)
Thanks
Chris
From: Michael R Gettes []
Sent: Friday, August 05, 2016 3:56 PM
To: Hyzer, Chris
Cc: Jeffrey Crawford ; Gouper Users List
Subject: Re: [grouper-users] View only access to audit log
Okay, I just had a chat with my InfoSec folks and I think I am narrowing down to what we want.
If you could provide a property grouper.GroupCanSeeAnyAudit and have this apply to the UI and to WebServices and if InfoSecPersonA is in that group then they can view the audit in the UI for any group, that would solve one problem. The other is to have WebService calls allowing for the read of Audit as well which would be applied to this same group. No, I haven’t checked to see if there are any WS calls in support of checking Audit for a group. I hope this exists. If this could be done then I will withdraw my request for new privs. Does this make sense?
On the positive, at least I am trying to provide reasonable requirements. If you want me to get more specific, I can try to do so.
/mrg
On Aug 5, 2016, at 1:57 PM, Hyzer, Chris <> wrote:
Let me just explore some other options… :)
How about:
1. If a user has UPDATE then they can see audits?
2. If a user can READ ATTRIBUTES then they can see audits?
3. If a user can UPDATE ATTRIBUTES then they can see audits?
I know ideally it would be separate, but is one of those close enough? :) Just trying to find a reasonable alternative…
Thanks
Chris
From: Michael R Gettes []
Sent: Friday, August 05, 2016 1:50 PM
To: Hyzer, Chris <>
Cc: Jeffrey Crawford <>; Gouper Users List <>
Subject: Re: [grouper-users] View only access to audit log
There are plenty of cases where all the users of the group can READ the group - we don’t want them to see Audit.
/mrg
On Aug 5, 2016, at 1:48 PM, Hyzer, Chris <> wrote:
Can it be the same as READ? There is overhead to adding new privileges; it would be nice to reuse if possible…
From: Michael R Gettes []
Sent: Friday, August 05, 2016 12:37 PM
To: Hyzer, Chris <>
Cc: Jeffrey Crawford <>; Gouper Users List <>
Subject: RE: [grouper-users] View only access to audit log
+1. I'd like to see a separate audit view priv and admin implies audit view.
/mrg
On Aug 5, 2016 12:35 PM, "Hyzer, Chris" <> wrote:
We don’t have a privilege for that. What do you want? All readers to be able to see all audits for all groups? Something different?
From: [] On Behalf Of Jeffrey Crawford
Sent: Friday, August 05, 2016 12:31 PM
To: Gouper Users List <>
Subject: [grouper-users] View only access to audit log
Is there a way to allow view-only access to the audit log? So far I've only found that a user must be admin to view it. Is there another way?
Jeffrey E. Crawford
Enterprise Service Team
Both pilots and IT professionals require training and currency before charging into clouds!