grouper-users - [grouper-users] RE: Unexpected behavior with inheritance rules

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: "Waldbieser, Carl" <>, Gouper Users List <>
  • Subject: [grouper-users] RE: Unexpected behavior with inheritance rules
  • Date: Fri, 23 Sep 2016 21:08:04 +0000

Can you please open a jira... thanks, Chris

-----Original Message-----
From: [mailto:] On Behalf Of Waldbieser, Carl
Sent: Friday, September 23, 2016 4:56 PM
To: Gouper Users List <>
Subject: [grouper-users] Unexpected behavior with inheritance rules


My goal is to have a folder, "app", that contains a subfolder, "etc" with 2
groups "admins" and "viewers". Members of "admins" should be able to create
groups and folders under "app", add/remove members, etc. Members of
"viewers" should only be able to view memberships and privs on groups under
"app".

I am using the `inheritGroupPrivileges` rules for both of the groups on the
"app" stem, as well as the "normalizeInheritedPermissions" rule on the "app"
stem. It seems to work like I expect in simple scenarios.

Instead of adding members directly to the "admins" and "viewers" groups, I
added groups to them. For example, my account is in group "foo" and I add
"foo" to "admins".
When I create a new group in "app", "admins" and "viewers" have the proper
permissions, but "foo" is also a *direct* member, which I did not expect.

I'm not sure why it appears, but I suspect it has something to do with how
the "normalizeInheritedPermissions" rule works.

Does anyone have any ideas?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College


