Grouper Users - Open Discussion List

["Hyzer, Chris" <>]

Can you please open a jira... thanks, Chris

-----Original Message-----
From: 

 
[mailto:]
 On Behalf Of Waldbieser, Carl
Sent: Friday, September 23, 2016 4:56 PM
To: Gouper Users List 
<>
Subject: [grouper-users] Unexpected behavior with inheritance rules


My goal is to have a folder, "app", that contains a subfolder, "etc" with 2 
groups "admins" and "viewers".  Members of "admins should be able to create 
groups and folders under "app", add/remove members, etc.  Members of 
"viewers" should only be able to view memberships and privs on groups under 
"app".

I am using the `inheritGroupPrivileges` rules for both of the groups on the 
"app" stem, as well as the "normalizeInheritedPermissions" rule on the "app" 
stem.  It seems to work like expect in simple scenarios.

Instead of adding members directly to the "admins" and "viewers" groups, I 
added groups to them.  For example, my account is in group "foo" and I add 
"foo" to "admins".
When I create a new group in "app", "admins" and "viewers" have the proper 
permissions, but "foo" is also a *direct* member, which I did not expect.

I'm not sure why it appears, but I suspect it has something to do with how 
the "normalizeInheritedPermissions" rule works.

Does anyone have any ideas?

Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College