Grouper Users - Open Discussion List

[Dave Churchley <>]

Yes, this is the method we use. We only have one of our base stems provisioned to AD. Groups under that stem are (supposed to be) names uniquely according to their purpose. Department groups and the like can be included as members of these application groups. I think this works quite well. It is, in fact, one of my seven principles of Grouper group administration (https://blogs.ncl.ac.uk/integration/2016/02/19/make-applications-groups-specific/)!

 

Dave

 

From: [mailto:] On Behalf Of Julio Polo
Sent: 01 March 2017 21:09
To: Steven Carmody <>
Cc: Grouper-Users <>
Subject: Re: [grouper-users] what is a group authorized to do ?

 

I would advocate creating a group for each application/service (for each authz need).  Each of those application groups can include the same officially-sanctioned group for the desired department, but each group can have its own exceptions (inclusions and exclusions). To help track all such groups, you can create a special attribute to identify them or you could just put them all under one folder.

-julio

 

On Wed, Mar 1, 2017 at 9:41 AM, Steven Carmody <> wrote:

Hi,

We've got a growing community of dept-based people taking advantage of delegated management of group membership. And we've got a growing community of service owners managing the membership of their service eligibility groups. They sometimes include dept-based-groups in their eligibility groups.

We now have some dept-based group managers asking "before I add a person to group X, how can I find out the set of permissions and services are granted to that group?". A perfectly reasonable question.

I can see that using service management groups might help to develop an answer -- I'm wondering if other sites have yet encountered this question, and what tools they are providing to users who want an answer ?

thanks !