Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Differencing tool with healing capabilities...

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Differencing tool with healing capabilities...


Chronological Thread 
  • From: Jim Fox <>
  • To: "Gettes, Michael" <>
  • Cc: Bill Thompson <>, "" <>
  • Subject: Re: [grouper-users] Differencing tool with healing capabilities...
  • Date: Mon, 10 Jul 2017 12:28:01 -0700 (PDT)
  • Ironport-phdr: 9a23:t2/otx8H+yEos/9uRHKM819IXTAuvvDOBiVQ1KB+2+IcTK2v8tzYMVDF4r011RmSAtWdtqoMotGVmp6jcFRI2YyGvnEGfc4EfD4+ouJSoTYdBtWYA1bwNv/gYn9yNs1DUFh44yPzahANS47WLmffqXyq7DMUBg63dU8sfry0ScbuiJH9+O2u55DIJ01thTG9aL52Zl3iogjNqsQNqZZsLuA8xgaf8VVSfOED52JtbXyUj16o6MCg1IFq6CRRvf098MgGXKnnKfdrBYdEBSgrZjhmrPbgsgPOGE7WviMR


We have a tool like this. It's written to the UW group service API though. We protect the operations by requiring the user to have member manager permission on any affected groups. That also keeps automatic groups unaffected.

Jim



On Mon, 10 Jul 2017, Gettes, Michael wrote:


Right.  You are absolutely correct.  If grouper can figure all this out and
“do the right thing”, that would be outstanding.  I guess this would
mean the “healing” capability shouldn’t attempt to fix indirect memberships.  
Would that do it?

/mrg

On Jul 10, 2017, at 3:17 PM, William G. Thompson, Jr.
<>
wrote:

Just wondering about the scope of the feature and the use case.  If one is following
the deployment guide then "fixing/healing" a user who
needs access like another user may not necessarily involve manually updating
direct members assignments. It could be an issue with upstream
data for a reference group, could be an exception/addition to authZ policy,
etc.

Best,
Bill


On Mon, Jul 10, 2017 at 3:07 PM, Gettes, Michael
<>
wrote:
Well, there is no real indication of how a group is being used in
grouper - so I’m looking for a tool to do so independent of
use.  Now, of course, it would be awesome if grouper could determine
the use of a group and show differences and either
automatically exclude certain differences (due to policy) or other
constraints - but I think this is a wee bit further in the
future.  Do I understand you correctly?

/mrg

On Jul 10, 2017, at 2:54 PM, William G. Thompson, Jr.
<>
wrote:

Mike,
This would work for ACL-like membership groups, but not for policy driven
ones, right?  

Best,
Bill



On Mon, Jul 10, 2017 at 2:37 PM, Gettes, Michael
<>
wrote:
I was thinking (I know, always dangerous)…
If there was a grouper tool to show the differences of group memberships
between 2 users and then 2 magic options (make
user1 like user2, or make user2 like user1) - this would be a nice way of
healing users who should have all the abilities
of another.

Also, with the above UI tool, give me the option of selecting which groups to
“heal” for the 2 users involved with
checkboxes on each group.

I hope this makes sense and would be useful to others.  Maybe this has
already been thunk up and in the hopper for some
future development?

Thanks for your consideration.

/mrg









Archive powered by MHonArc 2.6.19.

Top of Page