grouper-users - [grouper-users] RE: Non-wheel privileges for attestation access

Subject: Grouper Users - Open Discussion List

[grouper-users] RE: Non-wheel privileges for attestation access

  • From: "Redman, Chad" <>
  • To: "" <>
  • Subject: [grouper-users] RE: Non-wheel privileges for attestation access
  • Date: Wed, 2 Aug 2017 11:58:16 +0000
  • Accept-language: en-US

The users were waiting on a fix for this, so I debugged the source code to figure out exactly what was needed for a regular user to view the attestation or mark it as Reviewed.

To view the attestation page:

1) User needs to have Read on etc:attribute:attestation:attestationDef
2) User needs to have Read on etc:attribute:attestation:attestationValueDef
3) User needs both Read and Attribute Read on the group in question


Note that the button to mark it as reviewed shows up for these users, even though they don't have the update privilege that would make it work. They just get a user-unfriendly message about no access to the attribute definition. Checking for the correct permissions before showing the button would be helpful here.


To be able to mark the group as Reviewed:

1) User needs to have Read and Update on etc:attribute:attestation:attestationDef
2) User needs to have Read and Update on etc:attribute:attestation:attestationValueDef
3) User needs Read on the group in question (Update isn't necessary unless you want them to edit the membership)
4) User needs both Attribute Read and Attribute Update on the group in question


To simplify configuration slightly, we created a Readers group and an Updaters group, instead of granting individual permissions to the attribute definitions in etc:attribute. Any users who would be doing any kind of attestation work would be put into one of these groups. It's possible that it's safe to make access to the attribute definitions public, as you can only read or edit groups where you have attribute read/update anyway. We were just playing it safe there for now.

From: [mailto:] On Behalf Of Redman, Chad
Sent: Wednesday, June 28, 2017 11:44 AM
Subject: [grouper-users] Non-wheel privileges for attestation access

We just had our first user get an attestation recertification email, and when they tried to certify, they reported back an error: "etc:attribute:attestation:attestation attribute doesn't exist".

The user actually wasn't an admin for the group, but got the email because the address was explicitly set in the Email addresses field. However, in my testing using a non-wheel account, being an admin for the group is not enough. When I gave my non-wheel user admin privileges, I could reproduce the same error. The only way I could get attestation to work was to grant the user read/update on etc:attribute:attestation:attestationDef and etc:attribute:attestation:attestationValueDef. But this is not desirable, as it now allows the user to edit attestation for any group.

Am I looking at this the wrong way?
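
The following is an added example, not part of either message above and not code from the Grouper project: a gsh (Groovy) script that sets up the Readers/Updaters design described in the reply and then scopes one user to one group with exactly the privileges listed there (Read plus Attribute Read and Attribute Update on the group, no Update). The API calls are the Grouper 2.3-era ones as I recall them (GroupSave, AttributeDefFinder, AttributeDefPrivilege, AccessPrivilege.GROUP_ATTR_READ/GROUP_ATTR_UPDATE); confirm them against your installed version. The holder group names ("etc:attestationReaders", "etc:attestationUpdaters"), the target group "app:payroll:employees" and the subject id "jdoe" are hypothetical.

```groovy
// Added example: grant attestation privileges via holder groups, then scope one
// steward to one group. Group names and subject id are hypothetical; API names
// assume a Grouper 2.3-era install and should be checked against your version.
import edu.internet2.middleware.grouper.GroupFinder
import edu.internet2.middleware.grouper.GroupSave
import edu.internet2.middleware.grouper.GrouperSession
import edu.internet2.middleware.grouper.SubjectFinder
import edu.internet2.middleware.grouper.attr.AttributeDef
import edu.internet2.middleware.grouper.attr.finder.AttributeDefFinder
import edu.internet2.middleware.grouper.privs.AccessPrivilege
import edu.internet2.middleware.grouper.privs.AttributeDefPrivilege
import edu.internet2.middleware.subject.Subject

GrouperSession gs = GrouperSession.startRootSession()

// The two attribute definitions the attestation UI reads and writes.
AttributeDef attestationDef = AttributeDefFinder.findByName(
    "etc:attribute:attestation:attestationDef", true)
AttributeDef attestationValueDef = AttributeDefFinder.findByName(
    "etc:attribute:attestation:attestationValueDef", true)

// Holder groups (hypothetical names) so the definition-level privileges are
// granted once to a group rather than to each user individually.
def readers = new GroupSave(gs).assignName("etc:attestationReaders")
    .assignCreateParentStemsIfNotExist(true).save()
def updaters = new GroupSave(gs).assignName("etc:attestationUpdaters")
    .assignCreateParentStemsIfNotExist(true).save()

for (AttributeDef ad : [attestationDef, attestationValueDef]) {
  // Readers: view the attestation page only.
  ad.getPrivilegeDelegate().grantPriv(readers.toSubject(), AttributeDefPrivilege.ATTR_READ, false)
  // Updaters: also allowed to mark a group as Reviewed.
  ad.getPrivilegeDelegate().grantPriv(updaters.toSubject(), AttributeDefPrivilege.ATTR_READ, false)
  ad.getPrivilegeDelegate().grantPriv(updaters.toSubject(), AttributeDefPrivilege.ATTR_UPDATE, false)
}

// Scope the actual work: definition-level privileges let the UI load, but the
// per-group attribute privileges decide which groups this person can attest.
def target = GroupFinder.findByName(gs, "app:payroll:employees", true)   // hypothetical
Subject steward = SubjectFinder.findById("jdoe", true)                    // hypothetical

updaters.addMember(steward, false)
target.grantPriv(steward, AccessPrivilege.READ, false)              // see the group
target.grantPriv(steward, AccessPrivilege.GROUP_ATTR_READ, false)   // view attestation
target.grantPriv(steward, AccessPrivilege.GROUP_ATTR_UPDATE, false) // mark Reviewed
// AccessPrivilege.UPDATE is deliberately not granted: it is only needed to edit membership.

// Verify the effective privileges (membership in the holder group counts) before
// telling the user it works.
assert target.hasRead(steward)
assert target.hasGroupAttrRead(steward)
assert target.hasGroupAttrUpdate(steward)
assert attestationDef.getPrivilegeDelegate().hasAttrUpdate(steward)
assert attestationValueDef.getPrivilegeDelegate().hasAttrUpdate(steward)

GrouperSession.stopQuietly(gs)
```

Run it from gsh as the Grouper system user. Granting the definition-level privileges to the holder groups rather than to individuals keeps the blast radius of a mistaken grant on the attribute definitions small: a user in "etc:attestationUpdaters" still cannot touch a group's attestation unless that group also gives them Attribute Read and Attribute Update.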
