grouper-users - [grouper-users] RE: Non-wheel privileges for attestation access
- From: "Redman, Chad" <>
- To: "" <>
- Subject: [grouper-users] RE: Non-wheel privileges for attestation access
- Date: Wed, 2 Aug 2017 11:58:16 +0000
The users were waiting on a fix for this, so I debugged the source code to figure out exactly what was needed for a regular user to view the attestation or mark it as Reviewed.

To view the attestation page:

1) User needs to have Read on etc:attribute:attestation:attestationDef
2) User needs to have Read on etc:attribute:attestation:attestationValueDef
3) User needs both Read and Attribute Read on the group in question

Note that the button to mark it as reviewed shows up for these users, even though they don't have the update privilege that would make it work. They just get a user-unfriendly message about no access to the attribute definition. Checking for the correct permissions before showing the button would be helpful here.

To be able to mark the group as Reviewed:

1) User needs to have Read and Update on etc:attribute:attestation:attestationDef
2) User needs to have Read and Update on etc:attribute:attestation:attestationValueDef
3) User needs Read on the group in question (Update isn't necessary unless you want them to edit the membership)
4) User needs both Attribute Read and Attribute Update on the group in question

To simplify configuration slightly, we created a Readers group and an Updaters group, instead of granting individual permissions to the attribute definitions in etc:attribute. Any users who would be doing any kind of attestation work would be put into one of these groups. It's possible that it's safe to make access to the attribute definitions public, as you can only read or edit groups where you have attribute read/update anyway. We were just playing it safe there for now.

-Chad

From: [mailto:] On Behalf Of Redman, Chad
We just had our first user get an attestation recertification email, and when they tried to certify, they reported back an error: "etc:attribute:attestation:attestation attribute doesn't exist". The user actually wasn't an admin for the group, but got the email because the address was explicitly set in the Email addresses field. However, in my testing using a non-wheel account, being an admin for the group is not enough. When I gave my non-wheel user admin privileges, I could reproduce the same error.

The only way I could get attestation to work was to grant the user read/update on etc:attribute:attestation:attestationDef and etc:attribute:attestation:attestationValueDef. But this is not desirable, as it now allows the user to edit attestation for any group. Am I looking at this the wrong way?

Thanks!
-Chad
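The Readers/Updaters approach from the message above, written out as a GSH (Grouper shell) script. This is an added example, not code from the post or from the Grouper project. The two attribute definition names are the ones the post names; the group names under `etc:attestationAccess` and the sample attested group `app:payroll:admins` are assumptions chosen for illustration, and the API calls (`GroupSave`, `AttributeDefFinder`, `grantPriv`, the `AccessPrivilege`/`AttributeDefPrivilege` constants) are the Grouper Java API as understood by the author of this example, so check them against the Grouper version you run.

```groovy
// Added example, not from the post or the Grouper project.
// Creates a Readers group and an Updaters group and grants them the privileges
// the post enumerates, so users are added to one group instead of being granted
// privileges on the attribute definitions one by one.
import edu.internet2.middleware.grouper.GrouperSession
import edu.internet2.middleware.grouper.GroupFinder
import edu.internet2.middleware.grouper.GroupSave
import edu.internet2.middleware.grouper.attr.finder.AttributeDefFinder
import edu.internet2.middleware.grouper.privs.AccessPrivilege
import edu.internet2.middleware.grouper.privs.AttributeDefPrivilege
import edu.internet2.middleware.subject.Subject

grouperSession = GrouperSession.startRootSession()

// Attribute definitions named in the post.
def attestationDefNames = [
  "etc:attribute:attestation:attestationDef",
  "etc:attribute:attestation:attestationValueDef",
]

// Assumed group names; pick whatever fits your etc: layout.
readers = new GroupSave(grouperSession)
  .assignName("etc:attestationAccess:attestationReaders")
  .assignCreateParentStemsIfNotExist(true).save()
updaters = new GroupSave(grouperSession)
  .assignName("etc:attestationAccess:attestationUpdaters")
  .assignCreateParentStemsIfNotExist(true).save()

attestationDefNames.each { name ->
  def attributeDef = AttributeDefFinder.findByName(name, true)
  def privs = attributeDef.getPrivilegeDelegate()
  // Readers: Read on both definitions is enough to view the attestation page.
  privs.grantPriv(readers.toSubject(), AttributeDefPrivilege.ATTR_READ, false)
  // Updaters: Read and Update on both definitions to mark a group as Reviewed.
  privs.grantPriv(updaters.toSubject(), AttributeDefPrivilege.ATTR_READ, false)
  privs.grantPriv(updaters.toSubject(), AttributeDefPrivilege.ATTR_UPDATE, false)
}

// The attribute-definition privileges above are global; the per-group part of
// the post's checklist still has to be granted on each attested group. Read plus
// Attribute Read lets a member view; Attribute Update is what marking Reviewed
// needs (group Update is not required unless they should edit membership).
def grantGroupAttestationPrivs(String groupName, Subject subject, boolean canMarkReviewed) {
  def group = GroupFinder.findByName(grouperSession, groupName, true)
  group.grantPriv(subject, AccessPrivilege.READ, false)
  group.grantPriv(subject, AccessPrivilege.GROUP_ATTR_READ, false)
  if (canMarkReviewed) {
    group.grantPriv(subject, AccessPrivilege.GROUP_ATTR_UPDATE, false)
  }
}

// Hypothetical attested group used only to show the two roles side by side.
grantGroupAttestationPrivs("app:payroll:admins", readers.toSubject(), false)
grantGroupAttestationPrivs("app:payroll:admins", updaters.toSubject(), true)
```

Because the attribute-definition privileges are the same for every attested group, the per-group grants are what actually scope who can review which group, which is the point the post makes about why granting Update on the definitions alone is too broad for a single group's owner.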