grouper-users - [grouper-users] RE: Non-wheel privileges for attestation access
Subject: Grouper Users - Open Discussion List
List archive
- From: "Redman, Chad" <>
- To: "Hyzer, Chris" <>, "" <>
- Subject: [grouper-users] RE: Non-wheel privileges for attestation access
- Date: Thu, 10 Aug 2017 13:57:18 +0000
- Accept-language: en-US
Read access on the group would mean Read on the attestation, and only Admin or Update would be allowed to edit the Attestation or mark reviewed, correct? We wouldn't want people with just Read access to be able to edit the attestation or even mark it reviewed. That would work fine for our needs. In theory, someone may want to delegate the Mark Reviewed function to someone that can't edit the membership, but that would be uncommon. Maybe if the attribute security were left in as a secondary check, that would still allow someone with Attribute Update to mark as reviewed without being able to edit the membership. The button to Mark Reviewed should also be changed to only show for users that can actually update, to avoid errors.

Thanks,
-Chad

From: Hyzer, Chris [mailto:]

I'm working on a patch for this that will be available shortly. The thought is that any user can use attestation regardless of the attribute security, if the user can READ/UPDATE or ADMIN a group. The UI will be a façade around the attribute security and just make that happen. Does that sound reasonable / acceptable or do you want the attribute security too? My thought is that it is burdensome in this case and not a requirement.

Thanks
Chris

From: [] On Behalf Of Redman, Chad

The users were waiting on a fix for this, so I debugged the source code to figure out exactly what was needed for a regular user to view the attestation or mark it as Reviewed.

To view the attestation page:
1) User needs to have Read on etc:attribute:attestation:attestationDef
2) User needs to have Read on etc:attribute:attestation:attestationValueDef
3) User needs both Read and Attribute Read on the group in question

Note that the button to mark it as reviewed shows up for these users, even though they don't have the update privilege that would make it work. They just get a user-unfriendly message about no access to the attribute definition. Checking for the correct permissions before showing the button would be helpful here.

To be able to mark the group as Reviewed:
1) User needs to have Read and Update on etc:attribute:attestation:attestationDef
2) User needs to have Read and Update on etc:attribute:attestation:attestationValueDef
3) User needs Read on the group in question (Update isn't necessary unless you want them to edit the membership)
4) User needs both Attribute Read and Attribute Update on the group in question

To simplify configuration slightly, we created a Readers group and an Updaters group, instead of granting individual permissions to the attribute definitions in etc:attribute. Any users who would be doing any kind of attestation work would be put into one of these groups. It's possible that it's safe to make access to the attribute definitions public, as you can only read or edit groups where you have attribute read/update anyway. We were just playing it safe there for now.

-Chad

From: [] On Behalf Of Redman, Chad

We just had our first user get an attestation recertification email, and when they tried to certify, they reported back an error: "etc:attribute:attestation:attestation attribute doesn't exist". The user actually wasn't an admin for the group, but got the email because the address was explicitly set in the Email addresses field. However, in my testing using a non-wheel account, being an admin for the group is not enough. When I gave my non-wheel user admin privileges, I could reproduce the same error. The only way I could get attestation to work was to grant the user read/update on etc:attribute:attestation:attestationDef and etc:attribute:attestation:attestationValueDef. But this is not desirable, as it now allows the user to edit attestation for any group. Am I looking at this the wrong way?

Thanks!
-Chad
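The privilege rules Chad traced (view needs Read on both attestation attribute definitions plus Read and Attribute Read on the group; Mark Reviewed additionally needs Update on both definitions plus Attribute Update on the group) and the facade behaviour Chris proposed (group Read gives view, group Update or Admin gives Mark Reviewed) can be written down as a small policy evaluator. The block below is an added model for this thread, not Grouper's own code or the patch Chris describes; the "facade" mode encodes the proposal only as the thread restates it, and the group names, users and privilege sets are constructed sample data. Running both modes against the same users shows the gap Chad raised: a user who holds Attribute Update but not Update on the group can mark reviewed under the attribute-security rules but not under the facade.

```python
"""Model of the Grouper attestation privilege rules discussed in this thread.

Added illustration, not Grouper code. The privilege data below is constructed.
"""

# Attribute definitions named in the thread.
ATTESTATION_DEF = "etc:attribute:attestation:attestationDef"
ATTESTATION_VALUE_DEF = "etc:attribute:attestation:attestationValueDef"

# A user is a dict with two maps:
#   "attr_defs": attribute-definition name -> set of {"read", "update"}
#   "groups":    group name -> set of {"read", "update", "admin",
#                                       "attr_read", "attr_update"}


def _has(privs, name, *needed):
    """True if every privilege in `needed` is held on object `name`."""
    return set(needed) <= privs.get(name, set())


def can_view_attestation(user, group, mode="attribute_security"):
    """Can `user` open the attestation page for `group`?"""
    if mode == "facade":
        # Proposed patch behaviour as restated in the thread: any group
        # Read/Update/Admin lets the user see the attestation.
        return bool({"read", "update", "admin"} & user["groups"].get(group, set()))
    # Pre-patch behaviour Chad traced in the source code.
    return (_has(user["attr_defs"], ATTESTATION_DEF, "read")
            and _has(user["attr_defs"], ATTESTATION_VALUE_DEF, "read")
            and _has(user["groups"], group, "read", "attr_read"))


def can_mark_reviewed(user, group, mode="attribute_security"):
    """Can `user` mark `group` as reviewed?

    This is also the condition under which the Mark Reviewed button should
    be rendered at all, so users never see a button that will fail.
    """
    if mode == "facade":
        return bool({"update", "admin"} & user["groups"].get(group, set()))
    return (_has(user["attr_defs"], ATTESTATION_DEF, "read", "update")
            and _has(user["attr_defs"], ATTESTATION_VALUE_DEF, "read", "update")
            and _has(user["groups"], group, "read", "attr_read", "attr_update"))


def attestation_actions(user, group, mode="attribute_security"):
    """Sorted list of attestation actions `user` may perform on `group`."""
    actions = []
    if can_view_attestation(user, group, mode):
        actions.append("view")
    if can_mark_reviewed(user, group, mode):
        actions.append("mark_reviewed")
    return actions


# Constructed sample: a Readers-group member, an Updaters-group member, and a
# group admin with no attribute-definition privileges (the original report).
SAMPLE_USERS = {
    "reader": {
        "attr_defs": {ATTESTATION_DEF: {"read"}, ATTESTATION_VALUE_DEF: {"read"}},
        "groups": {"app:payroll:admins": {"read", "attr_read"}},
    },
    "updater": {
        "attr_defs": {ATTESTATION_DEF: {"read", "update"},
                      ATTESTATION_VALUE_DEF: {"read", "update"}},
        "groups": {"app:payroll:admins": {"read", "attr_read", "attr_update"},
                   "app:hr:staff": {"read", "attr_read"}},
    },
    "group_admin": {
        "attr_defs": {},
        "groups": {"app:payroll:admins": {"admin", "read", "update"}},
    },
}


if __name__ == "__main__":
    for mode in ("attribute_security", "facade"):
        print(f"== {mode} ==")
        for name, user in SAMPLE_USERS.items():
            for group in user["groups"]:
                print(f"{name:12} {group:20} {attestation_actions(user, group, mode)}")
```

Under the attribute-security rules the group admin gets nothing, which is the "attribute doesn't exist" failure from the first message, and the Updaters member can mark reviewed only on the group where they also hold Attribute Update, matching Chad's note that definition privileges alone do not open every group. Under the facade the group admin gains both actions, while the Updaters member loses Mark Reviewed on the payroll group because they lack Update on the group itself.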
- [grouper-users] RE: Non-wheel privileges for attestation access, Redman, Chad, 08/02/2017
- [grouper-users] RE: Non-wheel privileges for attestation access, Hyzer, Chris, 08/09/2017
- [grouper-users] RE: Non-wheel privileges for attestation access, Redman, Chad, 08/10/2017
- [grouper-users] RE: Non-wheel privileges for attestation access, Hyzer, Chris, 08/10/2017
- [grouper-users] RE: Non-wheel privileges for attestation access, Redman, Chad, 08/10/2017
- [grouper-users] RE: Non-wheel privileges for attestation access, Hyzer, Chris, 08/09/2017