[grouper-users] RE: Non-wheel privileges for attestation access


  • From: "Hyzer, Chris" <>
  • To: "Redman, Chad" <>, "" <>
  • Subject: [grouper-users] RE: Non-wheel privileges for attestation access
  • Date: Thu, 10 Aug 2017 14:30:38 +0000
  • Accept-language: en-US

> Read access on the group would mean Read on the attestation, and only Admin or Update would be allowed to edit the Attestation or mark reviewed, correct?

 

Yes

 

> In theory, someone may want to delegate the Mark Reviewed function to someone that can't edit the membership, but that would be uncommon.

 

I would prefer not to support that one if that's ok :)

 

Thanks

Chris

 

From: Redman, Chad [mailto:]
Sent: Thursday, August 10, 2017 9:57 AM
To: Hyzer, Chris <>;
Subject: RE: Non-wheel privileges for attestation access

 

Read access on the group would mean Read on the attestation, and only Admin or Update would be allowed to edit the Attestation or mark reviewed, correct? We wouldn't want people with just Read access to be able to edit the attestation or even mark it reviewed.

 

That would work fine for our needs. In theory, someone may want to delegate the Mark Reviewed function to someone that can't edit the membership, but that would be uncommon. Maybe if the attribute security were left in as a secondary check, that would still allow someone with Attribute Update to mark as reviewed without being able to edit the membership.

 

The button to Mark Reviewed should also be changed to only show for users that can actually update, to avoid errors.

 

Thanks,

-Chad

 

From: Hyzer, Chris []
Sent: Wednesday, August 09, 2017 11:22 AM
To: Redman, Chad <>;
Subject: RE: Non-wheel privileges for attestation access

 

I'm working on a patch for this that will be available shortly.  The thought is that any user can use attestation regardless of the attribute security, if the user can READ/UPDATE or ADMIN a group.  The UI will be a façade around the attribute security and just make that happen.  Does that sound reasonable / acceptable or do you want the attribute security too?  My thought is that it is burdensome in this case and not a requirement.

 

Thanks

Chris

 

From: [] On Behalf Of Redman, Chad
Sent: Wednesday, August 02, 2017 7:58 AM
To:
Subject: [grouper-users] RE: Non-wheel privileges for attestation access

 

The users were waiting on a fix for this, so I debugged the source code to figure out exactly what was needed for a regular user to view the attestation or mark it as Reviewed.

 

To view the attestation page:

 

1) User needs to have Read on etc:attribute:attestation:attestationDef

2) User needs to have Read on etc:attribute:attestation:attestationValueDef

3) User needs both Read and Attribute Read on the group in question

 

Note that the button to mark it as reviewed shows up for these users, even though they don't have the update privilege that would make it work. They just get a user-unfriendly message about no access to the attribute definition. Checking for the correct permissions before showing the button would be helpful here.

 

 

To be able to mark the group as Reviewed:

 

1) User needs to have Read and Update on etc:attribute:attestation:attestationDef

2) User needs to have Read and Update on etc:attribute:attestation:attestationValueDef

3) User needs Read on the group in question (Update isn't necessary unless you want them to edit the membership)

4) User needs both Attribute Read and Attribute Update on the group in question

 

 

To simplify configuration slightly, we created a Readers group and an Updaters group, instead of granting individual permissions to the attribute definitions in etc:attribute. Any users who would be doing any kind of attestation work would be put into one of these groups. It's possible that it's safe to make access to the attribute definitions public, as you can only read or edit groups where you have attribute read/update anyway. We were just playing it safe there for now.

 

-Chad
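The two privilege lists above, carried out as a GSH (Groovy) script. This is an added example, not code from the thread or from the Grouper project: it creates the Readers and Updaters groups Chad describes, grants them Read (and, for Updaters, Update) on the two attestation attribute definitions, and then gives one reviewer the per-group privileges needed to mark a group reviewed without being able to edit its membership, finishing with a check of the effective privileges. The group names etc:attestation:attestationReaders and etc:attestation:attestationUpdaters, the target group app:hr:payrollAdmins and the subject id jdoe are assumptions for illustration; the Grouper API calls are the standard Group, GroupSave, AttributeDefFinder and privilege-delegate methods.

```groovy
// Added example (not from the thread): GSH script implementing the privilege
// lists above. Group names, target group and subject id are hypothetical.
import edu.internet2.middleware.grouper.Group
import edu.internet2.middleware.grouper.GroupFinder
import edu.internet2.middleware.grouper.GroupSave
import edu.internet2.middleware.grouper.GrouperSession
import edu.internet2.middleware.grouper.SubjectFinder
import edu.internet2.middleware.grouper.attr.AttributeDef
import edu.internet2.middleware.grouper.attr.finder.AttributeDefFinder
import edu.internet2.middleware.grouper.privs.AccessPrivilege
import edu.internet2.middleware.grouper.privs.AttributeDefPrivilege
import edu.internet2.middleware.subject.Subject

GrouperSession grouperSession = GrouperSession.startRootSession()
try {
  // Assumed names (hypothetical)
  String readersName  = "etc:attestation:attestationReaders"
  String updatersName = "etc:attestation:attestationUpdaters"
  String targetGroup  = "app:hr:payrollAdmins"
  String subjectId    = "jdoe"

  // Readers/Updaters groups instead of per-user grants on the attribute defs
  Group readers  = new GroupSave(grouperSession).assignName(readersName)
                     .assignCreateParentStemsIfNotExist(true).save()
  Group updaters = new GroupSave(grouperSession).assignName(updatersName)
                     .assignCreateParentStemsIfNotExist(true).save()
  Subject readersSubject  = readers.toSubject()
  Subject updatersSubject = updaters.toSubject()

  // Steps 1 and 2 of both lists: privileges on the attestation attribute definitions.
  // These are global to the definition, so an Updaters member may update the
  // attestation attribute anywhere, but only on groups where they also hold
  // Attribute Read/Update (steps 3 and 4).
  for (String defName : ["etc:attribute:attestation:attestationDef",
                         "etc:attribute:attestation:attestationValueDef"]) {
    AttributeDef attrDef = AttributeDefFinder.findByName(defName, true)
    attrDef.getPrivilegeDelegate().grantPriv(readersSubject,  AttributeDefPrivilege.ATTR_READ,   false)
    attrDef.getPrivilegeDelegate().grantPriv(updatersSubject, AttributeDefPrivilege.ATTR_READ,   false)
    attrDef.getPrivilegeDelegate().grantPriv(updatersSubject, AttributeDefPrivilege.ATTR_UPDATE, false)
  }

  // Steps 3 and 4: per-group privileges for one reviewer. Update on the group is
  // deliberately not granted, so this user can mark reviewed but not edit membership.
  Subject reviewer = SubjectFinder.findById(subjectId, true)
  Group group = GroupFinder.findByName(grouperSession, targetGroup, true)
  updaters.addMember(reviewer, false)
  group.grantPriv(reviewer, AccessPrivilege.READ, false)
  group.grantPriv(reviewer, AccessPrivilege.GROUP_ATTR_READ, false)
  group.grantPriv(reviewer, AccessPrivilege.GROUP_ATTR_UPDATE, false)

  // Check the effective result before asking the user to retry
  AttributeDef valueDef = AttributeDefFinder.findByName(
      "etc:attribute:attestation:attestationValueDef", true)
  boolean canMarkReviewed = group.hasRead(reviewer) &&
                            group.hasGroupAttrRead(reviewer) &&
                            group.hasGroupAttrUpdate(reviewer) &&
                            valueDef.getPrivilegeDelegate().hasAttrRead(reviewer) &&
                            valueDef.getPrivilegeDelegate().hasAttrUpdate(reviewer)
  println "can mark reviewed: " + canMarkReviewed +
          ", can edit membership: " + group.hasUpdate(reviewer)
} finally {
  GrouperSession.stopQuietly(grouperSession)
}
```

The final check mirrors the privilege set the reviewer needs: with the grants above, "can mark reviewed" should be true and "can edit membership" false. Granting ATTR_UPDATE on the definitions through a group rather than per user keeps the global part of the grant in one place that can be audited and revoked.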


From: [] On Behalf Of Redman, Chad
Sent: Wednesday, June 28, 2017 11:44 AM
To:
Subject: [grouper-users] Non-wheel privileges for attestation access

 


We just had our first user get an attestation recertification email, and when they tried to certify, they reported back an error: "etc:attribute:attestation:attestation attribute doesn't exist".

 

The user actually wasn't an admin for the group, but got the email because the address was explicitly set in the Email addresses field. However, in my testing using a non-wheel account, being an admin for the group is not enough. When I gave my non-wheel user admin privileges, I could reproduce the same error. The only way I could get attestation to work was to grant the user read/update on etc:attribute:attestation:attestationDef and etc:attribute:attestation:attestationValueDef. But this is not desirable, as it now allows the user to edit attestation for any group.

 

Am I looking at this the wrong way?

 

Thanks!

-Chad
