
grouper-users - AW: [grouper-users] Subject cannot groupAttrRead

Subject: Grouper Users - Open Discussion List

  • From: "Biernath, Jutta" <>
  • To: "Biernath, Jutta" <>
  • Cc: "" <>
  • Subject: AW: [grouper-users] Subject cannot groupAttrRead
  • Date: Fri, 25 Aug 2017 11:13:09 +0200

Hi all,

 

I’ve found the error: For assigning the attribute I’ve used the groupPostInsert hook, but at that stage the group doesn’t really exist yet, so the creator has no admin rights yet. They are set later in the progress. So I’ve shifted my assignment into the groupPostCommitInsert hook. Now it works fine.

 

 

Thanks,

 

Jutta

 

--------------------

 

Freie Universität Berlin

Zentraleinrichtung Datenverarbeitung

FU Directory and Identity Service

Fabeckstr. 32

14195 Berlin, Germany

 

Phone +49 30 838-58385

https://www.zedat.fu-berlin.de/FUDIS

 

From: [mailto:] On behalf of Biernath, Jutta
Sent: Friday, 25 August 2017 09:17
To: Julio Polo <>
Cc:
Subject: AW: [grouper-users] Subject cannot groupAttrRead

 

Hi, Julio,

 

I have given the group admins all rights I could give via UI (v. 2.2). They are admins of the Attribute Definition as well as admins of the group. This "groupAttrRead" privilege seems to be different from the normal "Attribute Read" privilege. The web application log is the only place where it is mentioned.

 

 

Thank you,

 

Jutta

 

 

 

 

--------------------

 

Freie Universität Berlin

Zentraleinrichtung Datenverarbeitung

FU Directory and Identity Service

Fabeckstr. 32

14195 Berlin, Germany

 

Phone +49 30 838-58385

https://www.zedat.fu-berlin.de/FUDIS

 

From: Julio Polo []
Sent: Thursday, 24 August 2017 21:34
To: Biernath, Jutta <>
Cc:
Subject: Re: [grouper-users] Subject cannot groupAttrRead

 

We're using Grouper 2.2.2 and I'm able to set "Attribute Read" by using the New UI like this:

Search for and click on the group (which takes you to the membership tab)

Click on the Privileges tab.

Click on "Add members" button near the top right, and you'll be able to assign the ATTRIBUTE READ on that group for any subject.

 

-julio

 

On Thu, Aug 24, 2017 at 4:02 AM, Jutta Biernath <> wrote:

Hello,

I have recently introduced a group attribute via AttributeFramework which is
now already assigned to several groups. As long as a wheel group member works
with it, everything works fine.

There are also users that have to be able to assign and handle this attribute
themselves without being member of the wheel group. For them I have edited the
group mask in the NewUI so that they can assign it if they want. Also this
works - as long as a wheel group member does it.

For making sure that the named users can handle that too I have made them
admins of the group as well as admins of the attribute. I.e. I have given them
ALL privileges I could, at least via NewUI and LiteUI.

Now the problem: If one of the other users tries to assign this attribute via
NewUI he gets the message "Insufficient privileges". Checking the log files of
the web application I find:

"Insufficient privilege exception for group create: 'xxx'/'person'/'xxx'
edu.internet2.middleware.grouper.exception.InsufficientPrivilegeException:
Subject Subject id: xx, sourceId: xxx cannot groupAttrRead"

I have understood that the privilege "groupAttrRead" came along with the
upgrade to Grouper 2.2, but there seems to be no way to assign this privilege
anywhere in the UIs. In the source code I found it in AccessPrivilege.java;
can you please give me an example of how to handle that? Is it planned to
include it in one of the UIs?


Thank you,

Jutta Biernath
FU Berlin

 



