grouper-users - RE: [grouper-users] Noob Question about VIEW permissions

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: Rob Gorrell <>, Andrew Morgan <>
  • Cc: Jeffrey Williams <>, Grouper-Users <>
  • Subject: RE: [grouper-users] Noob Question about VIEW permissions
  • Date: Tue, 10 Apr 2018 18:26:32 +0000
  • Accept-language: en-US

Yes correct.

 

A Grouper sysadmin could construct the groups for someone else who doesn't have READ on the underlying FERPA groups.  Otherwise, users need READ or ADMIN on the member group.

 

If you can READ a group you can see who's in the group whether or not you can READ the underlying member groups.

 

Thanks

Chris

 

 

From: [mailto:] On Behalf Of Rob Gorrell
Sent: Tuesday, April 10, 2018 1:09 PM
To: Andrew Morgan <>
Cc: Jeffrey Williams <>; Grouper-Users <>
Subject: Re: [grouper-users] Noob Question about VIEW permissions

 

Andy, 

 

I thought I had seen situations where an admin who has privs to both groups adds group A as a member to B. If A's owner doesn't have READ privs to B, they would simply not see B's subjects listed as indirect members of A (even though they were in fact members). This gave me hope this is what the VIEW permission was intended for... the ability to use a group as a component factor, preserving anonymity of its members from those that lack READ. But that's not what you are saying... the purpose of VIEW seems simply a way of announcing the group's existence, though this permission alone implies no practical usability of the group to those that possess it. Is that correct?

 

Do you have any suggestions on how to approach groups with sensitive membership (say FERPA) that might need to be used in the construction of other non-sensitive groups? Or are you going to say there's no getting away from transitivity here?

 

-Rob

 

 

On Tue, Apr 10, 2018 at 11:41 AM, Andrew Morgan <> wrote:

On Tue, 10 Apr 2018, Jeffrey Williams wrote:

I'm working on a permissions model for a group of users to allow them to use a group without seeing its membership.

When I apply the view permission for a group, the target user can see that the group exists, can't see the membership, but also cannot add it to groups of their own for use.

To contrast, a user with read permissions can add the group as a member of a target group.  The user with view permissions on that same target group can see the member group, but not the resulting indirect member names (I think only blank rows).

Should users have read permissions in order to add a group as a member?  Is there something I can configure or have misconfigured to adjust that behavior?

 

If your users need to add group FOO to one of their groups, then they need READ privileges on group FOO.

If a person with VIEW privileges were able to add group FOO to their own group, they could discover the membership of group FOO.

        Andy



 

--

Robert W. Gorrell
IT Manager, Identity and Access Management

University of NC at Greensboro
336-334-5954
PGP Key ID B36DB0CA
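
The two rules stated in this thread (Andy: adding group FOO as a member of your own group requires READ on FOO, because otherwise you could discover FOO's membership; Chris: READ on a composite group reveals its indirect members regardless of your privileges on the member groups) can be checked against a small model. The following is an added example written for this archive page, not Grouper's own code or API. Only the privilege names (VIEW, READ, UPDATE, ADMIN) follow Grouper's vocabulary; the class names, the `require_read_to_add` switch, the sample groups `etc:ferpa` and `rob:mygroup`, and the people in them are constructed for the illustration.

```python
"""Toy model of Grouper-style group privileges (added example, not Grouper code).

Models the two points from the thread:
  1. Adding group FOO to your own group must require READ on FOO; if VIEW were
     enough, you could read your own group and learn FOO's members.
  2. Even when a sysadmin builds the composite for you, READ on the composite
     reveals the sensitive group's people as indirect members (transitivity).
All names and sample data below are constructed for this example.
"""

VIEW, READ, UPDATE, ADMIN = "VIEW", "READ", "UPDATE", "ADMIN"


class AccessDenied(Exception):
    pass


class Group:
    def __init__(self, name):
        self.name = name
        self.members = set()   # direct members: person ids or Group objects
        self.privs = {}        # user -> set of privileges on this group

    def grant(self, user, *privs):
        self.privs.setdefault(user, set()).update(privs)

    def has(self, user, priv):
        p = self.privs.get(user, set())
        # ADMIN is treated as implying every other privilege (Grouper semantics).
        return priv in p or ADMIN in p

    def effective_members(self):
        """Flatten direct and indirect (via member groups) membership."""
        out = set()
        for m in self.members:
            out |= m.effective_members() if isinstance(m, Group) else {m}
        return out


class Registry:
    """Enforces the privilege checks; `require_read_to_add` toggles Andy's rule
    (True = Grouper's behaviour as described; False = the hypothetical VIEW-only rule)."""

    def __init__(self, require_read_to_add=True):
        self.require_read_to_add = require_read_to_add

    def can_view(self, user, group):
        return group.has(user, VIEW) or group.has(user, READ)

    def read_members(self, user, group):
        if not group.has(user, READ):
            raise AccessDenied(f"{user} lacks READ on {group.name}")
        return group.effective_members()

    def add_group_member(self, user, target, member_group):
        if not target.has(user, UPDATE):
            raise AccessDenied(f"{user} lacks UPDATE on {target.name}")
        needed = READ if self.require_read_to_add else VIEW
        if not member_group.has(user, needed):
            raise AccessDenied(f"{user} lacks {needed} on {member_group.name}")
        target.members.add(member_group)


def build_scenario(require_read_to_add=True):
    """Sensitive group `etc:ferpa`; `rob` has only VIEW on it but ADMIN on `rob:mygroup`.
    `sysadmin` has ADMIN on both (constructed data)."""
    reg = Registry(require_read_to_add)
    ferpa = Group("etc:ferpa")
    ferpa.members.update({"student1", "student2"})
    ferpa.grant("rob", VIEW)
    ferpa.grant("sysadmin", ADMIN)
    mygroup = Group("rob:mygroup")
    mygroup.grant("rob", ADMIN)
    mygroup.grant("sysadmin", ADMIN)
    return reg, ferpa, mygroup


def try_leak(require_read_to_add):
    """Rob tries to add etc:ferpa to his own group. Returns the ferpa members he
    learns by reading his own group, or None if the add was refused."""
    reg, ferpa, mygroup = build_scenario(require_read_to_add)
    assert reg.can_view("rob", ferpa)        # VIEW: rob knows the group exists
    try:
        reg.add_group_member("rob", mygroup, ferpa)
    except AccessDenied:
        return None
    return reg.read_members("rob", mygroup)  # READ on his own group exposes ferpa's people


def sysadmin_path():
    """Chris's point: a sysadmin builds the composite; rob, with READ on the composite
    but not on etc:ferpa, still sees ferpa's members as indirect members."""
    reg, ferpa, mygroup = build_scenario(True)
    reg.add_group_member("sysadmin", mygroup, ferpa)
    return reg.read_members("rob", mygroup)


if __name__ == "__main__":
    print("READ required, rob adds ferpa :", try_leak(True))    # None: refused
    print("VIEW sufficient, rob adds ferpa:", try_leak(False))  # members leaked
    print("sysadmin builds it, rob READs  :", sysadmin_path())  # members visible
```

The model makes the trade-off concrete: requiring READ on the member group closes the self-service inference path, but any design that lets someone READ a composite containing the FERPA group still discloses that group's people through indirect membership. Protecting the sensitive membership therefore has to happen at the composite (for example, by not granting READ on groups that include it), not by weakening the add-member check.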



