

Subject: Grouper Users - Open Discussion List


[grouper-users] Is it possible to block inherited privs on some objects?


  • From: "Black, Carey M." <>
  • To: "" <>
  • Subject: [grouper-users] Is it possible to block inherited privs on some objects?
  • Date: Mon, 14 Jan 2019 15:13:10 +0000

Before I go invent something for myself....
Is there an existing way to tag/restrict inherited privileges in
Grouper?


I have a condition where generally I want to use inherited privileges on
(groups/folders/attributes) but I also have some exceptions to that as well.
A folder that should be "fully controlled" (read ADMIN) by GroupA.
However, GroupB wants some groups/folders to exist in that folder and they
don't want GroupA to be able to make changes to them.
NOTE: I am not concerned about GroupA having visibility to the
objects. I am only concerned about preventing GroupA from being able to
change the objects. (All things like: object rename, object delete, member
changes, attribute changes (values, add/remove, etc.).)

I am leaning toward making a set of hooks that add an additional
"authorization check" before allowing any Stem, Group, Attribute, Membership
event from completing.
The attribute would have a "GroupName" value, or a list with a
"requireOne, requireAll" specification. If the user making the change is not a
member of "GroupName", then throw a HookVeto with a message.


Is there an easier way to achieve this?

Other thoughts?

--
Carey Matthew
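The hook design sketched in the post, as an added Java example that is not part of the original message or of the Grouper project: a GroupHooks subclass that vetoes group update and delete unless the acting subject is a member of the group named in an attribute on the protected object. The attribute name `etc:attribute:protectedOwnerGroup` and the class name are assumptions; the Grouper API calls are written from memory of the hooks API and should be checked against the installed Grouper version. The same pattern extends to StemHooks and MembershipHooks for the folder and membership events the post mentions.

```java
import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.hooks.GroupHooks;
import edu.internet2.middleware.grouper.hooks.beans.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean;
import edu.internet2.middleware.grouper.hooks.logic.HookVeto;
import edu.internet2.middleware.subject.Subject;

/**
 * Vetoes update/delete of a group unless the acting subject is a member of the
 * "owner group" named in an attribute on that group. Groups without the
 * attribute keep ordinary (inherited) privilege behaviour.
 */
public class OwnerGroupVetoHooks extends GroupHooks {

  // Assumed attribute definition name; it must be created in Grouper first.
  private static final String OWNER_ATTR = "etc:attribute:protectedOwnerGroup";

  @Override
  public void groupPreUpdate(HooksContext hooksContext, HooksGroupBean preUpdateBean) {
    vetoUnlessOwner(hooksContext, preUpdateBean.getGroup(), "update");
  }

  @Override
  public void groupPreDelete(HooksContext hooksContext, HooksGroupBean preDeleteBean) {
    vetoUnlessOwner(hooksContext, preDeleteBean.getGroup(), "delete");
  }

  private void vetoUnlessOwner(HooksContext hooksContext, Group group, String action) {
    String ownerGroupName = group.getAttributeValueDelegate().retrieveValueString(OWNER_ATTR);
    if (ownerGroupName == null || ownerGroupName.isEmpty()) {
      return; // not a protected object: fall back to inherited privileges
    }
    Subject actor = hooksContext.getSubjectLoggedIn();
    // Resolve the owner group as root so the lookup itself is not privilege-limited.
    GrouperSession root = GrouperSession.staticGrouperSession().internal_getRootSession();
    Group ownerGroup = GroupFinder.findByName(root, ownerGroupName, false);
    if (ownerGroup != null && actor != null && ownerGroup.hasMember(actor)) {
      return; // actor is in the owner group: allow the change
    }
    // Fail closed: missing owner group or unknown actor also results in a veto.
    throw new HookVeto("veto.group.notOwner",
        "Cannot " + action + " " + group.getName() + ": not a member of " + ownerGroupName);
  }
}
```

The class is registered through the `hooks.group.class` setting in grouper.properties; membership and attribute-value changes are separate hook types and need their own subclasses using the same check.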





