
grouper-users - [grouper-users] Re: Is it possible to block inherited privs on some objects?

Subject: Grouper Users - Open Discussion List

  • From: "Hyzer, Chris" <>
  • To: "Black, Carey M." <>, "" <>
  • Subject: [grouper-users] Re: Is it possible to block inherited privs on some objects?
  • Date: Wed, 23 Jan 2019 16:23:54 +0000

Nope. Can you organize your folders so that the inheritance is pure? E.g., put a folder to the side that has the one-offs. Otherwise, if you inherit privs, I wouldn't change those afterwards with a hook. You could do the whole thing outside of inherited privs if that's what you mean. Thanks, Chris


From: <> on behalf of Black, Carey M. <>
Sent: Monday, January 14, 2019 10:13:10 AM
To:
Subject: [grouper-users] Is it possible to block inherited privs on some objects?
 
Before I go invent something for myself....
        Is there an existing way to tag/restrict inherited privileges in Grouper?


I have a condition where generally I want to use inherited privileges on (groups/folders/attributes) but I also have some exceptions to that as well.
        A folder that should be "fully controlled" (read ADMIN) by GroupA. However, GroupB wants some groups/folders to exist in that folder and they don't want GroupA to be able to make changes to them.
        NOTE: I am not concerned about GroupA having visibility to the objects. I am only concerned about preventing GroupA from being able to change the objects (all things like: object rename, object delete, member changes, attribute changes (values, add/remove, etc.)).

I am leaning toward making a set of hooks that add an additional "authorization check" before allowing any Stem, Group, Attribute, or Membership event to complete.
        The attribute would have a "GroupName" value, or a list with a "requireOne, RequireAll" specification. If the user making the change is not a member of "GroupName", then throw HookVeto with a message.


Is there an easier way to achieve this?

Other thoughts?

--
Carey Matthew
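
A minimal model of the veto check described in the message above, added here as an illustration; it is not Grouper code and not from either poster. All names (`Guard`, `check_change`, the `HookVeto` stand-in exception, the event names, the sample paths and users) are hypothetical, and it assumes that a guard set on a folder also covers the objects beneath it.

```python
from dataclasses import dataclass

# Change events the post wants guarded; viewing an object is deliberately not listed.
CHANGE_EVENTS = {"rename", "delete", "member_change", "attribute_change"}

class HookVeto(Exception):
    """Stand-in for the veto a hook would raise to abort the operation."""

@dataclass(frozen=True)
class Guard:
    groups: tuple              # group names stored in the marker attribute
    mode: str = "requireOne"   # or "requireAll"

def nearest_guard(path, guards):
    """Walk from the object up through its parent folders; the closest guard wins."""
    parts = path.split(":")
    for i in range(len(parts), 0, -1):
        guard = guards.get(":".join(parts[:i]))
        if guard is not None:
            return guard
    return None

def check_change(event, path, actor, guards, memberships):
    """Raise HookVeto unless the actor satisfies the guard that covers path."""
    if event not in CHANGE_EVENTS:
        return  # visibility is out of scope for the guard
    guard = nearest_guard(path, guards)
    if guard is None:
        return  # unguarded object: inherited privileges decide as usual
    hits = [g in memberships.get(actor, set()) for g in guard.groups]
    if guard.mode == "requireOne":
        ok = any(hits)
    elif guard.mode == "requireAll":
        ok = bool(hits) and all(hits)
    else:
        ok = False  # unknown mode or empty list fails closed
    if not ok:
        raise HookVeto(f"{actor} may not {event} {path}: {guard.mode} of {guard.groups}")

# Constructed sample data: alice is in GroupA (inherited ADMIN), bob is in GroupB.
GUARDS = {"dept:groupB_area": Guard(("GroupB",))}
MEMBERSHIPS = {"alice": {"GroupA"}, "bob": {"GroupB"}}

def is_vetoed(event, path, actor):
    try:
        check_change(event, path, actor, GUARDS, MEMBERSHIPS)
    except HookVeto:
        return True
    return False
```

Because attribute changes are among the guarded events, the marker attribute on a guarded object is itself covered, so a GroupA admin cannot remove the guard to regain control.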




