
Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] RE: Is it possible to block inherited privs on some objects?

Chronological Thread 
  • From: "Black, Carey M." <>
  • To: "Hyzer, Chris" <>, "" <>
  • Subject: [grouper-users] RE: Is it possible to block inherited privs on some objects?
  • Date: Wed, 23 Jan 2019 17:37:59 +0000



Sadly the placement is relevant to how the groups are being used.


The basics for my needs are that the exceptions to the rule (inherited permissions) are smaller and definable, while the rule is “open ended”.


Essentially (in short form):

    In a folder there will be a set of N groups that need to be “restricted”, but the folder should allow others to add new groups at will.


To be fair, I also long for the ability to:

    Allow some users to (in a folder):

        Create groups but not new folders.

    And other users to:

        Create groups and folders.



So I really think that I need the hook-based “additional access controls”. (I think I can generally “skin this cat” via some attributes and hooks.)



Carey Matthew


From: Hyzer, Chris <>
Sent: Wednesday, January 23, 2019 11:24 AM
To: Black, Carey M. <>;
Subject: Re: Is it possible to block inherited privs on some objects?


Nope.  Can you organize your folders so that the inheritance is pure?  e.g. put a folder to the side that has the one-offs.  Otherwise, if you inherit privs, I wouldn't change those afterwards with a hook.  You could do the whole thing outside of inherited privs, if that's what you mean.  Thanks, Chris

From: <> on behalf of Black, Carey M. <>
Sent: Monday, January 14, 2019 10:13:10 AM
Subject: [grouper-users] Is it possible to block inherited privs on some objects?


Before I go invent something for myself....
        Is there an existing way to tag/restrict inherited privileges in Grouper?

I have a condition where generally I want to use inherited privileges on (groups/folders/attributes) but I also have some exceptions to that as well.
        A folder that should be "fully controlled" (read: ADMIN) by GroupA. However, GroupB wants some groups/folders to exist in that folder, and they don't want GroupA to be able to make changes to them.
        NOTE: I am not concerned about GroupA having visibility to the objects. I am only concerned about preventing GroupA from being able to change the objects. (All things like: object rename, object delete, member changes, attribute changes (values, add/remove, etc.).)

I am leaning toward making a set of hooks that add an additional "authorization check" before allowing any Stem, Group, Attribute, or Membership event to complete.
        The attribute would have a "GroupName" value, or a list with a "requireOne" / "requireAll" specification. If the user making the change is not a member of "GroupName", then throw a HookVeto with a message.

Is there an easier way to achieve this?

Other thoughts?

Carey Matthew
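One way to implement the hook-based check sketched in the original post (the attribute-driven HookVeto idea) and the hook-based "additional access controls" the later reply refers to, as an added example that is not code from these posts or from the Grouper project. It uses the Grouper `GroupHooks` / `HookVeto` API as the author of this example recalls it (`HooksContext.getSubjectLoggedIn()`, `AttributeValueDelegate.retrieveValuesString` returning a `Set<String>`, `GrouperSession.startRootSession(boolean)`); the `example.hooks` package, the two attribute names, and the `requireOne` / `requireAll` value convention are assumptions, not anything the thread or Grouper defines.

```java
package example.hooks; // hypothetical package name

import java.util.HashSet;
import java.util.Set;

import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GroupFinder;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.hooks.GroupHooks;
import edu.internet2.middleware.grouper.hooks.HooksContext;
import edu.internet2.middleware.grouper.hooks.beans.HooksGroupBean;
import edu.internet2.middleware.grouper.hooks.logic.HookVeto;
import edu.internet2.middleware.subject.Subject;

/**
 * Extra authorization check layered on top of Grouper's own privilege check:
 * a group tagged with a "lock groups" attribute can only be updated (including
 * renamed) or deleted by a subject who is a member of the named group(s).
 * Groups without the attribute fall through to normal (inherited) privileges.
 * The hook runs in addition to, not instead of, the ADMIN privilege check.
 */
public class RestrictedObjectGroupHooks extends GroupHooks {

  /** Assumed multi-valued attribute: each value is a group name, e.g. "app:owners". */
  static final String LOCK_GROUPS_ATTR = "etc:attribute:restricted:lockGroups";

  /** Assumed single-valued attribute: "requireOne" (the default) or "requireAll". */
  static final String LOCK_MODE_ATTR = "etc:attribute:restricted:lockMode";

  @Override
  public void groupPreUpdate(HooksContext hooksContext, HooksGroupBean preUpdateBean) {
    enforce(hooksContext, preUpdateBean.getGroup(), "update");
  }

  @Override
  public void groupPreDelete(HooksContext hooksContext, HooksGroupBean preDeleteBean) {
    enforce(hooksContext, preDeleteBean.getGroup(), "delete");
  }

  /** Throws HookVeto (which aborts the operation) when the actor is not authorized. */
  static void enforce(HooksContext hooksContext, Group group, String action) {
    Set<String> lockGroupNames =
        group.getAttributeValueDelegate().retrieveValuesString(LOCK_GROUPS_ATTR);
    if (lockGroupNames == null || lockGroupNames.isEmpty()) {
      return; // not a restricted object: let inherited privileges decide
    }
    String mode = group.getAttributeValueDelegate().retrieveValueString(LOCK_MODE_ATTR);
    boolean requireAll = "requireAll".equalsIgnoreCase(mode);

    Subject actor = hooksContext.getSubjectLoggedIn();
    if (actor == null) {
      // Fail closed: a restricted object is never changed by an unknown actor.
      throw new HookVeto("veto.restricted.noActor",
          "Cannot " + action + " restricted group " + group.getName() + ": no acting subject");
    }

    // Resolve the lock groups as root: the actor may lack READ on them, and that
    // must not turn into a silent allow. A misspelled lock group name throws from
    // findByName (exceptionIfNotFound = true) and so also blocks the change.
    GrouperSession root = GrouperSession.startRootSession(false);
    try {
      int satisfied = 0;
      Set<String> missing = new HashSet<String>();
      for (String name : lockGroupNames) {
        Group lockGroup = GroupFinder.findByName(root, name, true);
        if (lockGroup.hasMember(actor)) {
          satisfied++;
        } else {
          missing.add(name);
        }
      }
      boolean allowed = requireAll ? missing.isEmpty() : satisfied > 0;
      if (!allowed) {
        throw new HookVeto("veto.restricted.notMember",
            "Cannot " + action + " " + group.getName() + ": " + actor.getId()
            + " must be a member of " + (requireAll ? "all of " : "one of ") + lockGroupNames);
      }
    } finally {
      root.stop();
    }
  }
}
```

Register it in grouper.properties with `hooks.group.class = example.hooks.RestrictedObjectGroupHooks`. Member changes need the same `enforce` call from a `MembershipHooks` subclass (`membershipPreAddMember` / `membershipPreRemoveMember`, taking the group from the `HooksMembershipChangeBean`), and the "create groups but not folders" wish would be a veto in a `StemHooks` `stemPreInsert` method; both method names are from memory and should be checked against the Grouper version in use. Note the caveat from the reply above: the subject still holds ADMIN through inheritance, so Grouper's UI and privilege queries will keep reporting it as an admin; only the operation itself is refused.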
