
grouper-users - RE: [grouper-users] How to define stem navigator privileges

Subject: Grouper Users - Open Discussion List

  • From: "Black, Carey M." <>
  • To: Olivier Salaün <>, "Hyzer, Chris" <>, "" <>
  • Subject: RE: [grouper-users] How to define stem navigator privileges
  • Date: Fri, 27 Mar 2020 14:06:31 +0000

Olivier,

 

RE: “The only drawback: it provides view privilege on the complete Grouper hierarchy (not on a specific stem)."

 

If you want it limited to a stem (and/or sub stems) then the way to go would be with https://spaces.at.internet2.edu/display/Grouper/Grouper+rules+privileges+inheritance+on+UI.

               

--

Carey Matthew

 

From: <> On Behalf Of Olivier Salaün
Sent: Friday, March 27, 2020 9:44 AM
To: Hyzer, Chris <>;
Subject: Re: [grouper-users] How to define stem navigator privileges

 

Thank you for your help, Chris.

I tried enabling the security.show.folders.where.user.can.see.subobjects property, but, as you mentioned, it does not provide visibility on groups.

I ended up setting these properties in grouper.properties:

# A viewonly wheel group allows you to enable non-GrouperSystem subjects to act
# like a root user when viewing the registry.
# {valueType: "boolean", required: true}
groups.wheel.viewonly.use                      = true

# Set to the name of the group you want to treat as the viewonly wheel group.
# The members of this group will be treated as root-like users when viewing objects.
# {valueType: "group", required: true}
groups.wheel.viewonly.group                    = etc:administration:globalViewers

The etc:administration:globalViewers group includes other groups to meet our target population.

The only drawback: it provides view privilege on the complete Grouper hierarchy (not on a specific stem). But this is acceptable in our context.

On 25/03/2020 at 17:25, Hyzer, Chris wrote:

In the grouper.properties set this:

 

security.show.folders.where.user.can.see.subobjects = false

 

and see if it does what you want.

 

Note, users will be able to see folders but not groups… you want all users to be able to see all groups but not members?  Maybe make a group of people who can see everyone (add all your active people in there or from reference group), and assign an inherited priv on the root folder that says that group can VIEW all groups and attributes.  Then your active people can see things exist.  Note, I don’t really recommend using EveryEntity since you can’t restrict that in future and it might not be what you really want.

 

Thanks

 

 

From: On Behalf Of Olivier Salaün
Sent: Wednesday, March 25, 2020 11:49 AM
To:
Subject: [grouper-users] How to define stem navigator privileges

 

After an upgrade from Grouper 2.2.2 => 2.4.0 we noticed a difference regarding stem navigation in the GUI.

With Grouper 2.2.2 any logged in user could navigate through the stems/groups. However he could not view group members, unless he was a member of the group listed in the groups.wheel.readonly.group property. This behavior was suitable for us.

With Grouper 2.4.0 (with parameters from 2.2.2 maintained) any logged in user can no longer navigate through the stems/groups. Here is what he sees:

 

I went through the wiki, changelog and grouper-ui-ng.base.properties properties, but could not find a way to change this behavior.

Is this a known change from 2.2.2 to 2.4.0?

Is there a property to customize this behavior?

 

Thank you

-- 
Olivier Salaün
DSI / pôle SI / équipe SNUM
Tel : 02 23 23 74 54
-- 
Olivier Salaün
DSI / pôle SI / équipe SNUM
Tel : 02 23 23 74 54
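
An added example, not part of the thread and not Grouper's own code: a small check over grouper.properties that reports the visibility settings discussed above and flags that the view-only wheel group applies to the whole registry rather than to one stem. The function names and finding texts are assumptions of this example, and the sample input is constructed from the values quoted in the thread.

```python
import re

# Property names taken from the thread; finding texts are this example's wording.
VIEWONLY_USE = "groups.wheel.viewonly.use"
VIEWONLY_GROUP = "groups.wheel.viewonly.group"
SHOW_FOLDERS = "security.show.folders.where.user.can.see.subobjects"

def parse_properties(text):
    """Parse simple Java-style key/value lines (no line continuations)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return (level, message) findings for the settings named in the thread."""
    p = parse_properties(text)
    findings = []
    use = p.get(VIEWONLY_USE, "").lower() == "true"
    group = p.get(VIEWONLY_GROUP, "")
    if use and not group:
        findings.append(("error", f"{VIEWONLY_USE} is true but {VIEWONLY_GROUP} is empty"))
    elif use:
        # The scope limitation noted in the thread: view applies registry-wide.
        findings.append(("warn", f"members of {group} can view the whole registry, not one stem"))
    elif group:
        findings.append(("info", f"{VIEWONLY_GROUP} is set but {VIEWONLY_USE} is not true"))
    if SHOW_FOLDERS in p:
        findings.append(("info", f"{SHOW_FOLDERS} = {p[SHOW_FOLDERS]}"))
    return findings

# Constructed sample input mirroring the settings quoted in the thread.
SAMPLE = """\
# view-only wheel group
groups.wheel.viewonly.use                      = true
groups.wheel.viewonly.group                    = etc:administration:globalViewers
security.show.folders.where.user.can.see.subobjects = false
"""

if __name__ == "__main__":
    for level, msg in audit(SAMPLE):
        print(f"{level}: {msg}")
```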


