grouper-users - RE: [grouper-users] stemAdmin vs stem privilege

Subject: Grouper Users - Open Discussion List

List archive

RE: [grouper-users] stemAdmin vs stem privilege

From: "Hyzer, Chris" <>
To: Julio Polo <>, "Black, Carey M." <>
Cc: Grouper-Users <>
Subject: RE: [grouper-users] stemAdmin vs stem privilege
Date: Thu, 14 May 2020 15:42:13 +0000
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=isc.upenn.edu; dmarc=pass action=none header.from=isc.upenn.edu; dkim=pass header.d=isc.upenn.edu; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=S12N1MzXrapTX5gffBteGfz/KHnk/naZMnh+pxUrv/U=; b=V2mCHcaKMKLBt9Ojnvuss8XUY92Y/r9blj8ijrVr6acZR+9haeAClTbEXekGGGuVsIwQ1gidFqmgQ3NOi9vpu3Zu9sEZqEjcaKkjzkoLoJYw3h8dLa06oesC5AQOysbZ1D67Msso2+DULJlMuya1TGmnNcA251vEJFo7hcPUMEG5Ef5T0OlfJY1rQANBK0u4ZUmfLO8uQCK4cU+40p1IDrU8Tu9KdDpSxVh0W+KVbqD/vsjMRlIlHLqit1UVSG1OoQ8+o6QZrggu0kqCLE7YKe5cMvH1KhO1uceoPxQNeZVfQzp++NhsljG7C2lrYUSy3HNR4swmLqn6wB1148v92g==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EklgbSBgv2+lhyAbvk0bno6M/u4bGzNjZ91DOXryzzTFcWoaoM19mPGNd7JFzDxRwOwccU0TJZ2smhN9ZDpjVbvqCJMx01+gujchLhOXeXq7St+EBkXMjQNqgZ6QxXBao7U8tjbzgQv+RAz6hDsPAYp412qlBCCtscx81X8Fvjw1UOqnA7wfiiQOKK/wGaQzmaRevtoBfJepOJ9szGAf/mIGo0YnqTsEEuyfy7oRCCbeM1ORE8DRsf6j9UAsudN8GwBiSq6voCyKjsX+7OOROAK53LaWmXxIsSdcZDP2He3DJ3PzGUvVESdFkI5azljiZ7QLuIoD1fXdK3hBzfCTfw==

Yes please adjust your WS call. We keep the structures the same for backwards compatibility, and we could have conceivably done something here but we missed that part. Thanks!

From: On Behalf Of Julio Polo
Sent: Monday, May 11, 2020 4:45 PM
To: Black, Carey M. <>
Cc: Grouper-Users <>
Subject: Re: [grouper-users] stemAdmin vs stem privilege

So it looks like 'create' has also changed its meaning, even though the privilegeNames string remains as "create". In 2.2, "create" meant that you could create groups only, not folders. With 2.5, "create" means you can create groups, attributes and subfolders.

To summarize the differences:

2.2 UI shows "Create Folder and "Create Group"

2.5 UI shows "Admin" and "Create"

and they probably reflect these WS privileges:

2.2 WS uses "create" (can create groups) and "stem" (can create subfolders)

2.5 WS uses "create" (can create groups, attributes and subfolders) and "stemAdmin" (same as 2.5 WS "create" but can also delete the folder and assign privileges)

Thanks Carey!

-julio

On Fri, May 8, 2020 at 5:10 PM Black, Carey M. <> wrote:

Julio,

Thanks for testing that older WS call. That is a bit disappointing to learn that it works that way. Sorry for the wild goose chase.

I think this is the part of the docs that show what you are asking about.
                The answer looks like “yes” to me. ( “STEM” (old name) à”ADMIN” (new name) )

https://spaces.at.internet2.edu/pages/viewpage.action?pageId=26576345 à Grouper Glossary ( version 13 circa Nov 2011 )



Naming Privileges

These privileges determine what a Subject can do with a Naming Stem. They are:

·         CREATE - can create a group(s) named with a naming stem, and

·         STEM - can assign who has CREATE for the naming stem, and can create naming stems subordinate to this one.

Naming privileges are now referred to as Creation privileges and the two types are Create Group (replaces CREATE) and Create Folder (replaces STEM)

Current version: https://spaces.at.internet2.edu/display/Grouper/Glossary à Grouper Glossary ( version 55 circa Dec 2019 )

Naming Privileges

These privileges determine what a Subject can do with a Naming Stem. They are:

·         CREATE - can create groups, attributes, and subfolders in the stem.

·         ADMIN - can create groups, attributes, and subfolders in the stem. Also can delete the stem or assign any privilege to any entity.

·         STEM_ATTR_READ - can read attributes assigned to the stem. Note that the subject must also have ATTR_READ privilege on the attributeDef.

·         STEM_ATTR_UPDATE - can assign attributes to the stem. Note that the subject must also have ATTR_UPDATE privilege on the attributeDef.

Naming privileges are now referred to as Creation privileges.

And both version say “Naming Stem” = Stem is a UI "folder".

--

Carey Matthew

From: Julio Polo <>
Sent: Friday, May 8, 2020 10:55 PM
To: Black, Carey M. <>
Cc: Grouper-Users <>
Subject: Re: [grouper-users] stemAdmin vs stem privilege

Thanks Carey, but that didn't help. I called it with /grouper-ws/servicesRest/xml/v2_2_002 instead of v2_5_000, and it still acts as if I sent it 'stemAdmin'

I noticed the UI also changed the label for this privilege. When in the Privileges tab for a folder, the 2.2 UI calls that column 'Create folder' while the 2.5 UI calls it 'Admin'

I couldn't find any announcement about the stem naming privilege being deprecated by stemAdmin. If I get official word that this is the case, I'll happily adjust our code for Grouper 2.5

-julio

-julio

On Fri, May 8, 2020 at 4:39 PM Black, Carey M. <> wrote:

Julio,

I have no idea if this will work or make anything better….

However, I am curious if you change the endpoint that you were calling in the WS call?
   Can you use the “old endpoint” and get the expected “old formatted” result?   ( I think that might still work…..)

Meaning.. if you ask the v2.5 API it will give you a v2.5 answer.
                  If you ask the v2.2 API it should give you a v2.2 answer.

Just a thought, and I have no idea if it would work as I expect it too. ( Shrug. YMMV )

Also it may or may not help.. but I try to hold to this page for “definitions in Grouper terms”: https://spaces.at.internet2.edu/display/Grouper/Glossary

--

Carey Matthew

From: <> On Behalf Of Julio Polo
Sent: Friday, May 8, 2020 9:31 PM
To: Grouper-Users <>
Subject: [grouper-users] stemAdmin vs stem privilege

We're testing the WS for Grouper 2.5. Has the 'stem' naming privilege been changed to 'stemAdmin' after Grouper 2.2?

We noticed an unexpected response from the 2.5 WS. We would send 'stem' as the naming privilege to assign, but the WS returns 'stemAdmin' as what was actually set.

Shall we stop using 'stem' and use 'stemAdmin' instead?

Here are the relevant portions of the HTTP request and response:

<WsRestAssignGrouperPrivilegesRequest>
<replaceAllExisting>F</replaceAllExisting>
<allowed>T</allowed>
<wsStemLookup>
<stemName>tmp:foobar</stemName>
</wsStemLookup>
<privilegeType>naming</privilegeType>
<privilegeNames>
<string>stem</string>
<string>create</string>
</privilegeNames>
<wsSubjectLookups>
<WsSubjectLookup>
<subjectId>1234567890</subjectId>
</WsSubjectLookup>
</wsSubjectLookups>
</WsRestAssignGrouperPrivilegesRequest>

Here's a pretty-printed version of the XML we got back:

{
'wsSubject' => {
'success' => 'T',
'resultCode' => 'SUCCESS',
'name' => 'test person',
'id' => '1234567890'
},
'privilegeName' => 'stemAdmin',
'resultMetadata' => {
'success' => 'T',
'resultCode' => 'SUCCESS_ALLOWED'
},
'privilegeType' => 'naming'
},
{
'wsSubject' => {
'success' => 'T',
'resultCode' => 'SUCCESS',
'name' => 'test person',
'id' => '1234567890'
},
'privilegeName' => 'create',
'resultMetadata' => {
'success' => 'T',
'resultCode' => 'SUCCESS_ALLOWED'
},
'privilegeType' => 'naming'
}
];

Thanks.

Julio Polo

University of Hawaii

[grouper-users] stemAdmin vs stem privilege, Julio Polo, 05/09/2020
- RE: [grouper-users] stemAdmin vs stem privilege, Black, Carey M., 05/09/2020
  - Re: [grouper-users] stemAdmin vs stem privilege, Julio Polo, 05/09/2020
    - RE: [grouper-users] stemAdmin vs stem privilege, Black, Carey M., 05/09/2020
      - Re: [grouper-users] stemAdmin vs stem privilege, Julio Polo, 05/11/2020
        
        RE: [grouper-users] stemAdmin vs stem privilege, Hyzer, Chris, 05/14/2020

List archive

RE: [grouper-users] stemAdmin vs stem privilege