grouper-users - Re: [grouper-users] Structuring Scoped Roles in Grouper
Subject: Grouper Users - Open Discussion List
List archive
- From: "Hyzer, Chris" <>
- To: "" <>, Jonathan Keller <>
- Subject: Re: [grouper-users] Structuring Scoped Roles in Grouper
- Date: Thu, 14 Jan 2021 22:47:55 +0000
- Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=isc.upenn.edu; dmarc=pass action=none header.from=isc.upenn.edu; dkim=pass header.d=isc.upenn.edu; arc=none
- Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YmfkQbRQw/FnjSvFWxJAclRzAeBGB2YT8x13lj1RMOg=; b=V0VgLqFEKmSoaBU+A4dxTcnTjWey14O3dQmgk4oSasEtLk0ghmYxIOIIcCdw/aiTFERz9IeEice06MKDp0J7X5X+EvsMHI6O61ihwXdVLYp5XsGMRbkw+t9w9ha2ZmaWYGmAjP014urtwN4/O20BWwTuVAsh+0i+x4pXahmSBs/x2n6xDsTbhw7PWl3jNvUqepjdFj9S/jTy5XFxy5skal2X6JSkFTeMLZPYipiFdxSLHiPWJXe3VlW+R5zo+gOcXYro0vjUJ0caUwbWzQs22dBtGOnEatpQ3ITZ0NbNhdTYlfhreuCQZRt1CjKR1hIBy4Xog5n7WOBvlI4Pr3RVHw==
- Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=nK5qN6U9a9KHIvKJ/vglohDf6rKVvV61PU/PnkWYxGfbIOrN0LT87SxL8EwCdu0+xBuAU/w0VTxyOSM9fu+PQZc59EYVtrDXSaKes+U+qO1f+M+eH0PtzTyvswHiVfUz6BmTwUp2lLkY+I9PBlKVLC16B4MVmtDZkOELvTW0mBiz1+Oqt0geTCQa07thUAwRXKC7Tesmle7RSIM+FDtkIirTM8uCDOJGw4Zu5uRMP/voQ1ESwEqvUIsn3U7ba/TR8QH3JKSai4sMELq/zvl2Yc3X8xhnm+8MLyr0gNEmg5+2i6OHMpZOet9mS5ZQDp0wGogegbGUc8G9zWiTemLGRg==
Did you look at "permissions"? Create an attribute definition for each set of departments in a security group. assign who can use it as READ/UPDATE on that permission attribute definition. Make the names. It difficult to explain these things over email,
maybe slack me a doodle poll and we can discuss some options? 🙂
Would be nice to have form element control on attributes, that could help. And security over the values.
Do the people assigning know the code values? i.e. could they type them in? If so, maybe an attribute and instead of picking the attribute name, just type
in the value? Or comma separated values? A rule can validate that the user can access to the value and can veto if not?
There is an up and coming provisioning feature that allows "metadata" on a membership to be provisioned. This could be a drop down and we could integrate security so the list is secure. Maybe this could be used in future?
🙂
From: <> on behalf of Jonathan Keller <>
Sent: Thursday, January 14, 2021 4:54 PM
To: <>
Subject: [grouper-users] Structuring Scoped Roles in Grouper
Sent: Thursday, January 14, 2021 4:54 PM
To: <>
Subject: [grouper-users] Structuring Scoped Roles in Grouper
TL;DR : looking for _A_ "right" way within Grouper to create policy groups with qualifiers (limits?) E.g., a manually maintained scoped role which would be used to limit a user's access
to a set of departments for an external system.
In our existing system (Kuali Rice), we have the ability to assign qualifiers to role memberships. We can then query that role using context data to see if someone has the role for a given department code. I had been assuming that attributes could serve the same function. (A custom process would be pulling this data via the API - so I'm fine with having to run a few calls to extract the data.)
But, the method for getting into the attributes and assigning them makes it feel like that is not really what they were designed for. And, the visibility and maintainability of this through the UI is not great. In the use case I am testing, we have people who are responsible for many different department codes (and some who only have one)
I toyed with the idea of just using department groups for these people, and adding them to those per-department groups. But, I really didn't want to create yet-another-set of 600+ home department groups, just for one application. Plus, for those who have responsibility for 50+ other departments, it seems that maintenance might be even more of a headache.
I've been banging around with the attribute definitions, and linking them, and getting them assigned to memberships such that I do have a setup like the following. And, I am able (sort of) to pull it via the WS API. But it just doesn't feel right, and that I might be creating a setup which would either be hard to maintain or might disallow the use of certain other Grouper feature to help maintain this group.
I'd appreciate any guidance this group might have on this. We are just getting started with grouper on our campus, so are feeling out its capabilities and trying to map them against what we have as our group management system today.
In our existing system (Kuali Rice), we have the ability to assign qualifiers to role memberships. We can then query that role using context data to see if someone has the role for a given department code. I had been assuming that attributes could serve the same function. (A custom process would be pulling this data via the API - so I'm fine with having to run a few calls to extract the data.)
But, the method for getting into the attributes and assigning them makes it feel like that is not really what they were designed for. And, the visibility and maintainability of this through the UI is not great. In the use case I am testing, we have people who are responsible for many different department codes (and some who only have one)
I toyed with the idea of just using department groups for these people, and adding them to those per-department groups. But, I really didn't want to create yet-another-set of 600+ home department groups, just for one application. Plus, for those who have responsibility for 50+ other departments, it seems that maintenance might be even more of a headache.
I've been banging around with the attribute definitions, and linking them, and getting them assigned to memberships such that I do have a setup like the following. And, I am able (sort of) to pull it via the WS API. But it just doesn't feel right, and that I might be creating a setup which would either be hard to maintain or might disallow the use of certain other Grouper feature to help maintain this group.
I'd appreciate any guidance this group might have on this. We are just getting started with grouper on our campus, so are feeling out its capabilities and trying to map them against what we have as our group management system today.
Thanks in advance for any help.
--
Jonathan Keller
Application Architect - Administrative IT
- [grouper-users] Structuring Scoped Roles in Grouper, Jonathan Keller, 01/14/2021
- Re: [grouper-users] Structuring Scoped Roles in Grouper, Hyzer, Chris, 01/14/2021
- Re: [grouper-users] Structuring Scoped Roles in Grouper, Jonathan Keller, 01/15/2021
- <Possible follow-up(s)>
- Re: [grouper-users] Structuring Scoped Roles in Grouper, Black, Carey M., 01/15/2021
- Re: [grouper-users] Structuring Scoped Roles in Grouper, Jonathan Keller, 01/15/2021
- Re: [grouper-users] Structuring Scoped Roles in Grouper, Hyzer, Chris, 01/14/2021
Archive powered by MHonArc 2.6.24.