Grouper 2.0 adds allow/deny to permissions.  This means that permission assignments have a true/false flag which indicates if the assignment is an allow or deny. 

is another way to solve the permissions allow/deny problem.  Instead of Deny being a Deny, it is a DisAllow, where you filter the allows.  The difference from the first pass is that an equal inherited allow and deny will result in an allow, and the depth of the inheritance is a factor.

Right now Grouper has permissions for external applications.

...

There are inheritance directed graphs of the resources (MATH101), actions (READ), and roles (payrollUser).  And for Penn to use this it needs to be able to DENY as well as ALLOW a permission.  Currently Grouper can only allow.  So if we add DENY, then a payroll ADMIN could get ALLOW on the entire university, and DENY exec_pay, and DENY their own org.

One issue is determining, from the directed graph assignments, whether the overall result of a permission query is an allow or a deny.
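An added example, not Grouper's own code, of how such a query could be resolved over the resource graph alone. It assumes the nearest assignment (smallest inheritance depth) wins, applies the rule stated earlier that an allow and a deny inherited at equal depth result in an allow, and treats a resource with no applicable assignment as not allowed; the graph, the function names and every resource name other than exec_pay are constructed.

```python
from collections import deque

# Constructed resource graph: child -> parents. An assignment on a parent
# is inherited by every descendant.
PARENTS = {
    "university": [],
    "exec_pay": ["university"],
    "finance_org": ["university"],
    "math_dept": ["university"],
    "hr_org": ["university"],
    "finance_org:payroll": ["finance_org"],
    "payroll_math_report": ["finance_org", "math_dept"],
}

# Constructed assignments for one subject and one action:
# resource -> True (allow) or False (deny).
ASSIGNMENTS = {
    "university": True,    # ALLOW on the entire university
    "exec_pay": False,     # DENY exec_pay
    "finance_org": False,  # DENY the admin's own org
    "math_dept": True,     # explicit ALLOW, used for the tie case
}


def depths_to_ancestors(resource, parents):
    """Shortest inheritance depth from resource to itself and each ancestor."""
    depth = {resource: 0}
    queue = deque([resource])
    while queue:
        node = queue.popleft()
        for parent in parents.get(node, []):
            if parent not in depth:  # first visit in BFS is the shortest path
                depth[parent] = depth[node] + 1
                queue.append(parent)
    return depth


def is_allowed(resource, assignments, parents):
    """Nearest assignment wins (assumption); an equal-depth tie is an allow."""
    depth = depths_to_ancestors(resource, parents)
    applicable = [(depth[r], allow) for r, allow in assignments.items() if r in depth]
    if not applicable:
        return False  # assumption: nothing assigned means not permitted
    nearest = min(d for d, _ in applicable)
    return any(allow for d, allow in applicable if d == nearest)
```

Here `payroll_math_report` inherits a deny from `finance_org` and an allow from `math_dept` at the same depth, so the query resolves to allow, while `finance_org:payroll` is denied because the deny is closer than the university-wide allow.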

...