...

There are 7 screens to control and view inherited privileges.


Patch improvements

In Grouper versions newer than these patches:

grouper_v2_3_0_api_patch_90
grouper_v2_3_0_ui_patch_38

These Jiras are implemented:

GRP-1663: inherited privileges should revoke those privileges to subobjects
GRP-1664: do not add admin privileges to root or wheel when creating objects
GRP-1665: do not add admin privileges to inherited admins
GRP-1667: a folder inherited privilege should apply to the assigned folder

Screen: View or assign inherited privileges in a folder

On a folder screen, if you are an ADMIN (and you can manage inherited privileges, see below), you can click "More -> Privileges inherited to objects in folder"

 


Click "Add members" to add a new inherited privilege

 


 


Select a member and the type to "Assign to" (which could be multiple types at once)

 


 


You can delete direct inherited privileges (which are assigned to this folder). To delete indirect inherited entries, click on that folder and delete from there.

 


Screen: View inherited privileges that affect a group

If you are an ADMIN of a group and can view inherited privileges, pull a group up on the UI and click "More -> This group's privileges inherited from folders"

 


 


Screen: View inherited privileges that affect a folder

If you are an ADMIN of a folder and can view inherited privileges, pull a folder up on the UI and click "More -> This folder's privileges inherited from ancestor folders"

 

 



 


Screen: View inherited privileges that affect an attribute definition

If you are an ADMIN of an attribute definition and can view inherited privileges, pull an attribute definition up on the UI and click "More -> This attribute's privileges inherited from ancestor folders"

 


Screen: View inherited privileges that affect a subject

If you can view inherited privileges, pull an entity up on the UI and click "More -> This subject's privileges inherited from folders"

 


 


 


Screen: View inherited privileges assigned to members of a group

...

If you can view inherited privileges, pull a group you can VIEW up on the UI and click "More -> This subject's privileges inherited from folders"

 


 


 


Screen: View all inherited privileges in registry

...

Click on Miscellaneous (if you can see inherited privileges you will see this link)


 


Click "Inherited privileges"

 


 


Privileges required to manage inherited privileges

...

Code Block
# require admin (GrouperSysAdmin or wheel group) to update inherited privileges
uiV2.privilegeInheritanceUpdateRequireAdmin = false


# require admin (GrouperSysAdmin or wheel group) to read inherited privileges
uiV2.privilegeInheritanceReadRequireAdmin = false


# require membership in this group to update inherited privileges
uiV2.privilegeInheritanceUpdateRequireGroup = 


# require membership in this group to read inherited privileges
uiV2.privilegeInheritanceReadRequireGroup = 
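
An added example (not from the Grouper project): a Python check that reads grouper-ui.properties text and reports, for the four settings above, whether reading and updating inherited privileges is restricted to admins or to a group. It assumes a missing key behaves like the values shown above (false / blank); the sample file content is constructed.

```python
# Added example: report how grouper-ui.properties gates inherited-privilege screens.
# Assumption: a missing key behaves like the values shown on this page (false / blank).
GATES = {
    "update": ("uiV2.privilegeInheritanceUpdateRequireAdmin",
               "uiV2.privilegeInheritanceUpdateRequireGroup"),
    "read": ("uiV2.privilegeInheritanceReadRequireAdmin",
             "uiV2.privilegeInheritanceReadRequireGroup"),
}

def parse_properties(text):
    """Parse 'key = value' lines; skips blanks and #/! comments; last value wins.
    Line continuations and ':' separators are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_gates(text):
    """Return {action: {require_admin, require_group, gated}} for read and update."""
    props = parse_properties(text)
    report = {}
    for action, (admin_key, group_key) in GATES.items():
        require_admin = props.get(admin_key, "false").lower() == "true"
        require_group = props.get(group_key, "")
        report[action] = {
            "require_admin": require_admin,
            "require_group": require_group,
            # gated = at least one of the two restrictions is configured
            "gated": require_admin or bool(require_group),
        }
    return report

# Constructed sample: update is restricted to admins, read is left at the values above.
SAMPLE = """
# constructed sample, not a real deployment
uiV2.privilegeInheritanceUpdateRequireAdmin = true
uiV2.privilegeInheritanceReadRequireAdmin = false
uiV2.privilegeInheritanceUpdateRequireGroup =
uiV2.privilegeInheritanceReadRequireGroup =
"""

if __name__ == "__main__":
    for action, state in audit_gates(SAMPLE).items():
        flag = "restricted" if state["gated"] else "NOT restricted by these settings"
        print(f"{action}: {flag} {state}")
```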

 


Note: you don't need to be able to read attributes on the assigned folder (parent or ancestor) to see the privilege inheritance. You also do not need privileges on rule attributes. If you want to require rule attribute privileges, set this in grouper-ui.properties.

...

Code Block
# if show miscellaneous link
uiV2.showMiscellaneousLink = true

# if show global inherited privileges link
uiV2.showGlobalInheritedPrivilegesLink = true

...

