GRP-3784 (Grouper): add readSelf group privilege

Details

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Minor
    • Fix version: 2.6.14

    Description

      Add a property in Grouper for global self read of memberships. If true, users can see their own memberships in groups on which they have the VIEW privilege.

      This should apply to the WS calls getGroups and getMemberships (when a single subject is specified), and also to viewing my groups in the UI.

      The new property is grouper.membership.allowSelfRead
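      The privilege semantics the description relies on, as an added illustration that is not Grouper's own code: a small Python model of who may read a membership under VIEW, READ, OPTIN and OPTOUT (Grouper's privilege names), with the new property as a switch. The group, subject names and the `allow_self_read` parameter (standing in for grouper.membership.allowSelfRead) are constructed for this example.

```python
"""Model of the membership-read rules described in GRP-3784.

Added illustration, not Grouper's own code. VIEW, READ, OPTIN and OPTOUT
are Grouper's group privilege names; the decision logic and the
allow_self_read switch (standing in for grouper.membership.allowSelfRead)
are an assumption based on the issue text.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    # privilege name -> set of subject ids holding that privilege
    privs: dict = field(default_factory=dict)

    def has(self, subject: str, priv: str) -> bool:
        return subject in self.privs.get(priv, set())


def can_read_membership(group: Group, caller: str, member: str,
                        allow_self_read: bool) -> bool:
    """Can `caller` learn whether `member` belongs to `group`?"""
    if group.has(caller, "READ"):            # READ: every membership
        return True
    if caller != member:                     # without READ: only yourself
        return False
    if group.has(caller, "OPTIN") or group.has(caller, "OPTOUT"):
        return True                          # opt privileges already imply self read
    # New behaviour: VIEW alone suffices once the global property is on
    return allow_self_read and group.has(caller, "VIEW")


def visible_members(group: Group, caller: str, allow_self_read: bool) -> list:
    """Member list a getMemberships call could return to `caller`."""
    return sorted(m for m in group.members
                  if can_read_membership(group, caller, m, allow_self_read))


def visible_memberships(groups: list, caller: str, allow_self_read: bool) -> list:
    """Groups that would appear under 'My memberships' for `caller`."""
    return sorted(g.name for g in groups
                  if caller in g.members
                  and can_read_membership(g, caller, caller, allow_self_read))


# Constructed sample data: a reference group with VIEW only, and an opt-in group
REF = Group("app:allStudents", {"alice", "bob"},
            {"VIEW": {"alice", "bob", "carol"}, "READ": {"admin"}})
CHESS = Group("club:chess", {"alice"}, {"OPTIN": {"alice"}})
```

With the property off, alice sees no memberships in the reference group at all; with it on, she sees exactly her own and still none of bob's.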

       

       

      Old description:

       

      Drew Aschenbrener  19 hours ago
      Was talking with Bill about how the Grouper privileges work, with being able to see your own membership.
      View - Allows you to see the group, but not see any memberships, even your own. (The group doesn't show up under the 'My memberships' tab).
      Opt-In/Opt-Out - Allows you to see the group, your own membership, but not others. (The group does show up under the 'My memberships' tab).
      In a use case where you don't want the group memberships to be optional, but want member's to be able to see only their own membership, there doesn't seem to be a configuration that allows this.
      I was curious if there is/was a use case for having 'View' not be able to see your own membership?

      Justin Robinson  19 hours ago
      Meaning is there a reason one might want a group in which a member cannot see they are a member of it

      Drew Aschenbrener  19 hours ago
      No. That's already easily done by not granting members any privileges at all on the group.
      Why would you grant members the ability to see the group, but not know whether they are a member of it?

      Justin Robinson  19 hours ago
      Use it to craft a reference group for a service but not have rights to see the underlying members?

      Michael Gettes  19 hours ago
      It would seem you want a “Read-Self” capability, yes?  that makes sense - and yes @Justin Robinson that would be a perfect use case.

      Drew Aschenbrener  19 hours ago
      @gettes essentially yes. Regarding the use case, I agree it's a valid use case, but I'm not convinced that expanding view to inherently have 'read-self' (the same as opt-in and opt-out), would be problematic. You are building a reference group with a group that you can't see the memberships of, but you can tell whether you yourself are in it. Is that a security concern?

      Michael Gettes  19 hours ago
      I don't believe it is a security concern - it's a privacy concern.  Depending on how the app works that would ultimately consume the group and access to the group via the app - being able to have someone see if they are in a group and NOT the other members of the group is a useful feature to secure the privacy of all the other members.

      Michael Gettes  19 hours ago
      if one could define which users were able to see all members of a group (maybe by another group membership) then deploying Grouper with such default access would simplify the visibility/privacy concerns deploying to the institution - might allow to provide MORE info from the subject source and still preserve privacy so only those who need to say may see the additional info.

      Gail Lift  19 hours ago
      We are still in the early stage of setting up grouper permissions, but I suspect we will be interested in this. We also need to worry about the case where you can't see the members of a ref group (e.g., all students), but adding the group as an include to your group means you can see the members by looking at the members of your group.

      Chris Hyzer  14 hours ago
      So you want readSelf to be a new priv (so some people can read self on a group and some people can't?)  Or you want to be able to identify which groups allow anyone with view to readSelf?  (e.g. add an attribute to it?)
      @Gail Lift if you can't read a group then you can't add it to another group.  If someone else adds the group to your group then yes, you can figure out who the members are if you remove all other members and then see who is in the enclosing group.  I can't really picture how else it could work...

      Carey Black  4 hours ago
      Would a GSH Template be a "way around this"?
        Could be limited by attributes/flags on the groups to show in the output.
        Could be limited to only those allowed to run the GSH Template.
      Or maybe a report of some kind?
        Could be limited by attributes/flags on the groups to show in the report.
        Could be limited to only those allowed to run the report. ( However getting the report to run for just the user who executed it would likely be a current challenge. )
      Would that meet the use case?
      Grant a member the ability to see themselves in the group ( paraphrased) without direct access to the group.

      Carey Black  4 hours ago
      Or maybe one of the 'Custom UI' tricks?

      Drew Aschenbrener  4 hours ago
      @mchyzer I was thinking one of two things:
      Modify the 'View' privilege to allow one to see their own membership (exactly the same as opt-in, opt-out).
      Create a new group privilege called 'read-self'. When applied to a group, any member of that group can see their own membership, but not others.

      Drew Aschenbrener  4 hours ago
      Based on Gettes' earlier response about privacy concerns, I think the latter option is a safer approach.

People

    shilen.patel@at.internet2.edu Shilen Patel (duke.edu)
    chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)