Description
In Brown's Grouper 1.2.0 instance, we have modified the default group privileges granted to GrouperAll, thinking that by default, we do not want users to see that a group exists unless explicitly granted View privilege. These are the pertinent settings from our grouper.properties file:
```
# If set to true, the ALL subject will be granted that privilege on
# each new group that is created.
groups.create.grant.all.admin = false
groups.create.grant.all.optin = false
groups.create.grant.all.optout = false
# was true
groups.create.grant.all.read = false
groups.create.grant.all.update = false
# was true
groups.create.grant.all.view = false
```
So as I understand it, this should prevent anyone from having any privileges on any group unless they have privileges explicitly set upon group creation, either in the MACE Grouper UI or through our provisioning program.
But our typical MACE Grouper user's subject summary page looks like this:
```
is a member of : []
is a member of : []
is a member of : []
is a member of : []
is a member of : []
is a member of : [COURSE:TEST:0001:2007-Fall:S01: Learner Students ]
```
The nameless lines are various demographic groups, including EAB:EMPLOYEE:ONCAMPUS. We created a command line script to evaluate the explicit privileges set on a group. This script shows that only members of the ADMIN:COMMUNITY group have View privilege on EAB:EMPLOYEE:ONCAMPUS. The ADMIN:COMMUNITY group is empty and was created only to support the ACL. This setup is why I can't view the name of the group, but I would expect Grouper not to fetch the group if I don't have View privilege on it.
Conversely, the second example below shows the group info for the test course group listed on my Subject Summary page. Presumably, I can only see this name because I have the View privilege inherited from the Admin privilege I have as a member of ADMIN:COURSE.
Conclusion: Grouper's UI is heeding the View privilege correctly, but the fetch logic is fetching groups for which I do not have View privilege. I would expect Grouper to only fetch groups that I can view.
```
Group: EAB:EMPLOYEE:ONCAMPUS
Person members: (10720)
<snip>
No group members
Group types: (2)
  base
  provisioned
ACLs:
  admin:
    GrouperSystem
  view:
    ADMIN:COMMUNITY
Creation and modification:
  createSource = ""
  createSubjectName = "GrouperSystem"
  createTime = "Wed Aug 22 17:14:05 EDT 2007"
  modifySource = ""
  modifySubjectName = "GrouperSystem"
  modifyTime = "Tue Sep 11 03:34:31 EDT 2007"
Attributes:
  description = "Base group for EMPLOYEE.ONCAMPUS"
  displayExtension = "ONCAMPUS"
  displayName = "EAB:EMPLOYEE:ONCAMPUS"
  extension = "ONCAMPUS"
  name = "EAB:EMPLOYEE:ONCAMPUS"
  provisionLastUpdate = "20070911032245"
  provisionSource = "EAB.EMPLOYEE.ONCAMPUS"
```
```
Group: COURSE:TEST:0001:2007-Fall:S01:Student
Person members: (3)
<snip>
No group members
Group types: (1)
  base
ACLs:
  admin:
    ADMIN:COURSE
    GrouperSystem
  read:
    COURSE:TEST:0001:2007-Fall:S01:Administrator
    SERVICE:BULK_MAIL
    SERVICE:WEBAUTH
  update:
    COURSE:TEST:0001:2007-Fall:S01:Administrator
Creation and modification:
  createSource = ""
  createSubjectName = "GrouperSystem"
  createTime = "Thu Sep 06 11:12:43 EDT 2007"
  modifySource = ""
  modifySubjectName = "GrouperSystem"
  modifyTime = "Thu Sep 06 11:14:15 EDT 2007"
Attributes:
  description = "Students for TEST0001 S01 2007-Fall"
  displayExtension = " Learner Students "
  displayName = "COURSE:TEST:0001:2007-Fall:S01: Learner Students "
  extension = "Student"
  name = "COURSE:TEST:0001:2007-Fall:S01:Student"
```
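One way to reproduce the discrepancy described in the report from the API side is to fetch a subject's memberships as root and then ask, per group, whether that subject actually holds VIEW; every group in the "NO VIEW" column is one the subject summary page would render as a nameless line. This is an added example, not the reporter's script or Grouper's own code, and it assumes the Grouper 1.2 API classes GrouperSession, SubjectFinder, MemberFinder, Member and Group with the methods used below; the subject id passed on the command line is a hypothetical input.

```java
import edu.internet2.middleware.grouper.Group;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Member;
import edu.internet2.middleware.grouper.MemberFinder;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.subject.Subject;
import java.util.Iterator;
import java.util.Set;

/**
 * Lists the groups a subject is a member of and, for each one, whether the
 * subject holds the VIEW privilege on it.  Memberships are fetched under the
 * root session, so this shows what the unfiltered fetch returns; hasView()
 * then applies the privilege check the report expects the fetch to honour.
 */
public class ViewPrivilegeCheck {

  public static void main(String[] args) throws Exception {
    String subjectId = args[0];  // hypothetical input, e.g. a campus login id
    // Root session: memberships are read without any VIEW filtering.
    GrouperSession session = GrouperSession.start(SubjectFinder.findRootSubject());
    try {
      Subject subject = SubjectFinder.findById(subjectId);
      Member member = MemberFinder.findBySubject(session, subject);
      Set groups = member.getGroups();
      int hidden = 0;
      for (Iterator it = groups.iterator(); it.hasNext();) {
        Group group = (Group) it.next();
        // hasView() covers explicit VIEW and VIEW implied by READ/UPDATE/ADMIN
        // (the report's ADMIN:COURSE case), so only truly hidden groups fail it.
        if (group.hasView(subject)) {
          System.out.println("VIEW     " + group.getName());
        } else {
          System.out.println("NO VIEW  " + group.getName());
          hidden++;
        }
      }
      // A non-zero count here is the condition the report describes: groups were
      // fetched for a subject that has no VIEW privilege on them.
      System.out.println(hidden + " of " + groups.size()
          + " fetched memberships are not viewable by " + subjectId);
    } finally {
      session.stop();
    }
  }
}
```

Run it against a subject that belongs to a demographic group such as EAB:EMPLOYEE:ONCAMPUS; with the grouper.properties above, that group should land in the "NO VIEW" column while the course group (VIEW implied by ADMIN via ADMIN:COURSE) lands in "VIEW".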