Description
If I grant create to a folder, a user can create a group and set up attestation with no issues. The user has all the write privileges it needs.
If there is attestation on the folder, a non-root user creating a group needs:
- READ and UPDATE on etc:attribute:attestation:attestationDef and etc:attribute:attestation:attestationValueDef
- STEM_ATTR_READ on the folder
Sample errors:
ERROR edu.internet2.middleware.grouper.exception.AttributeDefNameNotFoundException: Cannot find (or not allowed to find) attribute def name with name: 'etc:attribute:attestation:attestationStemScope',
ERROR edu.internet2.middleware.grouper.exception.AttributeDefNameNotFoundException: Cannot find (or not allowed to find) attribute def name with id: '570cd32fdfc04f5d86aed77972fc2723',
ERROR edu.internet2.middleware.grouper.exception.InsufficientPrivilegeException: Subject Subject id: 730104343, sourceId: pid cannot stemAdmin/stemAttrRead in stem app:its:attested:test1Folder,
Granting global read/update on the attribute definitions seems excessive. Plus it requires extra permission setup that isn't documented.
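As an added illustration (not part of this report or of Grouper's own documentation), the GSH commands a Grouper root user would run to grant exactly the privileges listed above, using the subject, source and folder names taken from the error messages; the attribute-def grants are still definition-wide, which is the excess the report objects to.

```java
// Run inside gsh as GrouperSystem. Names below come from the errors in this report;
// the Grouper API calls are assumed from the public Grouper Java API.
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.Stem;
import edu.internet2.middleware.grouper.StemFinder;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.attr.AttributeDef;
import edu.internet2.middleware.grouper.attr.finder.AttributeDefFinder;
import edu.internet2.middleware.grouper.privs.AttributeDefPrivilege;
import edu.internet2.middleware.grouper.privs.NamingPrivilege;
import edu.internet2.middleware.subject.Subject;

GrouperSession gs = GrouperSession.startRootSession();
try {
  // The non-root user from the InsufficientPrivilegeException (id 730104343, source pid)
  Subject user = SubjectFinder.findByIdAndSource("730104343", "pid", true);
  Stem folder = StemFinder.findByName(gs, "app:its:attested:test1Folder", true);

  // 1. STEM_ATTR_READ on the attested folder; cures "cannot stemAdmin/stemAttrRead"
  folder.grantPriv(user, NamingPrivilege.STEM_ATTR_READ, false);

  // 2. READ and UPDATE on both attestation attribute definitions; cures the
  //    "Cannot find (or not allowed to find) attribute def name" errors
  String[] defNames = {
    "etc:attribute:attestation:attestationDef",
    "etc:attribute:attestation:attestationValueDef"
  };
  for (String defName : defNames) {
    AttributeDef def = AttributeDefFinder.findByName(defName, true);
    def.getPrivilegeDelegate().grantPriv(user, AttributeDefPrivilege.ATTR_READ, false);
    def.getPrivilegeDelegate().grantPriv(user, AttributeDefPrivilege.ATTR_UPDATE, false);
  }

  // Verify the effective privileges before handing the folder back to the user
  System.out.println("stemAttrRead on folder: " + folder.hasStemAttrRead(user));
  for (String defName : defNames) {
    AttributeDef def = AttributeDefFinder.findByName(defName, true);
    System.out.println(defName + " read=" + def.getPrivilegeDelegate().hasAttrRead(user)
        + " update=" + def.getPrivilegeDelegate().hasAttrUpdate(user));
  }
} finally {
  GrouperSession.stopQuietly(gs);
}
```

The folder-level grant is scoped to that one stem, but ATTR_READ/ATTR_UPDATE on the attribute definitions apply to every folder that uses them, so review who holds those privileges periodically.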