Grouper / GRP-1946

Attestation on a folder requires READ/UPDATE on attestationDef and attestationValueDef

Details

    • Improvement
    • Resolution: Unresolved
    • Minor
    • None
    • 2.4.0
    • API, UI
    • None

    Description

      If I grant create to a folder, a user can create a group and set up attestation with no issues. The user has all the write privileges it needs.

      If there is attestation on the folder, a non-root user creating a group needs:

      • READ and UPDATE on etc:attribute:attestation:attestationDef and etc:attribute:attestation:attestationValueDef
      • STEM_ATTR_READ on the folder

      Sample errors:

      ERROR edu.internet2.middleware.grouper.exception.AttributeDefNameNotFoundException:
      Cannot find (or not allowed to find) attribute def name with name: 'etc:attribute:attestation:attestationStemScope',
      

      ERROR edu.internet2.middleware.grouper.exception.AttributeDefNameNotFoundException:
      Cannot find (or not allowed to find) attribute def name with id: '570cd32fdfc04f5d86aed77972fc2723',
      

      ERROR edu.internet2.middleware.grouper.exception.InsufficientPrivilegeException:
      Subject Subject id: 730104343, sourceId: pid cannot stemAdmin/stemAttrRead in stem app:its:attested:test1Folder,
      

      Granting global read/update on the attribute definitions seems excessive. Plus it requires extra permission setup that isn't documented.

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)
            chad.redman@at.internet2.edu Chad Redman (unc.edu)