Description
From: On Behalf Of Tim Darby
Sent: Wednesday, July 24, 2013 7:24 PM
To: grouper-users
Subject: [grouper-users] Question on get grouper privileges lite
I've just started using the REST interface and I'm confused about permissions. For example, with the get grouper privileges lite interface, if I'm authenticated as an unprivileged user (and not using actAs) and I specify the groupName only in the request, I get back no results. It seems that my user has to have "admin" on that group to get anything back. However, if I do the same query but also specify a subjectId that is an admin of that group, then I get back all the privileges of that subject on the group. Is that the way it's supposed to work?
Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture
UITS, Rm 335,
From: On Behalf Of Tim Darby
Sent: Thursday, July 25, 2013 12:24 PM
To: Chris Hyzer
Subject: Re: [grouper-users] Question on get grouper privileges lite
Here's the query:
I removed all privileges for GrouperAll on this group and authenticated to grouper-ws with a user who only has "view" privileges on the group. When I run the query I get:
<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <success>T</success>
  </resultMetadata>
  <responseMetadata>
    <resultWarnings/>
    <millis>42</millis>
    <serverVersion>2.1.4</serverVersion>
  </responseMetadata>
</WsGetGrouperPrivilegesLiteResult>
Which makes sense, because I assume that you need admin rights to get the privileges on a group, right?
But then if I do this query:
I get this:
<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata>
    <resultCode>SUCCESS</resultCode>
    <success>T</success>
  </resultMetadata>
  <privilegeResults>
    <WsGrouperPrivilegeResult>
      <allowed>T</allowed>
      <ownerSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>119xxx</id>
        <name>Brett L Bendickson</name>
        <sourceId>ldap</sourceId>
      </ownerSubject>
      <privilegeName>admin</privilegeName>
      <privilegeType>access</privilegeType>
      <revokable>T</revokable>
      <wsGroup>
        <extension>sa-tech-team</extension>
        <typeOfGroup>group</typeOfGroup>
        <displayExtension>SA-Tech-Team</displayExtension>
        <description>SA Tech Team</description>
        <displayName>University of Arizona:Dept:UITS:Adhoc:Mosaic:SA:SA-Tech-Team</displayName>
        <name>arizona.edu:dept:uits:adhoc:mosaic:sa:sa-tech-team</name>
        <uuid>6c4f46613faa424586aa8feecbf7e9fb</uuid>
      </wsGroup>
      <wsSubject>
        <resultCode>SUCCESS</resultCode>
        <success>T</success>
        <id>119xxx</id>
        <name>Brett L Bendickson</name>
        <sourceId>ldap</sourceId>
      </wsSubject>
    </WsGrouperPrivilegeResult>
  </privilegeResults>
  <responseMetadata>
    <resultWarnings/>
    <millis>277</millis>
    <serverVersion>2.1.4</serverVersion>
  </responseMetadata>
</WsGetGrouperPrivilegesLiteResult>
Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture
On Wed, Jul 24, 2013 at 6:21 PM, Chris Hyzer <mchyzer> wrote:
Can you give example requests/responses that shows the problem? Also let me know what privileges are assigned to GrouperAll if any on the applicable objects.
Thanks
Chris
Yes, that subjectid has admin rights. Let me know if you want me to run any more tests.
Tim Darby
The University of Arizona
Mosaic, Systems Integration and Architecture
On Thu, Jul 25, 2013 at 9:34 AM, Chris Hyzer <mchyzer> wrote:
Thanks for the example, that doesn’t look good. Just curious, does the subjectid you pass in have admin rights on the group? Not that it makes it any better, but just curious…
Thanks,
Chris
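
A regression check for the behavior reported in this thread, as an added example that is not part of the original messages or of Grouper's own code: it parses a WsGetGrouperPrivilegesLiteResult body and reports privilege rows returned to a caller who lacks admin on the group. The two sample responses are constructed by trimming the ones quoted above; the function names and the caller_is_admin flag are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples, trimmed from the two responses quoted in the thread.
RESPONSE_GROUP_ONLY = """<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata><resultCode>SUCCESS</resultCode><success>T</success></resultMetadata>
</WsGetGrouperPrivilegesLiteResult>"""

RESPONSE_WITH_SUBJECT = """<WsGetGrouperPrivilegesLiteResult>
  <resultMetadata><resultCode>SUCCESS</resultCode><success>T</success></resultMetadata>
  <privilegeResults>
    <WsGrouperPrivilegeResult>
      <allowed>T</allowed>
      <privilegeName>admin</privilegeName>
      <privilegeType>access</privilegeType>
      <wsGroup><name>arizona.edu:dept:uits:adhoc:mosaic:sa:sa-tech-team</name></wsGroup>
      <wsSubject><id>119xxx</id><sourceId>ldap</sourceId></wsSubject>
    </WsGrouperPrivilegeResult>
  </privilegeResults>
</WsGetGrouperPrivilegesLiteResult>"""


def privilege_rows(response_xml):
    """Return (group, subject id, privilege name, allowed) for each result row."""
    root = ET.fromstring(response_xml)
    if root.findtext("resultMetadata/success") != "T":
        raise ValueError("request failed: %s" % root.findtext("resultMetadata/resultCode"))
    rows = []
    for r in root.iterfind("privilegeResults/WsGrouperPrivilegeResult"):
        rows.append((r.findtext("wsGroup/name"), r.findtext("wsSubject/id"),
                     r.findtext("privilegeName"), r.findtext("allowed") == "T"))
    return rows


def disclosed_to_non_admin(response_xml, caller_is_admin):
    """Rows the caller should not have seen.

    Assumption (the same one made in the thread): reading a group's privileges
    requires admin on that group. caller_is_admin comes from the test setup,
    not from the response.
    """
    return [] if caller_is_admin else privilege_rows(response_xml)


def filter_changes_visibility(unfiltered_xml, filtered_xml):
    """True when adding a subject filter returned rows the unfiltered query hid."""
    return bool(set(privilege_rows(filtered_xml)) - set(privilege_rows(unfiltered_xml)))
```

Run against responses captured for the same authenticated caller, a non-empty result from disclosed_to_non_admin or a True from filter_changes_visibility reproduces the inconsistency described above.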