Groups API Questions - Security

Questions

  1. Act as another user?
  2. Do privileges on groups factor in?  Can you assign a privilege on a group to someone (e.g. someone can edit the memberships of the group)?

COmanage responses

  1. Not currently required.
  2. Yes. A "group admin" privilege is required (editing memberships, and probably also selecting if the group is open or closed).

Grouper responses

  1. Act as another user?  Grouper supports this, and I think it is useful for applications proxying as people using the application, though maybe not necessary for release 1
  2. Do privileges on groups factor in?  Can you assign a privilege on a group to someone (e.g. someone can edit the memberships of the group)?  Grouper supports this, and I think it is useful, though maybe not for release 1.

Kuali responses

  1. Kuali has the concept of super users and things along those lines but they are implemented outside of groups.  Can someone describe more about what "Act as another user" means?
  2. I think the answer here is yes, but at least in KIM we use a separate permission service which determines whether an individual has permissions to modify group membership.  It seems the implementation of the group service should make such checks, but I'm not sure we need to make such information available from the group api.  At least not for version 1.  I'm curious if this would manifest on the api as an operation that allows you to query whether or not a particular person has privileges to modify a group?

NAU responses

  1. Yes. It is important that some behind-the-scenes operations be done as the admin user on behalf of the user managing the group, and we have a "super user" concept where, if you belong to that group, your operations are done as the admin user.
  2. Yes. Only group owners can add/mod/delete their group and memberships. "Super users" have those privileges on all groups.

uPortal responses

  1. uPortal does allow administrators to impersonate another user. I'm not sure we need this functionality on the groups API side though, since once a user has entered that impersonation mode the portal will represent him or her as the second user to other APIs.
  2. Yes. uPortal relies on the ability to delegate administration of groups and other portal entities.
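The two questions above, worked as an added example that is not part of the original page and is not code from any of the projects answering it. It models, in Python (chosen so the example runs stand-alone, not because any of these projects use it), one way the two features interact: a delegated "group admin" privilege that lets someone edit memberships without owning the group, and an act-as subject that carries both the authenticated and the effective identity, so that privilege checks are made against the effective user while the audit trail keeps both. The names, the owner/admin split, and the rule that only super users may act as another user are assumptions for illustration.

```python
# Added example (not code from any project on this page): a toy model of
# "privileges on groups" and "act as another user" in one group service.
# The privilege vocabulary, the super-user rule for act-as and all user and
# group names are assumptions made for illustration.
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    owners: set = field(default_factory=set)   # may manage members and delegate
    admins: set = field(default_factory=set)   # delegated privilege: members only
    members: set = field(default_factory=set)


@dataclass(frozen=True)
class Subject:
    """Who is calling. effective == authenticated unless acting as someone."""
    authenticated: str
    effective: str


class GroupService:
    def __init__(self, super_users):
        self.super_users = set(super_users)
        self.groups = {}
        self.audit = []   # (decision, authenticated, effective, op, group, arg)

    def login(self, user):
        return Subject(authenticated=user, effective=user)

    def act_as(self, subject, target):
        # Assumption: only super users may act as another user. The returned
        # subject keeps both identities so the audit trail is not lost.
        if subject.authenticated not in self.super_users:
            raise PermissionError(f"{subject.authenticated} may not act as {target}")
        return Subject(authenticated=subject.authenticated, effective=target)

    def create_group(self, subject, name):
        if name in self.groups:
            raise ValueError(f"group {name} already exists")
        self.groups[name] = Group(name=name, owners={subject.effective})
        self._log("ALLOW", subject, "create_group", name, None)

    # The query Kuali asks about: may this person modify this group's membership?
    def can_manage_members(self, user, group_name):
        g = self.groups[group_name]
        return user in self.super_users or user in g.owners or user in g.admins

    # Delegating the admin privilege is reserved to owners and super users.
    def can_delegate(self, user, group_name):
        g = self.groups[group_name]
        return user in self.super_users or user in g.owners

    def grant_admin(self, subject, group_name, user):
        if not self.can_delegate(subject.effective, group_name):
            self._deny(subject, "grant_admin", group_name, user)
        self.groups[group_name].admins.add(user)
        self._log("ALLOW", subject, "grant_admin", group_name, user)

    def add_member(self, subject, group_name, member):
        # Checked against the *effective* user: a super user acting as an
        # ordinary user gets that user's rights, not the super user's own.
        if not self.can_manage_members(subject.effective, group_name):
            self._deny(subject, "add_member", group_name, member)
        self.groups[group_name].members.add(member)
        self._log("ALLOW", subject, "add_member", group_name, member)

    def _deny(self, subject, op, group_name, arg):
        self._log("DENY", subject, op, group_name, arg)
        raise PermissionError(f"{subject.effective} may not {op} on {group_name}")

    def _log(self, decision, subject, op, group_name, arg):
        self.audit.append((decision, subject.authenticated, subject.effective,
                           op, group_name, arg))


def demo():
    """Constructed scenario exercising both questions; returns the service."""
    svc = GroupService(super_users={"root"})
    alice = svc.login("alice")
    svc.create_group(alice, "staff")            # alice owns "staff"
    svc.grant_admin(alice, "staff", "bob")      # bob may edit members, not delegate
    bob = svc.login("bob")
    svc.add_member(bob, "staff", "carol")       # allowed via delegated privilege
    try:
        svc.grant_admin(bob, "staff", "dave")   # denied: admin, not owner
    except PermissionError:
        pass
    root_as_eve = svc.act_as(svc.login("root"), "eve")
    try:
        svc.add_member(root_as_eve, "staff", "mallory")  # denied: eve has no privilege
    except PermissionError:
        pass
    return svc


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The audit tuples keep the authenticated caller next to the effective user, so a later reviewer can tell that it was root who attempted the final add while acting as eve, and that the denial was correct because eve herself holds no privilege on the group.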

Etc