From: Sander A. <sa....@fz...> - 2020-08-03 06:39:55
Good morning Krzysztof,
I agree that identifiers are needed. But is there a possibility to grab
the displayname of a group, e.g. in output translation profile? In this
case we could release the group membership information like the group
administrators and service providers would expect them.
I'll give you an example. We have a group m-team which is managed by a
group administrator. He created a subgroup feudal-developers and asked
specific service providers to support his group
/m-team/feudal-developers, but the service providers only see
/m-team/NNE09.
Having the possibility to access the displayname, we could create a new
attribute containing the expected information.
Cheers,
Sander
On Sun, 2020-08-02 at 00:05 +0200, Krzysztof Benedyczak wrote:
> Dear Sander,
>
> On 31.07.2020 at 07:49, Sander Apweiler wrote:
> > Dear Krzysztof,
> >
> > We encountered a problem with the names of groups which were
> > created by group administrators in the upman endpoint. The name of
> > the group which is released in the groups attribute differs from
> > the name which the user entered. It seems that unity creates a name
> > randomly and the entered name is only used as display name.
> >
> > I agree that the group administrators should only enter one name
> > and not two like the unity administrators can do. But the
> > information is used for group based access management on service
> > provider level. If the group name differs from the name which was
> > entered by the group administrators, this is not possible.
> >
> > What is the reason for the randomly generated group names? Can this
> > behaviour be changed?
>
> The group "internal" name, or its identifier, is set in stone. On
> the other hand the displayed name can be changed at will.
>
> If admin can define the internal name, then it will have a semantic
> name typically. And this leads to troubles ("err I named it /cookies,
> but should be /chocolate-bars really"). Also group names when used
> externally should not rely on displayed name but on some stable id -
> which is the internal name.
>
> BTW in the full unity this should be the same, and is not only
> because of the legacy of in-file configurations, where software can
> not assign ids on its own.
>
> All in all I would advise to simply use the identifiers externally,
> especially in policies. If this is hard let me know why precisely;
> chances are I'll be able to help as we use this approach in many
> non-upman scenarios too. Or if not, we can think about an improvement
> then.
>
> Best
> Krzysztof
>
>
--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...