Re: [Ganymede Help] Permission Problem
|
| 10q, Jonathan..
|
| I am trying to log in as the demo1:Test ..
sze, the problem is that the 'demo1:Test' persona does not have permission
to edit any owner groups. Your demo1:Test persona is only linked to a single
Role, as shown here:
<object type="Admin_Persona" id="demo1:Test">
<Name>Test</Name>
<Owner_Sets>
<invid type="Owner_Group" id="mPerson3"/>
</Owner_Sets>
<User><invid type="User" id="demo1"/></User>
<Privilege_Sets>
<invid type="Role" id="ABC"/>
^---------------------------------- see?
</Privilege_Sets>
<Admin_Console>true</Admin_Console>
<Full_Console>true</Full_Console>
<Email_Address>test@</Email_Address>
<Label>demo1:Test</Label>
<Owner_list>
<invid type="Owner_Group" id="mPerson3"/>
</Owner_list>
</object>
As you can see, the 'Privilege Sets' field only lists one Role,
ABC.
Here is your definition for the ABC Role. If you look at this, you
will see that the ABC Role is only allowed to view or edit the mPerson
object type.
<object type="Role" id="ABC">
<Name>ABC</Name>
<Owned_Object_Bits>
<permissions>
<mPerson perm="VECD">
<displayname perm="VEC"/>
<Owner_list perm="VEC"/>
<mServer perm="VEC"/>
<mMemberOf perm="VEC"/>
<mPrecedence perm="VEC"/>
<ter perm="EC"/>
<mail perm="VEC"/>
<cn perm="VEC"/>
<Removal_Date perm="VEC"/>
<Expiration_Date perm="VEC"/>
<dn perm="VEC"/>
<Notes perm="VEC"/>
<sn perm="VEC"/>
</mPerson>
</permissions>
</Owned_Object_Bits>
<Default_Bits>
<permissions>
<mPerson perm="VECD">
<displayname perm="VEC"/>
<Owner_list perm="VEC"/>
<mServer perm="VEC"/>
<mMemberOf perm="VEC"/>
<mPrecedence perm="VEC"/>
<ter perm=""/>
<mail perm="VEC"/>
<cn perm="VEC"/>
<Removal_Date perm="VEC"/>
<Expiration_Date perm="VEC"/>
<dn perm="VEC"/>
<Notes perm="VEC"/>
<sn perm="VEC"/>
<mCertDN perm="VEC"/>
</mPerson>
</permissions>
</Default_Bits>
<Persona_entities>
<invid type="Admin_Persona" id="lszeyee"/>
<invid type="Admin_Persona" id="demo1:Test"/>
</Persona_entities>
</object>
An admin persona can *only* do operations allowed by the Roles it is
connected to, and *only* for those objects which they own, or which
the Role allows them to perform for objects which they don't own.
In your database, the "Group Admin" Role allows more permissions. In
particular, notice that the "Group Admin" Role allows viewing and
editing of any Owner Groups that the admin persona is a member of.
<object type="Role" id="Group Admin">
<Name>Group Admin</Name>
<Owned_Object_Bits>
<permissions>
<Owner_Group perm="VE">
<Name perm="VEC"/>
<Members perm="VEC"/>
<Mail_List perm="VEC"/>
<Objects_owned perm="VEC"/>
<Cc_All_Admins perm="VEC"/>
</Owner_Group>
^---------------------------------- see?
<Group perm="VECD">
<Home_Users perm="VEC"/>
<GID perm="VC"/>
<Password perm="VEC"/>
<Users perm="VEC"/>
<Group_Name perm="VEC"/>
</Group>
<User perm="VECD">
<UID perm="VC"/>
<Login_Shell perm="VEC"/>
<Username perm="VEC"/>
<Home_Group perm="VEC"/>
<Groups perm="VEC"/>
<Admin_Personae perm="VEC"/>
<Location perm="VEC"/>
<Password perm="VEC"/>
<Full_Name perm="VEC"/>
<Office_Phone perm="VEC"/>
<Home_Phone perm="VEC"/>
<Home_Directory perm="VEC"/>
</User>
</permissions>
</Owned_Object_Bits>
<Default_Bits>
<permissions>
<Group perm="V">
</Group>
<User perm="V">
</User>
</permissions>
</Default_Bits>
</object>
If you log in as supergash, edit your demo1:Test admin persona, and
add the "Group Admin" Role, the demo1:Test admin persona will be
allowed to add or remove objects from the mPerson3 Owner Group.
| thanks a lot once again
|
| sze yee
-------------------------------------------------------------------------------
Jonathan Abbey jonabbey@arlut.utexas.edu
Applied Research Laboratories The University of Texas at Austin
Ganymede, a GPL'ed metadirectory for UNIX http://www.arlut.utexas.edu/gash2
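The permission logic described in the reply above (an admin persona's rights are the union of its Roles' bits, with Owned_Object_Bits applying to objects in an Owner Group the persona belongs to and Default_Bits to everything else), as an added example written for this page rather than Ganymede's own code. It assumes a simplified model of the Role evaluation and uses constructed, abridged copies of the ABC and Group Admin Role objects shown in the message.

```python
import xml.etree.ElementTree as ET

# Constructed, abridged copies of the ABC and Group Admin Roles from the message;
# field-level sub-elements are omitted because only object-level bits matter here.
ROLES_XML = """<roles>
<object type="Role" id="ABC">
 <Owned_Object_Bits><permissions><mPerson perm="VECD"/></permissions></Owned_Object_Bits>
 <Default_Bits><permissions><mPerson perm="VECD"/></permissions></Default_Bits>
</object>
<object type="Role" id="Group Admin">
 <Owned_Object_Bits><permissions>
  <Owner_Group perm="VE"/><Group perm="VECD"/><User perm="VECD"/>
 </permissions></Owned_Object_Bits>
 <Default_Bits><permissions><Group perm="V"/><User perm="V"/></permissions></Default_Bits>
</object>
</roles>"""

def load_roles(xml_text):
    """Return {role_id: {"owned": {obj_type: set(bits)}, "default": {...}}}."""
    roles = {}
    for obj in ET.fromstring(xml_text).findall("object"):
        entry = {}
        for key, tag in (("owned", "Owned_Object_Bits"), ("default", "Default_Bits")):
            bits = obj.find(f"{tag}/permissions")
            entry[key] = {e.tag: set(e.get("perm", "")) for e in bits} if bits is not None else {}
        roles[obj.get("id")] = entry
    return roles

ROLES = load_roles(ROLES_XML)

def effective_perms(roles, persona_roles, obj_type, owned):
    """Assumed model: union of V/E/C/D bits over every Role linked to the persona."""
    key = "owned" if owned else "default"
    perms = set()
    for rid in persona_roles:
        perms |= roles[rid][key].get(obj_type, set())
    return "".join(c for c in "VECD" if c in perms)

def can_edit(roles, persona_roles, obj_type, owned=True):
    return "E" in effective_perms(roles, persona_roles, obj_type, owned)

if __name__ == "__main__":
    # demo1:Test as shown in the message: only the ABC Role is linked
    print(can_edit(ROLES, ["ABC"], "Owner_Group"))                  # False
    # after supergash adds the Group Admin Role to the persona
    print(can_edit(ROLES, ["ABC", "Group Admin"], "Owner_Group"))   # True
    # Group Admin grants no Default_Bits on Owner_Group, so non-owned groups stay closed
    print(can_edit(ROLES, ["ABC", "Group Admin"], "Owner_Group", owned=False))  # False
```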
- From: Jonathan Abbey <jonabbey@arlut.utexas.edu>