Posted to dev@jackrabbit.apache.org by "Markus Joschko (JIRA)" <ji...@apache.org> on 2011/07/04 09:58:21 UTC

[jira] [Created] (JCR-3010) Introduce new default group whose members can add contribute members to the userAdmin group

Introduce new default group whose members can add contribute members to the userAdmin group
-------------------------------------------------------------------------------------------

                 Key: JCR-3010
                 URL: https://issues.apache.org/jira/browse/JCR-3010
             Project: Jackrabbit Content Repository
          Issue Type: New Feature
          Components: jackrabbit-core
            Reporter: Markus Joschko
            Priority: Minor


There is a check in the UserAccessControlProvider that effectively forbids everyone but the admin from adding users to the UserAdmin Group.
This makes delegated administration of users, where the admin user is not available to the "application administrators", impossible.
As it is a security risk to allow every member of the group-admin group access to the user-admin group, I'd like to ask to either allow members of the administrator group to add users to that group or to add an additional group user-group-assignee-group (maybe with a better name) with that right.

    /*
    below group-tree:
    - test if the user is group-administrator.
    - make sure group-admin cannot modify user-admin or administrators
    - ... and cannot remove itself.
    */

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
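
The three rules in the quoted comment, together with the delegate group the issue asks for, modelled as an added example. This is not Jackrabbit code and not part of the original messages; the class, the method, the group-name strings and the reading of "cannot remove itself" as "cannot remove itself from group-admin" are assumptions made for illustration.

```java
import java.util.Set;

/** Simplified model of the membership rules; not Jackrabbit's UserAccessControlProvider. */
public class GroupMembershipPolicy {
    // Group names follow the wording of the issue; real principal names may differ.
    static final String ADMINISTRATORS = "administrators";
    static final String USER_ADMIN = "user-admin";
    static final String GROUP_ADMIN = "group-admin";
    // Hypothetical delegate group proposed in the issue.
    static final String ASSIGNEE = "user-group-assignee-group";

    /**
     * Decides whether actor may add (remove == false) or remove (remove == true)
     * member in targetGroup. withDelegate switches on the proposed extra group.
     */
    static boolean mayEditMembers(String actor, Set<String> actorGroups, boolean isAdmin,
            String targetGroup, String member, boolean remove, boolean withDelegate) {
        if (isAdmin) {
            return true; // the admin user is never restricted
        }
        boolean privileged = targetGroup.equals(USER_ADMIN) || targetGroup.equals(ADMINISTRATORS);
        if (privileged) {
            // Behaviour described in the issue: only the admin passes this point.
            // Proposed rule: delegates may edit user-admin, never administrators.
            return withDelegate && targetGroup.equals(USER_ADMIN) && actorGroups.contains(ASSIGNEE);
        }
        if (!actorGroups.contains(GROUP_ADMIN)) {
            return false; // below the group tree only group administrators may write
        }
        // A group administrator cannot remove itself from group-admin.
        return !(remove && targetGroup.equals(GROUP_ADMIN) && member.equals(actor));
    }

    public static void main(String[] args) {
        Set<String> groupAdmin = Set.of(GROUP_ADMIN);           // constructed user "alice"
        Set<String> delegate = Set.of(GROUP_ADMIN, ASSIGNEE);   // constructed user "bob"
        // Case 1: a group-admin adds itself to user-admin under the current rules.
        System.out.println(mayEditMembers("alice", groupAdmin, false, USER_ADMIN, "alice", false, false));
        // Case 2: a group-admin adds a user to an ordinary group.
        System.out.println(mayEditMembers("alice", groupAdmin, false, "editors", "bob", false, false));
        // Case 3: a delegate adds a user to user-admin with the proposed rule enabled.
        System.out.println(mayEditMembers("bob", delegate, false, USER_ADMIN, "alice", false, true));
        // Case 4: the same delegate tries to add itself to administrators.
        System.out.println(mayEditMembers("bob", delegate, false, ADMINISTRATORS, "bob", false, true));
    }
}
```

Case 1 is the escalation path the reporter calls a security risk: without the privileged-group check, any group-admin could grant itself user-admin rights.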

        

[jira] [Resolved] (JCR-3010) Introduce new default group whose members can add contribute members to the userAdmin group

Posted by "angela (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/JCR-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

angela resolved JCR-3010.
-------------------------

    Resolution: Won't Fix


        

[jira] [Commented] (JCR-3010) Introduce new default group whose members can add contribute members to the userAdmin group

Posted by "angela (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/JCR-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13067757#comment-13067757 ] 

angela commented on JCR-3010:
-----------------------------

The UserAccessControlProvider is a very simple implementation of the access control provider interface. If you need additional logic, I would suggest using a different ac-provider that allows permissions to be specified at a very fine-grained level. Extending the UserAccessControlProvider is not worth the effort IMO.
