Posted to dev@jackrabbit.apache.org by "Markus Joschko (JIRA)" <ji...@apache.org> on 2011/07/04 09:58:21 UTC
[jira] [Created] (JCR-3010) Introduce new default group whose
members can add contribute members to the userAdmin group
Introduce new default group whose members can add contribute members to the userAdmin group
-------------------------------------------------------------------------------------------
Key: JCR-3010
URL: https://issues.apache.org/jira/browse/JCR-3010
Project: Jackrabbit Content Repository
Issue Type: New Feature
Components: jackrabbit-core
Reporter: Markus Joschko
Priority: Minor
There is a check in the UserAccessControlProvider that effectively forbids everyone but the admin from adding users to the UserAdmin Group.
This makes delegated administration of users where the admin user is not available to the "application administrators" impossible.
As it is a security risk to allow every member of the group-admin group access to the user-admin group, I'd like to ask to either allow members of the administrator group to add users to that group or
to add an additional group user-group-assignee-group (maybe with a better name) with that right.
/*
   below group-tree:
   - test if the user is group-administrator.
   - make sure group-admin cannot modify user-admin or administrators
   - ... and cannot remove itself.
*/
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (JCR-3010) Introduce new default group whose
members can add contribute members to the userAdmin group
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
angela resolved JCR-3010.
-------------------------
Resolution: Won't Fix
[jira] [Commented] (JCR-3010) Introduce new default group whose
members can add contribute members to the userAdmin group
Posted by "angela (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/JCR-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13067757#comment-13067757 ]
angela commented on JCR-3010:
-----------------------------
The UserAccessControlProvider is a very simple implementation of the access control provider interface. If you need additional logic, I would suggest using a different ac-provider that allows specifying permissions at a very fine-grained level. Extending the UserAccessControlProvider is not worth the effort IMO.
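The membership rule discussed in this thread, as an added example that is not Jackrabbit code and not part of the original messages: a simplified model of the check quoted in the issue, with the proposed delegate group as an optional switch. The group name constants are labels taken from the issue's wording, and the assumption that the delegate group may edit only user-admin (never administrators) is this example's own.

```java
import java.util.Set;

/** Simplified model of the membership rule discussed in JCR-3010 (not Jackrabbit code). */
public class DelegatedMembershipPolicy {
    // Hypothetical labels taken from the wording of the issue.
    static final String ADMINISTRATORS = "administrators";
    static final String USER_ADMIN = "user-admin";
    static final String GROUP_ADMIN = "group-admin";
    static final String ASSIGNEE = "user-group-assignee-group"; // group proposed by the reporter

    /**
     * May the editor add or remove `member` in `targetGroup`?
     * delegationEnabled models the feature request; false models the behaviour the issue describes.
     */
    static boolean mayEditMembers(boolean isAdminUser, String editor, Set<String> editorGroups,
                                  String member, String targetGroup, boolean remove,
                                  boolean delegationEnabled) {
        if (isAdminUser) {
            return true; // per the issue, only the admin user is unrestricted
        }
        if (targetGroup.equals(USER_ADMIN) || targetGroup.equals(ADMINISTRATORS)) {
            // Privileged groups: a group-admin must not reach them, otherwise it
            // could add itself to user-admin and escalate its own rights.
            // Assumption: the delegate group is limited to user-admin only.
            return delegationEnabled
                    && targetGroup.equals(USER_ADMIN)
                    && editorGroups.contains(ASSIGNEE);
        }
        if (!editorGroups.contains(GROUP_ADMIN)) {
            return false; // below the group tree, the editor must be a group administrator
        }
        // "... and cannot remove itself": a group-admin may not drop its own membership.
        return !(remove && targetGroup.equals(GROUP_ADMIN) && member.equals(editor));
    }

    public static void main(String[] args) {
        Set<String> groupAdmin = Set.of(GROUP_ADMIN);
        Set<String> delegate = Set.of(ASSIGNEE);
        // Constructed sample requests; expected results follow from the rules above.
        System.out.println(mayEditMembers(false, "alice", groupAdmin, "alice", USER_ADMIN, false, false));   // false
        System.out.println(mayEditMembers(false, "alice", groupAdmin, "alice", GROUP_ADMIN, true, false));   // false
        System.out.println(mayEditMembers(false, "bob", delegate, "carol", USER_ADMIN, false, false));       // false
        System.out.println(mayEditMembers(false, "bob", delegate, "carol", USER_ADMIN, false, true));        // true
        System.out.println(mayEditMembers(false, "bob", delegate, "bob", ADMINISTRATORS, false, true));      // false
    }
}
```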