You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2011/07/19 16:50:57 UTC

[jira] [Commented] (JCR-3010) Introduce new default group whose members can add contribute members to the userAdmin group

    [ https://issues.apache.org/jira/browse/JCR-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13067757#comment-13067757 ] 

angela commented on JCR-3010:
-----------------------------

the UserAccessControlProvider is a very simple implementation of the access control provider interface. if you need additional logic i would suggest to use a different ac-provider that allows to specify permission on a very fine grained level. extending the UserAccessControlProvider is not worth the effort IMO.

> Introduce new default group whose members can add contribute members to the userAdmin group
> -------------------------------------------------------------------------------------------
>
>                 Key: JCR-3010
>                 URL: https://issues.apache.org/jira/browse/JCR-3010
>             Project: Jackrabbit Content Repository
>          Issue Type: New Feature
>          Components: jackrabbit-core
>            Reporter: Markus Joschko
>            Priority: Minor
>
> There is a check in the UserAccessControlProvider that effectively forbids everyone but the admin to add users to the UserAdmin Group. 
> This makes delegated administration of users where the admin user is not available to the "application administrators" impossible.
> As it is a security risk to allow every member of the group-admin group access to the user-admin group, I'd like to ask to either allow members of the administrator group to add user to that group or
>  to add an additional group user-group-assignee-group (maybe with a better name) with that right.
> 460                     /*
> 461                     below group-tree:
> 462                     - test if the user is group-administrator.
> 463                     - make sure group-admin cannot modify user-admin or administrators
> 464                     - ... and cannot remove itself.
> 465                     */

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira