Subgroup membership implies group membership #25
Labels
AARC-G056
Community profile attributes
AARC-G069
Guidelines for expressing group membership and role information
authZ
Authorisation
PROFILE-AARC
AARC Attribute Profile
PROFILE-GUT
Grand Unified Token (GUT) profile
This issue applies to
For a user who is member of a subgroup of a group, the implication is that they are also member of the parent group. Thus, it should not be necessary to assert
Instead, the statement
asserts the same information. The implication is that implementations MUST NOT use full string comparison alone to check whether the user is a member of
snap
(additionally, this example makes use of the rule that allows a list of one element to be replaced with that element)The corollary is that RPs MUST do a prefix string match. E.g. in C,
or in python 3.11,
In contrast, we would not suggest requiring regexp matching, as the configuration then becomes more complicated.
See also #10 and #24
The text was updated successfully, but these errors were encountered: