I suspect our user deprovisioning scripts would break by trying to
explicitly remove users from those groups. Though would be easy enough
to fix. And I'm in favor of having this extra output.
Two questions/thoughts would be:
1) If this is a "backwards-incompatible" change (is it?) should it be
The Protection Service groups fall into two categories. Those with
explicit membership lists and those with implicit membership lists.
For example, the "system:anyuser" and "system:authuser" groups are
implicit whereas "system:administrators", "system:ptsviewers", and
I second the inclusion of an explicit way of requesting one behavior or the
other. As long as I have a way to explicitly specify both behaviors working
around the change in anything that wraps the pts command should be simple
enough.
I think I prefer the new behavior you are suggesting as the
On Wed, Jul 13, 2022 at 1:49 PM Jeffrey E Altman wrote:
> The question for cell admins is whether anyone is aware of any internal
> scripts which process the output of "pts membership" which will break as
> a result of the inclusion of the implicit groups "system:anyuser" and
> "system:authuser"
As of the writing of this reply there have been several other replies to
my original e-mail from Ed Rude, Richard Brittain, and Gary Buhrmaster.
As there is some overlap in the responses I will reply once to Dave
Botsch's but I intend to touch on the feedback from all of the above.
On
Ditto - our deprovisioning scripts use pts membership output, and I expect this
is common. Filtering out system:anyuser etc. would be easy, but a flag to omit
those and revert to 'old behaviour' would be even better. I do like the
improved transparency of listing them though.
I hope that