I hope that doesn't lead people to expect 'pts membership system:authuser' to show all users.Richard
I'm curious. Why would it be wrong for users to expect 'pts membership system:authuser' and 'pts membership system:anyuser' to list their membership assuming the caller had the necessary access rights? My primary objection to the existing behavior is that these groups are special and end users / administrators must understand that they are special. If an authorized user can obtain the membership list from 'pts membership system:authuser@foreign' why shouldn't the same be true for 'system:authuser'? If the concern is the cost of generating the result set, its no more expensive then executing 'pts listentries'.
In a private response to my original message someone wrote that their cell uses the output of 'pts membership' to generate the list of entities that have access to a file object given the assigned ACL. This is a perfectly reasonable action to expect to work. However, the generated list will be incomplete when 'pts membership system:anyuser' and 'pts membership system:authuser' succeed while at the same time generate empty output.
Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature
