Hi Andy, I understand. My goal would be to support exactly the example stated in the documentation: ``` = atlprod o: atlas g: /atlas r: production ``` Seeing how vomxsrd seems to work, to do that, the triplets would have to be checked (i.e. not multi-valued fields, but a series of triplets). A real life example which should work (as you can see from the first post in this issue) would be: ``` secgsiVOMS_Fun: ---> group: '/atlas', role: 'production', cap: 'NULL' secgsiVOMS_Fun: ---> group: '/atlas', role: 'NULL', cap: 'NULL' secgsiVOMS_Fun: ---> group: '/atlas/lcg1', role: 'NULL', cap: 'NULL' secgsiVOMS_Fun: ---> group: '/atlas/usatlas', role: 'NULL', cap: 'NULL' ``` This would result (if I parse the vomsxrd code correctly) in: vo: `atlas atlas atlas atlas` group: `/atlas /atlas /atlas/lcg1 /atlas/usatlas` role: `producton NULL NULL NULL` So for correct behaviour, the authorization code would have to go through these triplets in order - in other words, it is important that the `production` role belongs to group `/atlas` and VO `atlas`, and not to any of the other groups. A real life example which is broken right now (I think) is: ``` attribute : /atlas/de/Role=production/Capability=NULL attribute : /atlas/de/Role=NULL/Capability=NULL attribute : /atlas/Role=NULL/Capability=NULL ``` This proxy must _not_ match: ``` = atlprod o: atlas g: /atlas r: production ``` since it only has the `production` role for the "smaller" subgroup `/atlas/de`, but not for full `/atlas`. Cheers, Oliver -- You are receiving this because you commented. Reply to this email directly or view it on GitHub: https://github.com/xrootd/xrootd/issues/1006#issuecomment-503743549 ######################################################################## Use REPLY-ALL to reply to list To unsubscribe from the XROOTD-DEV list, click the following link: https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-DEV&A=1