directory-commits mailing list archives

From smckin...@apache.org
Subject [directory-fortress-enmasse] branch master updated: refine
Date Sun, 17 Mar 2019 15:50:17 GMT
This is an automated email from the ASF dual-hosted git repository.

smckinney pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/directory-fortress-enmasse.git


The following commit(s) were added to refs/heads/master by this push:
     new 7bce996  refine
7bce996 is described below

commit 7bce9967b386092206c6283f5817a08818e81ed5
Author: Shawn McKinney <smckinney@apache.org>
AuthorDate: Sun Mar 17 10:50:12 2019 -0500

    refine
---
 README-SECURITY-MODEL.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/README-SECURITY-MODEL.md b/README-SECURITY-MODEL.md
index a5a1b44..e681ef5 100644
--- a/README-SECURITY-MODEL.md
+++ b/README-SECURITY-MODEL.md
@@ -84,12 +84,14 @@ is.arbac02=true
 The ARBAC checks when enabled, include the following:
 
 a. All service invocations, except AccessMgr and DelAccessMgr, perform an ADMIN permission
check automatically corresponding with the exact service/API being called. 
+ 
  For example, the permission with an objectName: **org.apache.directory.fortress.core.impl.AdminMgrImpl**
and operation name: **addUser** is automatically checked
  during the call to the **userAdd** service.   
  This means at least one ADMIN role must be activated for the user calling the service that
has been granted the required permission.
  The entire list of permissions, and their mappings to services are listed in the table that
follows.
 
-b. Some services (#'s 1 - 12 listed below) perform organizational verification, comparing
the org on the ADMIN role with that on the target user or permission in the HTTP request.
 
+b. Some services (#'s 1 - 12 listed below) perform organizational verification, comparing
the org on the ADMIN role with that on the target user or permission in the HTTP request.
+  
  There are two types of organziations being checked, User and Permission.  For example, **roleAsgn**
and **roleDeasgn**  (9 and 10 below) will verify that the caller has an ADMIN role with a
user org unit that matches the ou of the target user.  
  There is a similar check on **roleGrant** and **roleRevoke** (11 and 12) verifying the caller
has an activated ADMIN role with a perm org unit that matches the ou on the target permission.
 
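Review bot: The separator lines added after item a. and after item b. are not empty; they show up as `+ ` and `+  `, so each one consists only of trailing whitespace. Use truly empty lines there, so the paragraph break does not depend on how a Markdown renderer treats whitespace-only lines and so editors that strip trailing whitespace do not generate a follow-up diff. While this paragraph is being touched, the unchanged line directly under item b. still reads "organziations"; correct it to "organizations" in the same change.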

