directory-dev mailing list archives

From "Shawn McKinney (JIRA)" <>
Subject [jira] [Commented] (FC-74) DSD checking on hierarchical relationships incorrect
Date Sun, 01 Mar 2015 13:00:07 GMT


Shawn McKinney commented on FC-74:

INCITS 359 says this about when to apply DSD checks:

"The semantics of creating an instance of DSD relation are identical to that of an SSD
relation. While constraints associated with an SSD relation are enforced during user assignments
(as well as while creating role hierarchies), the constraints associated with DSD are enforced
only at the time of role activation within a user session."

which clearly states that DSD checks are applied only when a role is activated in a session.
This brings a problem where a role hierarchy is created that contains roles that have mutually
exclusive DSD constraints.  What is the reasonable way to handle this... should we display
a warning when such a conflict is detected?

In any case, the system should be doing this:

"However, the additional functionality required of these functions in the DSD RBAC model context
is that they should enforce the DSD constraints. For example, during the invocation of the
CreateSession function, the default active role set that is made available to the user should
not violate any of the DSD constraints. Similarly, the AddActiveRole function shall check
and prevent the addition of any active role to the session’s active role set that violates
any of the DSD constraints."

> DSD checking on hierarchical relationships incorrect
> ----------------------------------------------------
>                 Key: FC-74
>                 URL:
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0-RC40
> Manual testing of Fortress detected that DSD constraints between roles can be bypassed
> via inheritance.
> For example this constraint:
>   <sdset name="Demo2DSD"
>          description="ROLE_TEST DATA roles are mutually exclusive" cardinality="2"
>          setType="DYNAMIC"
>          setmembers="PAGE1_123,PAGE1_456,PAGE1_789,
>                      PAGE2_123,PAGE2_456,PAGE2_789,
>                      PAGE3_123,PAGE3_456,PAGE3_789"/>
> can be bypassed through these inheritance relationships:
>   <relationship child="PERSON1" parent="ROLE_PAGE1"/>
>   <relationship child="PERSON1" parent="PAGE1_123"/>
>   <relationship child="PERSON1" parent="PAGE1_456"/>
>   <relationship child="PERSON1" parent="PAGE1_789"/>
> and then assigning to user:
>   <userrole userId="anyuser" name="PERSON1"/>
> when user 'anyuser' logs on and activates the PERSON1 role, this bypasses the constraint
> checks for DSD on the roles PERSON1 inherits.

This message was sent by Atlassian JIRA
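The enforcement the comment quotes from INCITS 359 (CreateSession and AddActiveRole must reject an active role set that violates a DSD constraint), and the inheritance bypass the issue describes, worked through as an added Python example. This is not Fortress code or its API; the hierarchy and DSD set are constructed from the values in the report, and the standard's cardinality rule (a session may not hold `cardinality` or more members of one set) is applied to the transitive closure of every activated role, beside the inheritance-blind check that lets PERSON1 through. The `hierarchy_conflicts` helper is one way to raise the warning the comment asks about at hierarchy creation time; its name is an assumption.

```python
# Added example, not Fortress code: DSD enforcement at role activation that
# follows the role hierarchy, next to the inheritance-blind check the FC-74
# report describes as bypassable. All data below is constructed from the report.
from collections import deque

# Role hierarchy as child -> parents (the child inherits each parent's
# permissions). Constructed from the relationships quoted in FC-74.
HIERARCHY = {
    "PERSON1": {"ROLE_PAGE1", "PAGE1_123", "PAGE1_456", "PAGE1_789"},
}

# DSD set from the report. INCITS 359 semantics: a session may not activate
# `cardinality` or more members of the set at once, so cardinality=2 means
# the members are mutually exclusive.
DSD_SETS = {
    "Demo2DSD": {
        "cardinality": 2,
        "members": {
            "PAGE1_123", "PAGE1_456", "PAGE1_789",
            "PAGE2_123", "PAGE2_456", "PAGE2_789",
            "PAGE3_123", "PAGE3_456", "PAGE3_789",
        },
    },
}


def inherited_roles(role, hierarchy):
    """Return `role` plus every role it inherits, transitively (BFS over parents)."""
    seen = {role}
    queue = deque([role])
    while queue:
        current = queue.popleft()
        for parent in hierarchy.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def effective_roles(active_roles, hierarchy, follow_inheritance=True):
    """Roles a session really holds. With follow_inheritance=False this is the
    inheritance-blind view that lets a junior role slip past a DSD set."""
    if not follow_inheritance:
        return set(active_roles)
    effective = set()
    for role in active_roles:
        effective |= inherited_roles(role, hierarchy)
    return effective


def dsd_violations(active_roles, hierarchy, dsd_sets, follow_inheritance=True):
    """List (set_name, sorted overlapping roles) for every DSD set whose members
    appear `cardinality` or more times in the session's effective role set."""
    effective = effective_roles(active_roles, hierarchy, follow_inheritance)
    violations = []
    for name, spec in sorted(dsd_sets.items()):
        overlap = effective & spec["members"]
        if len(overlap) >= spec["cardinality"]:
            violations.append((name, sorted(overlap)))
    return violations


def add_active_role(session_roles, new_role, hierarchy, dsd_sets):
    """INCITS 359 AddActiveRole with DSD enforcement: returns the new active set
    as a frozenset, or raises PermissionError and leaves the session unchanged."""
    candidate = set(session_roles) | {new_role}
    violations = dsd_violations(candidate, hierarchy, dsd_sets)
    if violations:
        name, roles = violations[0]
        raise PermissionError(f"activating {new_role} violates DSD set {name}: {roles}")
    return frozenset(candidate)


def create_session(requested_roles, hierarchy, dsd_sets):
    """INCITS 359 CreateSession: the default active role set must satisfy DSD.
    Roles are added one at a time so the first conflicting role is rejected."""
    session = frozenset()
    for role in sorted(requested_roles):
        session = add_active_role(session, role, hierarchy, dsd_sets)
    return session


def hierarchy_conflicts(hierarchy, dsd_sets):
    """Roles that can never be activated because what they inherit already
    breaks a DSD set; a candidate for a warning at hierarchy creation time."""
    conflicts = {}
    for role in hierarchy:
        found = dsd_violations({role}, hierarchy, dsd_sets)
        if found:
            conflicts[role] = found
    return conflicts


if __name__ == "__main__":
    print("inheritance-blind:", dsd_violations({"PERSON1"}, HIERARCHY, DSD_SETS, False))
    print("hierarchy-aware:  ", dsd_violations({"PERSON1"}, HIERARCHY, DSD_SETS))
    print("conflicting roles:", hierarchy_conflicts(HIERARCHY, DSD_SETS))
```

Run stand-alone, the inheritance-blind check reports no violation for PERSON1 while the hierarchy-aware check reports three Demo2DSD members, which is exactly the gap the issue describes; `hierarchy_conflicts` flags PERSON1 as soon as the relationships are loaded, before any session exists.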