directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: All or Anonymous User Roles
Date Tue, 08 Dec 2015 18:23:39 GMT

> On Dec 8, 2015, at 11:53 AM, Chris Pike <clp207@psu.edu> wrote:
> 
> Here's the example I'm thinking about... if the permission check on my method is "alert.status.view",
> I can create a role with that permission and add users into the role. Later on if I want all
> authenticated users to have that permission, I would have to add all 40k users (and new users
> as they come into the system) into the role. Even later on if I want anyone, even anonymous
> users, to have access to the method, I would have to do a code change and remove the permission
> check from my method.
> 

It sounds like a provisioning use case to me. First, set up a base role for all authenticated
users, i.e. AuthUsers, and another for unauthenticated users, i.e. AnonUsers. And then periodically
you run a batch job to scan the ou=people subdirectory based on criteria, i.e. do they have
a password set up or not. If one or the other, and the user hasn't already been assigned, assign
it then.

That way when you want to allow anon users access, you grant that perm to the corresponding role
and are done with it (as opposed to a code change).

Of course this can also be done with some sort of 3rd party provisioning, or other sync service,
i.e. when setting up a new user, always give them one or the other role. Or detect (listen
for) when a new user is being added, to assign them to one or the other.

What would you like to see happen here?

Shawn
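The batch job described in the reply above, written against the Fortress core API as an added example (not code from the original thread or from the Fortress project). It creates the two base roles if they are missing, scans the people container, assigns each user the base role that matches the criterion, skips users who already hold it (so the job is idempotent and can run from cron), and shows the later "open it to anonymous users" step as a grant rather than a code change. Assumed, not taken from the page: the role names AuthUsers and AnonUsers are spelled as in the reply; `ReviewMgr.findUsers(new User(""))` is taken to be a prefix match on an empty userId that returns every entry under ou=people; the "has a password" test is injected as a predicate because the User entities returned by ReviewMgr may not carry the userPassword attribute, in which case the predicate should be backed by a direct LDAP search for `(userPassword=*)`; and the permission "alert.status.view" is modelled as object "alert", operation "status.view".

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.ReviewMgr;
import org.apache.directory.fortress.core.ReviewMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Permission;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Periodic provisioning job: every user under ou=people gets one of two
 * base roles, AuthUsers (has a password) or AnonUsers (no password).
 * Added example; role names and the scan criterion are assumptions.
 */
public class BaseRoleProvisioner {

    static final String AUTH_ROLE = "AuthUsers";
    static final String ANON_ROLE = "AnonUsers";

    private final AdminMgr adminMgr;
    private final ReviewMgr reviewMgr;
    // Injected criterion for "authenticated user". Assumption: the caller knows
    // whether its ReviewMgr exposes password material on the User entity.
    private final Predicate<User> hasPassword;

    BaseRoleProvisioner(AdminMgr adminMgr, ReviewMgr reviewMgr, Predicate<User> hasPassword) {
        this.adminMgr = adminMgr;
        this.reviewMgr = reviewMgr;
        this.hasPassword = hasPassword;
    }

    /** One-time setup: create both base roles unless they already exist. */
    void ensureBaseRoles() throws SecurityException {
        for (String name : Arrays.asList(AUTH_ROLE, ANON_ROLE)) {
            boolean exists = false;
            // findRoles is a prefix search, so compare the full name (roles are case-insensitive in LDAP).
            for (Role r : reviewMgr.findRoles(name)) {
                if (r.getName().equalsIgnoreCase(name)) {
                    exists = true;
                }
            }
            if (!exists) {
                adminMgr.addRole(new Role(name));
            }
        }
    }

    /**
     * The batch scan. Returns the number of new assignments made; users who
     * already hold the right base role are left alone, so re-running is safe.
     */
    int reconcile() throws SecurityException {
        int assigned = 0;
        // Assumption: an empty userId prefix matches every user in the people container.
        for (User user : reviewMgr.findUsers(new User(""))) {
            String wanted = hasPassword.test(user) ? AUTH_ROLE : ANON_ROLE;
            Set<String> current = new HashSet<>();
            for (UserRole ur : reviewMgr.assignedRoles(user)) {
                current.add(ur.getName().toLowerCase());
            }
            if (!current.contains(wanted.toLowerCase())) {
                adminMgr.assignUser(new UserRole(user.getUserId(), wanted));
                assigned++;
            }
        }
        return assigned;
    }

    /** Later on, opening a permission to anonymous users is a grant, not a code change. */
    void openToAnonymous(Permission perm) throws SecurityException {
        adminMgr.grantPermission(perm, new Role(ANON_ROLE));
    }

    public static void main(String[] args) throws SecurityException {
        BaseRoleProvisioner job = new BaseRoleProvisioner(
            AdminMgrFactory.createInstance(),
            ReviewMgrFactory.createInstance(),
            // Assumption: User.getPassword() is populated. If it is not, back this
            // predicate with a direct LDAP search for (userPassword=*) under ou=people.
            u -> u.getPassword() != null && u.getPassword().length > 0);
        job.ensureBaseRoles();
        System.out.println("new base-role assignments: " + job.reconcile());
        // Assumption: the check "alert.status.view" maps to object "alert", operation "status.view".
        job.openToAnonymous(new Permission("alert", "status.view"));
    }
}
```

The job only ever adds the missing base role; if users in your directory can move between the two states (a password is later set on an account created without one), add a matching `AdminMgr.deassignUser` for the other base role in `reconcile()` so each user ends up in exactly one of them.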
