From Chris Pike <clp...@psu.edu>
Subject Re: All or Anonymous User Roles
Date Thu, 10 Dec 2015 18:01:21 GMT
Not entirely sure what I would like to see happen; I was looking to see what was currently possible
and whether you had any thoughts. Being able to specify that all users have a role, all authenticated
users have a role, or all users in a specified UserOU have a role would be nice, but I'm not sure
that could be done without breaking, or at least extending, RBAC.


----- Original Message -----
From: "Shawn McKinney" <smckinney@apache.org>
To: fortress@directory.apache.org
Sent: Tuesday, December 8, 2015 1:23:39 PM
Subject: Re: All or Anonymous User Roles

> On Dec 8, 2015, at 11:53 AM, Chris Pike <clp207@psu.edu> wrote:
> 
> Here's the example I'm thinking about... if the permission check on my method is "alert.status.view",
> I can create a role with that permission and add users into the role. Later on if I want all
> authenticated users to have that permission, I would have to add all 40k users (and new users
> as they come into the system) into the role. Even later on if I want anyone, even anonymous
> users, to have access to the method, I would have to do a code change and remove the permission
> check from my method.
> 

It sounds like a provisioning use case to me. First, set up a base role for all authenticated
users, i.e. AuthUsers, and another for unauthenticated users, i.e. AnonUsers. And then periodically
you run a batch job to scan the ou=people subdirectory based on criteria, i.e. do they have
a password set up or not. If one or the other, and the user hasn't already been assigned, assign
it then.

That way when you want to allow anon users access, you grant that perm the corresponding role
and be done with it (as opposed to code change).  

Of course this can also be done with some sort of 3rd party provisioning, or other sync service,
i.e. when setting up a new user, always give them one or the other role. Or detect (listen
for) when a new user is being added, to assign to one or the other.

What would you like to see happen here?

Shawn
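
The provisioning job Shawn sketches above, written out as an added example (this is not code from the thread or from Apache Fortress; it simulates the directory in memory rather than calling the Fortress AdminMgr/ReviewMgr API). It goes slightly beyond the mail in one respect: a user whose password status changes is moved from one base role to the other, so the job stays idempotent. The role names AuthUsers and AnonUsers and the permission alert.status.view come from the thread; the sample user entries are constructed.

```python
"""Idempotent base-role provisioning: AuthUsers vs AnonUsers, decided by password presence."""
from dataclasses import dataclass, field

AUTH_ROLE = "AuthUsers"   # base role for authenticated users (from the thread)
ANON_ROLE = "AnonUsers"   # base role for unauthenticated/anonymous users (from the thread)


@dataclass
class User:
    """Minimal stand-in for an entry under ou=people (hypothetical, not a Fortress type)."""
    uid: str
    has_password: bool            # the criterion Shawn proposes: is userPassword set?
    roles: set = field(default_factory=set)


def sample_directory():
    """Constructed sample of ou=people for the example; not real data."""
    return [
        User("alice", has_password=True),                     # new, nothing assigned yet
        User("bob", has_password=True, roles={AUTH_ROLE}),    # already provisioned
        User("carol", has_password=True, roles={ANON_ROLE}),  # was anon, later got a password
        User("guest1", has_password=False),                   # anonymous, nothing assigned yet
    ]


def base_role_for(user):
    """One of the two base roles, chosen by the password criterion."""
    return AUTH_ROLE if user.has_password else ANON_ROLE


def provision(people):
    """The periodic batch job. Assigns the wanted base role only where it is missing,
    removes the other base role if the user's status changed, and returns the list of
    (uid, action, role) changes so a second run on the same data returns []."""
    changes = []
    for user in people:
        wanted = base_role_for(user)
        other = ANON_ROLE if wanted == AUTH_ROLE else AUTH_ROLE
        if other in user.roles:
            user.roles.discard(other)
            changes.append((user.uid, "deassign", other))
        if wanted not in user.roles:
            user.roles.add(wanted)
            changes.append((user.uid, "assign", wanted))
    return changes


def grant_permission(role_perms, role, perm):
    """Grant a permission to a role: the administrative change that replaces a code change."""
    role_perms.setdefault(role, set()).add(perm)


def check_access(user, perm, role_perms):
    """RBAC-style check: the user has the permission if any assigned role carries it."""
    return any(perm in role_perms.get(role, ()) for role in user.roles)


if __name__ == "__main__":
    people = sample_directory()
    for change in provision(people):
        print(change)
    role_perms = {AUTH_ROLE: {"alert.status.view"}}
    guest = people[3]
    print("guest before grant:", check_access(guest, "alert.status.view", role_perms))
    grant_permission(role_perms, ANON_ROLE, "alert.status.view")
    print("guest after grant:", check_access(guest, "alert.status.view", role_perms))
```

Running it once assigns alice and guest1, moves carol from AnonUsers to AuthUsers and leaves bob alone; a second run makes no changes. The last lines show Chris's scenario resolved administratively: alert.status.view starts on AuthUsers only, and opening it to anonymous users is a single grant to AnonUsers with the method's permission check left in place.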
