directory-fortress mailing list archives

From Shawn McKinney <smckin...@apache.org>
Subject Re: All or Anonymous User Roles
Date Thu, 10 Dec 2015 18:28:44 GMT

> On Dec 10, 2015, at 12:01 PM, Chris Pike <clp207@psu.edu> wrote:
> 
> Not entirely sure what I would like to see happen, was looking to see what was currently
> possible and see if you had any thoughts. Being able to specify that all users have a role,
> all authenticated users have a role, or all users in a specified UserOU have a role would
> be nice, but not sure that could be done without breaking or at least extending RBAC.

There are a couple of areas we can work in and stay within the limits of a classic RBAC system,
i.e. INCITS 359.

The first that comes to mind is role activation workflow somewhere during the session creation
phase. For example, the client could make the determination if the user is anonymous or authenticated,
and based on that knowledge, can either include one role or the other - i.e. AuthUser or AnonUser.

So you could call createSession, perhaps with trusted = true, meaning no authN required.
And subsequently call addActiveRole with the AnonUser role.

Or if the user has authenticated, you would call addActiveRole with AuthUser.
Of course this doesn't solve the provisioning use case we discussed earlier, i.e. assigning
one or the other role. But wait, maybe it does... could we always assign both and then just
activate one or the other? Thinking....

Shawn
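The workflow sketched in the message above, written out as an added illustration that is not part of the thread and is not Apache Fortress code: a small INCITS 359-style model in which a user is assigned both AnonUser and AuthUser at provisioning time, the client activates exactly one of them when it creates the session (trusted session for anonymous, password-checked session for authenticated), and access checks only consult active roles. The class and method names (RbacStore, create_session, add_active_role, check_access, open_session), the demo user "alice", the password and the article permissions are all constructed for the example and mirror, rather than call, the Fortress createSession/addActiveRole API.

```python
# Added illustration (not Apache Fortress code): a minimal INCITS 359-style
# model of the session workflow described in the message. Users are *assigned*
# both AnonUser and AuthUser at provisioning time; the client *activates*
# exactly one of them when it opens a session, and access checks only
# consider active roles.
import hmac
from dataclasses import dataclass, field

ANON_ROLE = "AnonUser"   # role names from the message
AUTH_ROLE = "AuthUser"


class RbacError(Exception):
    """Raised on failed authentication or an invalid role activation."""


@dataclass
class Session:
    user_id: str
    trusted: bool                      # True: created without a password check
    active_roles: set = field(default_factory=set)


class RbacStore:
    """Holds provisioning data (users, assignments) and role permissions."""

    def __init__(self):
        self.passwords = {}   # user_id -> password (constructed demo data, plaintext for brevity)
        self.assigned = {}    # user_id -> set of assigned role names
        self.perms = {}       # role name -> set of (object, operation)

    def add_user(self, user_id, password):
        self.passwords[user_id] = password
        self.assigned.setdefault(user_id, set())

    def assign_user(self, user_id, role):
        self.assigned.setdefault(user_id, set()).add(role)

    def grant_permission(self, role, obj, op):
        self.perms.setdefault(role, set()).add((obj, op))

    def create_session(self, user_id, password=None, trusted=False):
        """Analogue of createSession(user, isTrusted): trusted skips authN entirely."""
        if user_id not in self.assigned:
            raise RbacError(f"unknown user {user_id}")
        if not trusted:
            stored = self.passwords.get(user_id, "")
            # constant-time comparison; a real system would verify a password hash
            if password is None or not hmac.compare_digest(stored, password):
                raise RbacError("authentication failed")
        return Session(user_id=user_id, trusted=trusted)

    def add_active_role(self, session, role):
        """Analogue of addActiveRole: only roles assigned to the user may be activated."""
        if role not in self.assigned[session.user_id]:
            raise RbacError(f"{role} is not assigned to {session.user_id}")
        session.active_roles.add(role)

    def check_access(self, session, obj, op):
        """A permission holds only through a currently *active* role."""
        return any((obj, op) in self.perms.get(r, ()) for r in session.active_roles)


def open_session(store, user_id, password=None):
    """Client-side decision from the message: a password means an authenticated
    session with AuthUser active; no password means a trusted session with
    AnonUser active. Exactly one of the two roles is activated."""
    if password is None:
        session = store.create_session(user_id, trusted=True)
        store.add_active_role(session, ANON_ROLE)
    else:
        session = store.create_session(user_id, password=password)
        store.add_active_role(session, AUTH_ROLE)
    return session


def build_demo_store():
    """Constructed sample policy: public reads for anyone, edits only for authenticated users."""
    store = RbacStore()
    store.add_user("alice", "s3cret")          # constructed demo user and password
    store.assign_user("alice", ANON_ROLE)      # assign both roles ...
    store.assign_user("alice", AUTH_ROLE)      # ... and let the session pick one
    store.grant_permission(ANON_ROLE, "article", "read")
    store.grant_permission(AUTH_ROLE, "article", "read")
    store.grant_permission(AUTH_ROLE, "article", "edit")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    anon = open_session(store, "alice")
    auth = open_session(store, "alice", password="s3cret")
    print("anonymous may edit:", store.check_access(anon, "article", "edit"))   # False
    print("authenticated may edit:", store.check_access(auth, "article", "edit"))  # True
```

The point the model makes concrete is the split the message lands on: provisioning (assignment of both roles) stays static and within classic RBAC, while the anonymous/authenticated distinction is expressed purely as a session-time activation choice, so nothing in the policy store needs a notion of "all users".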
