directory-fortress mailing list archives

From Chris Pike <clp...@psu.edu>
Subject Re: Access Manager Role Filtering
Date Sun, 09 Oct 2016 12:58:52 GMT
With the addition of the ABAC / Role Constraint, this is the plan for how each of our applications will check permissions:

1. Application starts up and registers all of its permissions into an application specific Perm-OU
2. When a user makes a request, the application gets all the session user roles (AccessMgr.sessionRoles). Because of role constraints, can't use sessionPermissions.
3. For each role found, it finds the permissions (ReviewMgr.rolePermissions).
4. If necessary, it finds the permission attribute sets for each permission (ReviewMgr.readPermAttributeSet)
5. The permissions are part of the application's request context, so every check can be done internally, don't need to make a call to fortress.

There will be caching, so this flow doesn't need done on every request. We will have many applications, so in Step #2, lots of roles will be returned, most of which are not relevant to the application since they don't contain any permissions in the application's Perm-OU. My question was directed at seeing if there was a way to make this process more efficient.



----- Original Message -----
From: "Shawn McKinney" <smckinney@apache.org>
To: fortress@directory.apache.org
Sent: Sunday, October 9, 2016 8:16:02 AM
Subject: Re: Access Manager Role Filtering

Chris, not exactly sure what you mean. Please elaborate with a sample use case and data. If it worked the way you wanted, what would the API be?


> On Oct 8, 2016, at 11:22 AM, Chris Pike <clp207@psu.edu> wrote:
> 
> Shawn,
> 
> Would there be any way to efficiently get all session roles that only contain permissions in a specified permission OU?
> 
> Thanks,
> 
> ~Chris
>
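
The flow in steps 2 to 5 of the message above, as an added example that is not part of the original thread and is not Fortress code: a per-application cache that keeps, for each role, only the permissions in the application's Perm-OU, so roles irrelevant to the application are remembered as empty. The class, function names and sample data are constructed for illustration, and `sample_role_permissions` is a hypothetical in-memory stand-in for the per-role lookup the message names.

```python
import time

# Constructed sample data: role -> (perm_ou, object, operation) tuples.
SAMPLE_ROLE_PERMS = {
    "hr-admin": [("hr-app", "Employee", "read"), ("hr-app", "Employee", "update")],
    "wiki-editor": [("wiki-app", "Page", "edit")],
    "auditor": [("hr-app", "Employee", "read"), ("wiki-app", "Page", "view")],
}

def sample_role_permissions(role):
    """Hypothetical stand-in for the per-role permission lookup (step 3)."""
    return SAMPLE_ROLE_PERMS.get(role, [])

class AppPermCache:
    """Caches, per role, only the permissions that live in this application's Perm-OU."""

    def __init__(self, perm_ou, lookup=sample_role_permissions, ttl=300.0, clock=time.monotonic):
        self.perm_ou, self.lookup, self.ttl, self.clock = perm_ou, lookup, ttl, clock
        self._cache = {}   # role -> (expires_at, frozenset of (object, operation))
        self.lookups = 0   # number of backend lookups actually made

    def perms_for_role(self, role):
        hit = self._cache.get(role)
        if hit is not None and hit[0] > self.clock():
            return hit[1]
        self.lookups += 1
        perms = frozenset((obj, op) for ou, obj, op in self.lookup(role) if ou == self.perm_ou)
        # Roles with nothing in this Perm-OU are cached as empty sets, so an
        # irrelevant role costs one lookup per TTL instead of one per request.
        self._cache[role] = (self.clock() + self.ttl, perms)
        return perms

    def relevant_roles(self, session_roles):
        """Session roles that hold at least one permission in this Perm-OU."""
        return [r for r in session_roles if self.perms_for_role(r)]

    def request_context(self, session_roles):
        """Union of in-OU permissions for the roles active in this session."""
        ctx = set()
        for role in session_roles:
            ctx |= self.perms_for_role(role)
        return frozenset(ctx)

def check(ctx, obj, op):
    """Step 5: local check against the request context; anything absent is denied."""
    return (obj, op) in ctx
```

The example caches only the role-to-permission mapping and takes the session's role list as input on every call. The TTL bounds how long a permission revoked in the directory keeps passing the local check.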
