directory-fortress mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Pike <>
Subject Re: Access Manager Role Filtering
Date Tue, 11 Oct 2016 17:08:40 GMT
AR1 could only revoke R1, R2, and R3 if it's role range (or role group, which we plan on adding
to add to ARBAC roles) allowed.

Role Groups: RG1, RG2, RG3

Roles: R1 (RG1), R2 (RG2), R3 (RG3)

AR1 - P01 / RG1
AR2 - P02 / RG2
AR3 - P01, P02, P03 / RG3

Only someone in AR1 could remove "sleeper" from R1
Only someone in AR2 could remove "sleeper" from R2
Only someone in AR3 could remove "sleeper" from R3

----- Original Message -----
From: "Shawn McKinney" <>
Sent: Tuesday, October 11, 2016 9:35:30 AM
Subject: Re: Access Manager Role Filtering

> On Oct 11, 2016, at 7:24 AM, Chris Pike <> wrote:
> Not sure if I understand your questions about how can one set of roles be associated
with a perm with multiple OUs. The Perm OUs are just an ARBAC thing correct?

Yes, but there are semantics here that need to be understood.  

This discussion is too complicated in the abstract.  We need use cases.

For example:

Roles:  R1, R2, R3

Perm OUs : P01, P02, P03

AR1 - P01
AR2 - P02
AR3 - P01, P02, P03

PermObj: foo
op: fighter: ous:(P01), roles(R1)
op: eater: ous:P02), roles:(R2)
op: sleeper: ous(P01, P02, P03) roles(R1, R2, R3)

So we have 3 perms, the first two are typical, the last one, foo.sleeper is not as it has
multiple perm ous associated with it.

Now let us consider the operation:
boolean canRevoke(Session session, Role role, Permission perm) throws SecurityException

Any administrator that has any of the adminroles listed could revoke any of foo.sleeper’s
roles.  e.g. admin AR1, could revoke R1, R2 and R3.  Is that desirable behavior?


View raw message