directory-fortress mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shawn McKinney <>
Subject Re: Access Manager Role Filtering
Date Tue, 11 Oct 2016 13:35:30 GMT

> On Oct 11, 2016, at 7:24 AM, Chris Pike <> wrote:
> Not sure if I understand your questions about how can one set of roles be associated
with a perm with multiple OUs. The Perm OUs are just an ARBAC thing correct?

Yes, but there are semantics here that need to be understood.  

This discussion is too complicated in the abstract.  We need use cases.

For example:

Roles:  R1, R2, R3

Perm OUs : P01, P02, P03

AR1 - P01
AR2 - P02
AR3 - P01, P02, P03

PermObj: foo
op: fighter: ous:(P01), roles(R1)
op: eater: ous:P02), roles:(R2)
op: sleeper: ous(P01, P02, P03) roles(R1, R2, R3)

So we have 3 perms, the first two are typical, the last one, foo.sleeper is not as it has
multiple perm ous associated with it.

Now let us consider the operation:
boolean canRevoke(Session session, Role role, Permission perm) throws SecurityException

Any administrator that has any of the adminroles listed could revoke any of foo.sleeper’s
roles.  e.g. admin AR1, could revoke R1, R2 and R3.  Is that desirable behavior?

View raw message