directory-fortress mailing list archives

From Chris Pike <clp...@psu.edu>
Subject Re: Access Manager Role Filtering
Date Sun, 09 Oct 2016 22:18:49 GMT
Well, my thinking was that if you moved Perm OU down into the operation, then the app could
use the Perm OU hierarchy to find relevant permissions:

Parent Perm OU = myapp
 - Child Perm OU = myapp.1
 - Child Perm OU = myapp.2

perm obj name == Customer
perm op name == add
perm op ou == myapp.1

perm op name == update
perm op ou == myapp.2

So if I queried for all permissions that belong to Perm OU "myapp" (either directly or from
a child OU), I would get the list of permissions relevant to "myapp". It would then allow
delegation of Perm OU myapp.1 and myapp.2 to separate ARBAC roles.

Of course, managing the Perm OU hierarchy and managing changes becomes challenging. Maybe it's
worth thinking through the implications of making Perm OU multi-occurring on the Perm Op...

----- Original Message -----
From: "Shawn McKinney" <smckinney@apache.org>
To: fortress@directory.apache.org
Sent: Sunday, October 9, 2016 5:35:04 PM
Subject: Re: Access Manager Role Filtering

> On Oct 9, 2016, at 4:17 PM, Chris Pike <clp207@psu.edu> wrote:
> 
> Could the Perm OU hierarchy be used to manage grouping permissions within an application?

Perhaps.  Depends on the req’s I suppose.  Can you elaborate?
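
The proposal in the message above (Perm OU held on the operation, hierarchical lookup from "myapp", and delegation of myapp.1 and myapp.2 to separate ARBAC roles) can be modelled as follows. This is an added example, not part of the thread and not Fortress code; the admin role names, the "otherapp" OU and the "Invoice" permission are constructed, and letting an admin role's OU cover its child OUs is an assumption.

```python
from collections import defaultdict

# Constructed sample data mirroring the message: Perm OU -> parent Perm OU.
OU_PARENT = {"myapp": None, "myapp.1": "myapp", "myapp.2": "myapp", "otherapp": None}

# (object name, operation name, Perm OU on the operation). This is the layout
# proposed in the thread, not a statement of how Fortress stores the OU.
PERMS = [
    ("Customer", "add", "myapp.1"),
    ("Customer", "update", "myapp.2"),
    ("Invoice", "read", "otherapp"),  # constructed, belongs to another app
]

# Hypothetical ARBAC admin roles and the Perm OUs delegated to each.
ADMIN_ROLE_OUS = {
    "myapp1-admin": {"myapp.1"},
    "myapp2-admin": {"myapp.2"},
    "myapp-admin": {"myapp"},
}


def descendants(ou, parent_map=OU_PARENT):
    """Return ou plus every OU below it in the hierarchy."""
    children = defaultdict(set)
    for child, parent in parent_map.items():
        if parent is not None:
            children[parent].add(child)
    seen, stack = set(), [ou]
    while stack:
        cur = stack.pop()
        if cur in seen:  # guards against a cycle in a mis-edited hierarchy
            continue
        seen.add(cur)
        stack.extend(children[cur])
    return seen


def perms_for_ou(ou, perms=PERMS):
    """All (object, operation) pairs whose operation OU is ou or a descendant."""
    scope = descendants(ou)
    return sorted((obj, op) for obj, op, op_ou in perms if op_ou in scope)


def can_administer(admin_role, obj, op, perms=PERMS):
    """True if the role holds the operation's OU directly or via an ancestor OU."""
    delegated = set()
    for ou in ADMIN_ROLE_OUS.get(admin_role, ()):
        delegated |= descendants(ou)  # assumption: delegation covers child OUs
    return any(o == obj and p == op and op_ou in delegated for o, p, op_ou in perms)
```

An unknown admin role or an operation whose OU lies outside the delegated subtree is denied, so the lookup fails closed.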
