Posted to dev@directory.apache.org by "Chris Pike (JIRA)" <ji...@apache.org> on 2016/10/12 12:50:20 UTC
[jira] [Created] (FC-196) ARBAC Perm OU Placement
Chris Pike created FC-196:
-----------------------------
Summary: ARBAC Perm OU Placement
Key: FC-196
URL: https://issues.apache.org/jira/browse/FC-196
Project: FORTRESS
Issue Type: Improvement
Reporter: Chris Pike
Assignee: Chris Pike
User Story: As a fortress super administrator, I want to delegate different Permission Operation assignment to different application owners (i.e., one group can give out account creation, another can give out account reset, and a third can give out both).
Current Steps:
1. Create Permission Object (account.create) with Perm OU (POU1) and Operation (do)
2. Create Permission Object (account.reset) with Perm OU (POU2) and Operation (do)
3. Create an ARBAC Role (AR1) that has jurisdiction over Perm OU (POU1)
4. Create an ARBAC Role (AR2) that has jurisdiction over Perm OU (POU2)
5. Create an ARBAC Role (AR3) that has jurisdiction over Perm OUs (POU1 and POU2)
6. U1 adds Permission (account.create.do) into R1
7. U2 adds Permission (account.reset.do) into R2
8. U3 adds Permissions (account.create.do and account.reset.do) into R3
9. Create new Permission Object (account.delete) with Perm OU (POU3) and Operation (do)
10. Update AR2 to add POU3
11. Update AR3 to add POU3
End State:
account.create.do -> POU1
account.reset.do -> POU2
account.delete.do -> POU3
AR1 -> POU1
AR2 -> POU2, POU3
AR3 -> POU1, POU2, POU3
Issues / Notes:
- A one to one mapping between Permissions and PermOUs
- Adding a new permission may require updating many ARBAC roles
Steps after Perm OU Move to Operation:
1. Create Permission Object (account) with Operations (create with POU1 / reset with POU2)
Steps are the same after this point
End State:
account.create -> POU1
account.reset -> POU2
account.delete -> POU3
AR1 -> POU1
AR2 -> POU2, POU3
AR3 -> POU1, POU2, POU3
Issues / Notes:
- Same issues as previous use case
Steps after Perm OU Move to Operation and Multi Instance:
1. Create Permission Object (account) with Operations (create with POU1 / reset with POU1)
2. Create Perm OU (POU2) and add to account.create
3. Create an ARBAC Role (AR1) that has jurisdiction over Perm OU (POU2)
4. Create Perm OU (POU3) and add to account.reset
5. Create an ARBAC Role (AR2) that has jurisdiction over Perm OU (POU3)
6. Create an ARBAC Role (AR3) that has jurisdiction over Perm OUs (POU1)
7. U1 in AR1 adds Permission (account.create) into R1
8. U2 in AR2 adds Permission (account.reset) into R2
9. U3 in AR3 adds Permissions (account.create and account.reset) into R3
10. Create new Permission Operation (account.delete with POU1 and POU3)
End State:
account.create -> POU1, POU2
account.reset -> POU1, POU3
account.delete -> POU1, POU3
AR1 -> POU2
AR2 -> POU3
AR3 -> POU1
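Added example (not part of the original issue and not Fortress code): a small Python model of the end states listed above, showing which ARBAC roles can assign which permissions in the current model and in the multi-instance model, and which ARBAC roles have to be edited when account.delete is introduced. The function names and the matching rule (a role may assign a permission when at least one of the permission's Perm OUs is inside the role's jurisdiction) are assumptions made for this illustration.

```python
# Added illustration: a plain-Python model of the page's end states, not the
# Apache Fortress API. Assumption: an ARBAC role may assign a permission when
# at least one of the permission's Perm OUs is inside the role's jurisdiction.

def delegation(perm_ous, role_ous):
    """Map each ARBAC role to the sorted permissions it is allowed to assign."""
    return {
        role: sorted(p for p, ous in perm_ous.items() if ous & jurisdiction)
        for role, jurisdiction in role_ous.items()
    }

def assigners(perm_ous, role_ous, perm):
    """ARBAC roles that are allowed to assign one permission."""
    return sorted(r for r, j in role_ous.items() if perm_ous[perm] & j)

def roles_changed(before, after):
    """ARBAC roles whose Perm OU jurisdiction had to be edited."""
    return sorted(r for r in after if before.get(r) != after[r])

# Current model: one Perm OU per permission.
SINGLE_ROLES_BEFORE = {"AR1": {"POU1"}, "AR2": {"POU2"}, "AR3": {"POU1", "POU2"}}
SINGLE_ROLES = {"AR1": {"POU1"}, "AR2": {"POU2", "POU3"},
                "AR3": {"POU1", "POU2", "POU3"}}          # after steps 10-11
SINGLE_PERMS = {"account.create.do": {"POU1"}, "account.reset.do": {"POU2"},
                "account.delete.do": {"POU3"}}            # after step 9

# Perm OU on the operation, several Perm OUs per operation.
MULTI_ROLES = {"AR1": {"POU2"}, "AR2": {"POU3"}, "AR3": {"POU1"}}
MULTI_PERMS_BEFORE = {"account.create": {"POU1", "POU2"},
                      "account.reset": {"POU1", "POU3"}}
MULTI_PERMS = {**MULTI_PERMS_BEFORE, "account.delete": {"POU1", "POU3"}}

if __name__ == "__main__":
    # Step 9 alone leaves account.delete.do unassignable by any ARBAC role.
    print(assigners(SINGLE_PERMS, SINGLE_ROLES_BEFORE, "account.delete.do"))
    print(roles_changed(SINGLE_ROLES_BEFORE, SINGLE_ROLES))
    print(delegation(SINGLE_PERMS, SINGLE_ROLES))
    # Multi instance: same role jurisdictions before and after the new operation.
    print(delegation(MULTI_PERMS_BEFORE, MULTI_ROLES))
    print(delegation(MULTI_PERMS, MULTI_ROLES))
```

Under this model both end states give AR1, AR2 and AR3 the same effective delegation, but in the multi-instance case the Perm OU list chosen when an operation is created decides who can assign it, so that list is the value to review.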