You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Emmanuel Lecharny (JIRA)" <ji...@apache.org> on 2016/05/06 15:24:13 UTC

[jira] [Updated] (FC-111) Enhance ARBAC Coverage

     [ https://issues.apache.org/jira/browse/FC-111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Emmanuel Lecharny updated FC-111:
---------------------------------
    Fix Version/s:     (was: 1.0.0)
                   1.0.1

> Enhance ARBAC Coverage
> ----------------------
>
>                 Key: FC-111
>                 URL: https://issues.apache.org/jira/browse/FC-111
>             Project: FORTRESS
>          Issue Type: New Feature
>    Affects Versions: 1.0.0-RC42
>            Reporter: Shawn McKinney
>             Fix For: 1.0.1
>
>   Original Estimate: 40h
>  Remaining Estimate: 40h
>
> Administrative Role-Based Access Control, or ARBAC gives the capability to control authorization on the Fortress Core APIs themselves.  To enable fortress to perform these checks, a session must be set on the manager function before usage.  For example:
> this.adminMgr.setAdmin( SecUtils.getSession( this ) );
> setting a fortress session onto a manager impl enforces arbac checking on subsequent apis calls:
> 1. makes sure that the caller has the permission to call the method
> 2. (in some cases) enforces the caller is entitled to perform the function for a given organization.
> This enhancement is to expand the coverage for #2.  Currently the ou checks performed on these calls:
> assign and deassignUser
> grant and revokePermission
> Needs to be added for:
> add, update, delete and findUser
> add, update, delete, and findPermissions
> resetPassword, unlockAccount
> The additional checks will require hooks to be inserted inside the manager flow before the actual dao is invoked.  The exception to this rule is for the search of users and permissions which will require additional search filters to be inserted into the query.
> for user functions enforce the caller has admin role with matching userou.
> for perm functions enforce the caller has admin role with matching permou.
> This enhancement will require additional test routines as well to verify the additional constraints checks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)