You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@directory.apache.org by "Shawn McKinney (JIRA)" <ji...@apache.org> on 2016/10/25 14:17:58 UTC

[jira] [Commented] (FC-75) Add Role grouping mechanism

    [ https://issues.apache.org/jira/browse/FC-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15605426#comment-15605426 ] 

Shawn McKinney commented on FC-75:
----------------------------------

FC-75 is superceded by FC-144

> Add Role grouping mechanism
> ---------------------------
>
>                 Key: FC-75
>                 URL: https://issues.apache.org/jira/browse/FC-75
>             Project: FORTRESS
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>            Assignee: Shawn McKinney
>             Fix For: 2.0.0-RC1
>
>
> Ansi rbac allows groups of roles.  An rbac group map to a collection of roles:
> Rbac group one to many relationship with role.
> This will help with administration to simplify the task of assigning multiple roles to a single user.  
> It is worth noting that role hierarchies are a similar concept in that they too are a collection of roles - with one key difference.  If one wanted to assign a collection of roles to a user where two or more have dynamic separation of duty constraints, having those roles related via a hierarchy prevents selective activation into session.
> With a group of roles assigned, it is possible for the user or system itself to choose which of the assigned roles to activate into a given session.  
> from the ansi incits 369 2004:
> "CreateSession(user, session)
> This function creates a new session with a given user as owner, and a given set of active roles. The function is valid if and only if:
> - the user is a member of the USERS data set, and
> - the active role set is a subset of the roles authorized for that user. Note that if a role is
> active for a session, its descendants or ascendants are not necessarily active for that session. In a RBAC implementation, the session’s active roles might actually be the groups that represent those roles."



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)