You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@directory.apache.org by "Shawn McKinney (JIRA)" <ji...@apache.org> on 2015/06/11 00:31:00 UTC
[jira] [Created] (FC-111) Enhance ARBAC Coverage
Shawn McKinney created FC-111:
---------------------------------
Summary: Enhance ARBAC Coverage
Key: FC-111
URL: https://issues.apache.org/jira/browse/FC-111
Project: FORTRESS
Issue Type: New Feature
Affects Versions: 1.0.0-RC41
Reporter: Shawn McKinney
Fix For: 1.0.0
Administrative Role-Based Access Control, or ARBAC gives the capability to control authorization on the Fortress Core APIs themselves. To enable fortress to perform these checks, a session must be set on the manager function before usage. For example:
this.adminMgr.setAdmin( SecUtils.getSession( this ) );
setting a fortress session onto a manager impl enforces arbac checking on subsequent apis calls:
1. makes sure that the caller has the permission to call the method
2. (in some cases) enforces the caller is entitled to perform the function for a given organization.
This enhancement is to expand the coverage for #2. Currently the ou checks performed on these calls:
assign and deassignUser
grant and revokePermission
Needs to be added for:
add, update, delete and findUser
add, update, delete, and findPermissions
resetPassword, unlockAccount
The additional checks will require hooks to be inserted inside the manager flow before the actual dao is invoked. The exception to this rule is for the search of users and permissions which will require additional search filters to be inserted into the query.
for user functions enforce the caller has admin role with matching userou.
for perm functions enforce the caller has admin role with matching permou.
This enhancement will require additional test routines as well to verify the additional constraints checks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)