Posted to fortress@directory.apache.org by Chris Pike <cl...@psu.edu> on 2015/09/24 21:40:56 UTC

Admin Roles and RBAC Role Range

RBAC roles are assigned to ARBAC roles through role ranges (a starting child node and an ending parent node). This range determines the set of roles that a user in the Admin Role can assign users. Given a complex RBAC role hierarchy or many roles not part of a hierarchy, this would require many ARBAC roles to be created. Is this correct?

Furthermore, when a new RBAC role is created, it will not belong to any ARBAC role (unless it happens to be inside of a role range). A new ARBAC role might need to be created for every new RBAC role. So, if we want to delegate role creation to a particular user(s), they would also need to have permissions to then create ARBAC roles and assign users to those roles?


Re: Admin Roles and RBAC Role Range

Posted by Shawn McKinney <sm...@apache.org>.
> On Sep 24, 2015, at 2:40 PM, Chris Pike <cl...@psu.edu> wrote:
> 
> RBAC roles are assigned to ARBAC roles through role ranges (a starting child node and an ending parent node). This range determines the set of roles that a user in the Admin Role can assign users. Given a complex RBAC role hierarchy or many roles not part of a hierarchy, this would require many ARBAC roles to be created. Is this correct?
> 

Yes.  I believe one could derive a set of roles targeted for a particular admin role from a common parent.  Then assign the parent to the arbac role range.

> 
> On Sep 24, 2015, at 2:40 PM, Chris Pike <cl...@psu.edu> wrote:
> 
> Furthermore, when a new RBAC role is created, it will not belong to any ARBAC role (unless it happens to be inside of a role range). A new ARBAC role might need to be created for every new RBAC role. So, if we want to delegate role creation to a particular user(s), they would also need to have permissions to then create ARBAC roles and assign users to those roles?


Another possible solution is to add a multi-occurring attribute, i.e. ftRoles, to the admin role entity that contains references to one or more non-related rbac roles.  This would be useful if not part of the ARBAC02 model.  Don’t think that would be too difficult to do.  There are other entities that maintain multi-occurring references to rbac roles - e.g. permissions.

Shawn
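
The range check discussed in this thread, as an added example that is not Fortress code and not from either poster. It assumes a range covers the roles on the path from the begin (child) node up to the end (parent) node with both endpoints inclusive; the hierarchy, the role names and the extra_roles field (standing in for the proposed ftRoles attribute) are constructed for illustration.

```python
# Toy model of the ARBAC role-range check discussed in this thread.
# Not Fortress code: names and inclusive-endpoint semantics are assumptions.

# Constructed sample hierarchy: child role -> set of direct parent roles.
PARENTS = {
    "Teller": {"BankUser"},
    "HeadTeller": {"Teller"},
    "Auditor": {"BankUser"},
    "BankUser": set(),
    "Contractor": set(),  # newly created role, not part of any hierarchy
}

def ancestors(role, parents=PARENTS):
    """Return role plus every role reachable by following parent links."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, ()))
    return seen

def in_range(role, begin, end, parents=PARENTS):
    """True if role lies on a path from begin (child) up to end (parent)."""
    return role in ancestors(begin, parents) and end in ancestors(role, parents)

def can_assign(admin_role, role, parents=PARENTS):
    """Range check, plus the explicit role list proposed in the reply."""
    if role in admin_role.get("extra_roles", ()):
        return True
    return in_range(role, admin_role["begin"], admin_role["end"], parents)

def uncovered(admin_roles, parents=PARENTS):
    """Roles that no admin role can assign: the gap raised in the question."""
    return sorted(r for r in parents
                  if not any(can_assign(a, r, parents) for a in admin_roles))

# Hypothetical admin roles: one range only, one range plus an explicit list.
TELLER_ADMIN = {"begin": "HeadTeller", "end": "BankUser"}
TELLER_ADMIN_EXT = {**TELLER_ADMIN, "extra_roles": {"Contractor"}}

if __name__ == "__main__":
    print(uncovered([TELLER_ADMIN]))
    print(uncovered([TELLER_ADMIN_EXT]))
```

Running uncovered() over all admin roles after each role creation is a quick way to spot RBAC roles that no administrator is delegated to assign.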