Posted to commits@directory.apache.org by sm...@apache.org on 2018/08/30 02:25:18 UTC
directory-fortress-core git commit: refine
Repository: directory-fortress-core
Updated Branches:
refs/heads/master 307f2bf48 -> 0b251f06e
refine
Project: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/commit/0b251f06
Tree: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/tree/0b251f06
Diff: http://git-wip-us.apache.org/repos/asf/directory-fortress-core/diff/0b251f06
Branch: refs/heads/master
Commit: 0b251f06e3e81deaab51e153c07a60ca737ad566
Parents: 307f2bf
Author: Shawn McKinney <sm...@apache.org>
Authored: Wed Aug 29 00:55:38 2018 -0500
Committer: Shawn McKinney <sm...@apache.org>
Committed: Wed Aug 29 00:55:38 2018 -0500
----------------------------------------------------------------------
ldap/setup/RbacAbacSample.xml | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-fortress-core/blob/0b251f06/ldap/setup/RbacAbacSample.xml
----------------------------------------------------------------------
diff --git a/ldap/setup/RbacAbacSample.xml b/ldap/setup/RbacAbacSample.xml
index c578116..a50a767 100644
--- a/ldap/setup/RbacAbacSample.xml
+++ b/ldap/setup/RbacAbacSample.xml
@@ -28,17 +28,7 @@
<target name="all">
<FortressAdmin>
- <!-- This config setting constrains role activation by locale on Teller and Washer -->
-<!--
- <updconfig>
- <config props="config.realm:DEFAULT"/>
- <config props="Tellers:locale"/>
- <config props="Washers:locale"/>
- </updconfig>
--->
-
<adduser>
- <!-- The userProps attribute is used to map user role activation to locale (branch) attribute. -->
<user userId="curly"
password="password"
description="Head Teller of the East, Coin Washer in North and South"
@@ -60,7 +50,7 @@
</adduser>
<adduserrole>
- <!-- Although each user is assigned both Teller and Washer, activation is limited by locale. -->
+ <!-- Although each user is assigned both Teller and Washer, activation is limited by locale, and a DSD constraint. -->
<userrole userId="curly" name="Bank_Users"/>
<userrole userId="curly" name="Tellers"/>
<userrole userId="curly" name="Washers"/>
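Review bot: The reworded comment says activation is limited by "a DSD constraint" without saying which one; the set is declared as BankSafe in the addsdset block further down, so naming it here saves the reader a search: `<!-- Although each user is assigned both Tellers and Washers, activation is limited by locale and by the BankSafe DSD set (see addsdset below). -->`. The adduserrole block's closing tag lies outside this hunk.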
@@ -79,22 +69,30 @@
</addrole>
<addroleconstraint>
+ <!-- Rle constraints w/out userid bind a particular role to a particular constraint name. -->
<roleconstraint role="tellers" key="locale" typeName="USER"/>
<roleconstraint role="washers" key="locale" typeName="USER"/>
+ <!-- The role constraints w/ uid map the a user and role with a constraint. -->
+ <!-- These role constraints define a users allowed locales for a given role. -->
+
+ <!-- Curly is the head teller of the east, coin washer in north and south. -->
<roleconstraint userId="curly" role="tellers" key="locale" value="east" typeName="USER"/>
<roleconstraint userId="curly" role="washers" key="locale" value="north" typeName="USER"/>
<roleconstraint userId="curly" role="washers" key="locale" value="south" typeName="USER"/>
+ <!-- Moe is the head teller of the north, coin washer in east and south. -->
<roleconstraint userId="moe" role="tellers" key="locale" value="north" typeName="USER"/>
<roleconstraint userId="moe" role="washers" key="locale" value="east" typeName="USER"/>
<roleconstraint userId="moe" role="washers" key="locale" value="south" typeName="USER"/>
+ <!-- Larry is the head teller of the south, coin washer in north and east. -->
<roleconstraint userId="larry" role="tellers" key="locale" value="south" typeName="USER"/>
<roleconstraint userId="larry" role="washers" key="locale" value="north" typeName="USER"/>
<roleconstraint userId="larry" role="washers" key="locale" value="east" typeName="USER"/>
</addroleconstraint>
+<!--
<delroleconstraint>
<roleconstraint role="tellers" key="locale" typeName="USER"/>
<roleconstraint role="washers" key="locale" typeName="USER"/>
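Review bot: The new comments in this hunk carry typos that everyone copying the sample will read: the line `<!-- Rle constraints w/out userid bind a particular role to a particular constraint name. -->` should read `<!-- Role constraints without a userId bind a role to a constraint key (here: locale). -->`, and the two lines after the washers constraint should read `<!-- Role constraints with a userId tie a user, a role and a constraint value together. -->` and `<!-- These define a user's allowed locales for a given role. -->`. Wrapping the `<delroleconstraint>` block in an XML comment (opened here, closed in the following hunk) rather than deleting it leaves dead configuration in the sample; if the load task runs its del* sections for teardown or before re-adding, as I believe it does, these role-constraint entries will no longer be removed, so a repeated load may hit already-exists errors or leave stale user-to-locale authorizations in the directory — worth confirming against the ant task's behaviour. The role names used here (`tellers`, `washers`) also differ in case from the `Tellers`/`Washers` used in addrole/adduserrole; harmless if role lookup is case-insensitive, but one spelling throughout would remove the question.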
@@ -111,9 +109,11 @@
<roleconstraint userId="larry" role="washers" key="locale" value="north" typeName="USER"/>
<roleconstraint userId="larry" role="washers" key="locale" value="east" typeName="USER"/>
</delroleconstraint>
+-->
<addsdset>
+ <!-- This Dynamic Separation of Duty policy prevents Tellers and Washers roles being activated together, no matter what goes on with role constraints. -->
<sdset name="BankSafe" setmembers="Tellers,Washers" cardinality="2" setType="DYNAMIC" description="User may only activate one of these roles"/>
</addsdset>