directory-dev mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject [Triplesec] [AuthZ] Role Assignment
Date Wed, 24 Oct 2007 17:36:33 GMT
Role Assignment
-------------------------

Once an application is deployed, identities must be granted permissions to
be authorized to perform operations and access resources.  Assigning
permissions one at a time to users is unmanageable and prone to error.
Role-based access control arose primarily from this requirement to associate
permissions within roles and assign roles to identities rather than
permissions directly.  This way, identities that have roles assigned to them
are granted the permissions associated with their assigned roles.

There are several benefits to RBAC which I won't go into in this section,
but consider the impact of a change in the application which alters a role
by adding a new permission.  Most administrators, I am sure, would prefer to
add a new permission to a role and have that trickle down to users, rather
than modifying each user in the system to have this new permission.

Role assignment during and after deployment is required for identities to
fulfill their designated functions within applications and systems.  Role
assignment can be done on a per-principal basis and should be allowed.
However, doing so for every assignment would not be very tractable,
especially within the scale of an enterprise.  Role assignment to groups
must be possible to make management feasible at medium to large scales.
Role assignment is a task required of application and system
administrators.  Role assignment begins as part of an application's
deployment, yet it continues indefinitely as an operational overhead while
identities are created, destroyed, regrouped and allowed to access the
application with various roles.

Alex
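
The model described in the message above, as an added Python example that is not part of the original post and is not Triplesec code: permissions attach to roles, roles are assigned to principals directly or through groups, and a single change to a role or a group membership changes what each identity may do. All role, group, principal and permission names are constructed.

```python
# Added illustration, not Triplesec code; every name below is constructed.
from dataclasses import dataclass, field


@dataclass
class RoleStore:
    """Minimal RBAC model; access is denied unless an assigned role grants it."""
    role_perms: dict = field(default_factory=dict)       # role -> permissions
    principal_roles: dict = field(default_factory=dict)  # principal -> roles
    group_roles: dict = field(default_factory=dict)      # group -> roles
    memberships: dict = field(default_factory=dict)      # principal -> groups

    def grant(self, role, permission):
        self.role_perms.setdefault(role, set()).add(permission)

    def assign_to_principal(self, principal, role):
        self.principal_roles.setdefault(principal, set()).add(role)

    def assign_to_group(self, group, role):
        self.group_roles.setdefault(group, set()).add(role)

    def join(self, principal, group):
        self.memberships.setdefault(principal, set()).add(group)

    def leave(self, principal, group):
        self.memberships.get(principal, set()).discard(group)

    def roles_of(self, principal):
        roles = set(self.principal_roles.get(principal, ()))
        for group in self.memberships.get(principal, ()):
            roles |= self.group_roles.get(group, set())
        return roles

    def is_authorized(self, principal, permission):
        roles = self.roles_of(principal)
        return any(permission in self.role_perms.get(r, ()) for r in roles)


def demo():
    store = RoleStore()
    store.grant("teller", "account:read")
    store.assign_to_group("branch-staff", "teller")   # group assignment
    store.assign_to_principal("carol", "teller")      # per-principal assignment
    for person in ("alice", "bob"):
        store.join(person, "branch-staff")
    before = store.is_authorized("alice", "account:deposit")
    store.grant("teller", "account:deposit")          # one change to the role
    after = {p: store.is_authorized(p, "account:deposit") for p in ("alice", "bob", "carol")}
    store.leave("bob", "branch-staff")                # regrouping removes the role
    return before, after, store.is_authorized("bob", "account:read")
```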
