Date: Sun, 1 Mar 2015 16:13:04 +0000 (UTC)
From: "Shawn McKinney (JIRA)"
To: dev@directory.apache.org
Reply-To: "Apache Directory Developers List"
Subject: [jira] [Created] (FC-75) Add Role grouping mechanism

Shawn McKinney created FC-75:
--------------------------------

             Summary: Add Role grouping mechanism
                 Key: FC-75
                 URL: https://issues.apache.org/jira/browse/FC-75
             Project: FORTRESS
          Issue Type: Improvement
    Affects Versions: 1.0.0-RC39
            Reporter: Shawn McKinney
             Fix For: 1.0.0

ANSI RBAC allows groups of roles. An RBAC group maps to a collection of roles:

RBAC group: one-to-many relationship with role.

This will help with administration to simplify the task of assigning multiple roles to a single user.

It is worth noting that role hierarchies are a similar concept in that they too are a collection of roles, with one key difference. If one wanted to assign a collection of roles to a user where two or more have dynamic separation of duty constraints, having those roles related via a hierarchy prevents selective activation into session.

With a group of roles assigned, it is possible for the user or system itself to choose which of the assigned roles to activate into a given session.

From the ANSI INCITS 369 2004:

"CreateSession(user, session)
This function creates a new session with a given user as owner, and a given set of active roles. The function is valid if and only if:
- the user is a member of the USERS data set, and
- the active role set is a subset of the roles authorized for that user. Note that if a role is active for a session, its descendants or ascendants are not necessarily active for that session. In a RBAC implementation, the session’s active roles might actually be the groups that represent those roles."

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
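
The difference the ticket draws between a role hierarchy and a role group, as an added example that is not Fortress code or part of the original message. It is a simplified model with two labelled assumptions: sessions activate only directly assigned roles, and an active senior role brings its inherited roles into the session. All role, group and user names are constructed.

```python
class DsdViolation(Exception):
    """Raised when a session would hold too many roles from one DSD set."""

class Rbac:
    def __init__(self):
        self.juniors = {}   # senior role -> roles it inherits (hierarchy)
        self.groups = {}    # group name -> member roles (the proposed grouping)
        self.assigned = {}  # user -> directly assigned roles (keys act as USERS)
        self.dsd = []       # (role set, n): fewer than n of the set per session

    def inherited(self, role):
        """The role plus everything below it in the hierarchy."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.juniors.get(r, ()))
        return seen

    def assign_group(self, user, group):
        # Model assumption: a group expands to individual role assignments.
        self.assigned.setdefault(user, set()).update(self.groups[group])

    def create_session(self, user, active):
        active = set(active)
        if user not in self.assigned:
            raise KeyError(f"unknown user {user!r}")
        if not active <= self.assigned[user]:
            raise PermissionError(f"not assigned: {sorted(active - self.assigned[user])}")
        # Model assumption: an active senior role brings its juniors with it.
        effective = set()
        for r in active:
            effective |= self.inherited(r)
        for roles, n in self.dsd:
            if len(effective & roles) >= n:
                raise DsdViolation(f"{sorted(effective & roles)} conflict in one session")
        return effective

def build_demo():
    """Constructed sample policy: Teller and Auditor may not share a session."""
    m = Rbac()
    m.dsd.append((frozenset({"Teller", "Auditor"}), 2))
    m.juniors["BranchStaff"] = {"Teller", "Auditor"}   # hierarchy variant
    m.groups["BranchDuties"] = {"Teller", "Auditor"}   # group variant
    m.assigned["alice"] = {"BranchStaff"}              # gets the roles via hierarchy
    m.assign_group("bob", "BranchDuties")              # gets the roles via group
    return m
```

In this model alice can never open a session, because her only assigned role pulls both conflicting roles in, while bob can activate either Teller or Auditor alone and is refused only when he requests both.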