directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shawn McKinney (JIRA)" <>
Subject [jira] [Created] (FC-111) Enhance ARBAC Coverage
Date Wed, 10 Jun 2015 22:31:00 GMT
Shawn McKinney created FC-111:

             Summary: Enhance ARBAC Coverage
                 Key: FC-111
             Project: FORTRESS
          Issue Type: New Feature
    Affects Versions: 1.0.0-RC41
            Reporter: Shawn McKinney
             Fix For: 1.0.0

Administrative Role-Based Access Control, or ARBAC gives the capability to control authorization
on the Fortress Core APIs themselves.  To enable fortress to perform these checks, a session
must be set on the manager function before usage.  For example:

this.adminMgr.setAdmin( SecUtils.getSession( this ) );

setting a fortress session onto a manager impl enforces arbac checking on subsequent apis

1. makes sure that the caller has the permission to call the method
2. (in some cases) enforces the caller is entitled to perform the function for a given organization.

This enhancement is to expand the coverage for #2.  Currently the ou checks performed on these

assign and deassignUser
grant and revokePermission

Needs to be added for:

add, update, delete and findUser
add, update, delete, and findPermissions
resetPassword, unlockAccount

The additional checks will require hooks to be inserted inside the manager flow before the
actual dao is invoked.  The exception to this rule is for the search of users and permissions
which will require additional search filters to be inserted into the query.

for user functions enforce the caller has admin role with matching userou.
for perm functions enforce the caller has admin role with matching permou.

This enhancement will require additional test routines as well to verify the additional constraints

This message was sent by Atlassian JIRA

View raw message