directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Shawn McKinney (JIRA)" <>
Subject [jira] [Updated] (FC-75) Add Role grouping mechanism
Date Tue, 25 Oct 2016 14:15:58 GMT


Shawn McKinney updated FC-75:
    Fix Version/s: 2.0.0-RC1

> Add Role grouping mechanism
> ---------------------------
>                 Key: FC-75
>                 URL:
>             Project: FORTRESS
>          Issue Type: Improvement
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>            Assignee: Shawn McKinney
>             Fix For: 2.0.0-RC1
> Ansi rbac allows groups of roles.  An rbac group map to a collection of roles:
> Rbac group one to many relationship with role.
> This will help with administration to simplify the task of assigning multiple roles to
a single user.  
> It is worth noting that role hierarchies are a similar concept in that they too are a
collection of roles - with one key difference.  If one wanted to assign a collection of roles
to a user where two or more have dynamic separation of duty constraints, having those roles
related via a hierarchy prevents selective activation into session.
> With a group of roles assigned, it is possible for the user or system itself to choose
which of the assigned roles to activate into a given session.  
> from the ansi incits 369 2004:
> "CreateSession(user, session)
> This function creates a new session with a given user as owner, and a given set of active
roles. The function is valid if and only if:
> - the user is a member of the USERS data set, and
> - the active role set is a subset of the roles authorized for that user. Note that if
a role is
> active for a session, its descendants or ascendants are not necessarily active for that
session. In a RBAC implementation, the session’s active roles might actually be the groups
that represent those roles."

This message was sent by Atlassian JIRA

View raw message