What this thread talks about is Discretionary Access Control [1] (DAC). Who can create, update, or remove APIs, Apps, etc. is governed by Mandatory Access Control (MAC), which is implemented on the product REST API using OAuth scopes. So a given person can have rights to update APIs, granted to him via MAC. However, there could be certain APIs this user is prevented from updating, through DAC.
[1] - https://sites.google.com/site/jimmyxu101/concepts/accesscontrol

Thanks,
NuwanD.

On Wed, Jan 4, 2017 at 11:32 AM, Roshan Wijesena <[email protected]> wrote:
> Hi Joe,
>
> On Wed, Jan 4, 2017 at 10:25 AM, Joseph Fonseka <[email protected]> wrote:
>
>> Also, how do you manage role and group permission conflicts? Let's say in a
>> group there is a user who does not have the creator role; will he be allowed to
>> update the API?
>
> IMO, roles and groups are two different things and we need to validate
> both when performing an operation. If someone has the "create" role permission,
> he can create a new API, and if he is in the "update" group he should be able to edit
> that API. I think the "publisher" role is not required anymore because it can
> be achieved by the "update" group permission.
>
> Regards
> Roshan.
>
> --
> Roshan Wijesena.
> Senior Software Engineer-WSO2 Inc.
> Mobile: +94719154640
> Email: [email protected]
> WSO2, Inc. : wso2.com <http://wso2.com/>
> lean.enterprise.middleware.
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>

--
Nuwan Dias
Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
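The two-layer check discussed in this thread (scope-based MAC on the REST API deciding whether a user may perform an operation at all, and per-API group permissions deciding which particular APIs that user may act on) is illustrated below. This is an added example written for this page; it is not WSO2 code and does not use WSO2's real scope names, user store or permission model. The scope names, group names, users and APIs are all constructed placeholders, and the rule that an API with no permission entry for an operation is unrestricted at the DAC layer is an assumption made here for the illustration.

```python
"""Added illustration (not WSO2 code): a MAC check on OAuth scopes combined
with a DAC check on per-API group permissions.  Both checks must pass, which
is the behaviour Roshan describes for Joe's "in the group but no creator role"
case: such a user is stopped at the MAC layer before the API's own
permissions are even consulted."""
from dataclasses import dataclass, field

# MAC layer: each operation on the REST API requires one OAuth scope.
# Scope names below are constructed placeholders, not real WSO2 scopes.
REQUIRED_SCOPE = {
    "create": "api:create",
    "update": "api:update",
    "delete": "api:delete",
    "view": "api:view",
}


@dataclass(frozen=True)
class User:
    name: str
    scopes: frozenset      # scopes carried by the user's access token (MAC input)
    groups: frozenset      # group memberships (DAC input)


@dataclass
class Api:
    name: str
    # DAC layer: operation -> groups allowed to perform it on this API.
    # Assumption for this example: a missing entry means "no DAC restriction".
    permissions: dict = field(default_factory=dict)


def check_mac(user: User, operation: str) -> bool:
    """True if the user's token carries the scope the operation requires."""
    if operation not in REQUIRED_SCOPE:
        raise ValueError(f"unknown operation: {operation!r}")
    return REQUIRED_SCOPE[operation] in user.scopes


def check_dac(user: User, api: Api, operation: str) -> bool:
    """True if this API's own permission list admits one of the user's groups."""
    allowed_groups = api.permissions.get(operation)
    if allowed_groups is None:        # no per-API restriction configured
        return True
    return bool(user.groups & allowed_groups)


def authorize(user: User, api: Api, operation: str) -> tuple:
    """Return (allowed, reason).  MAC is evaluated first; DAC only if MAC passed."""
    if not check_mac(user, operation):
        return (False, "mac")          # lacks the scope for this operation
    if not check_dac(user, api, operation):
        return (False, "dac")          # this particular API does not admit the user
    return (True, "ok")


# Constructed sample data.
ALICE = User("alice", frozenset({"api:create", "api:update"}), frozenset({"payments-team"}))
BOB = User("bob", frozenset({"api:view"}), frozenset({"payments-team"}))      # Joe's case
CAROL = User("carol", frozenset({"api:update"}), frozenset({"billing-team"}))

PAYMENTS_API = Api("PaymentsAPI", {"update": frozenset({"payments-team"})})
OPEN_API = Api("PublicInfoAPI")     # no DAC entries at all


def demo() -> dict:
    """Evaluate the four interesting combinations."""
    return {
        "alice_payments": authorize(ALICE, PAYMENTS_API, "update"),  # (True, "ok")
        "bob_payments": authorize(BOB, PAYMENTS_API, "update"),      # (False, "mac")
        "carol_payments": authorize(CAROL, PAYMENTS_API, "update"),  # (False, "dac")
        "carol_open": authorize(CAROL, OPEN_API, "update"),          # (True, "ok")
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16} -> {result}")
```

Bob is the user from Joe's question: he belongs to the "update" group of PaymentsAPI but has no update scope, so the MAC layer denies him regardless of the group. Carol has the scope but is in the wrong group, so the API's DAC entry denies her, while the unrestricted API lets her through. Evaluating MAC before DAC also means a scope failure is reported without disclosing which groups the API admits.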
