Hi Johann,

will a model comparable to the "NIST Model for Role-Based Access Control" [1]
be the foundation for C5? Are nested / hierarchical roles in place?

As Groups are not modelled in [1], I'm wondering if Groups will be modelled
flat or hierarchically in C5? With external user stores, this is out of
scope of C5, of course.


[1]
http://csrc.nist.gov/groups/SNS/rbac/documents/sandhu-ferraiolo-kuhn-00.pdf

Thanks,
Jochen

On 27 January 2017 at 07:49:21, Johann Nallathamby ([email protected]) wrote:

Hi Nuwan,

On Fri, Jan 27, 2017 at 10:40 AM, Nuwan Dias <[email protected]> wrote:

> Hi,
>
> In C5, since Groups and Roles are supposed to be treated as two different
> entities, we need to clearly understand how to use them and a bit of their
> implementation details. I'm listing some assumptions and questions below,
> please see if the assumptions are correct and please provide answers to the
> questions too.
>
> *Assumptions*
>
> 1. Groups are in the LDAP (User Store) and Roles are in the Context of
> Carbon (in a DB schema introduced by WSO2 Products).
>

Yes. The User Store can be in a database as well, so Groups can exist in the User
Store DB schema as well.


> 2. Roles are always created through a carbon admin service (MSF4J).
>

Yes. We have an OSGi service as well which exposes AuthorizationStore API
as a service.


> 3. Roles can be attached to users *and* groups.
>

Yes.


> 4. Role to User and Role to Group mappings will be stored in a DB
> schema maintained by carbon.
>

Yes.


> 5. Users, Roles and Groups will all have unique identifiers (ids) so that
> products don't have to maintain direct references to their literal
> values.
>

Yes.

Another addition is Users and Groups can have attributes in C5.
@Jayanga: can you confirm if this is implemented already? If not we need to
track this user story.


>
> *Questions*
>
> 1. When saving information to represent "who can do what", do we save the
> role or group? Ex: GET /apis can be performed by [role or group or both]?
>

It's Roles.
The question "who" represents either a user or a group (a set of users). The
mapping between resource, action (resource + action = permission) and user
or group is done through roles.



> 2. Do we have a concept of "default role(s)" or "internal role(s)" which
> are common to all products?
>

So far we have not come across any requirement for "default" roles. But
that would depend on the products I guess. E.g. in APIM we would need
publisher and subscriber roles.

There will be no concept of "internal" roles because technically roles are
anyway internal to IS. Only groups can be external in a user store. Earlier
we had the concept of "internal" roles because we treated both groups and
roles as roles. So groups were called "external roles" and roles were
called "internal roles".


> 3. Are roles common across all user stores? If my assumption (1) is
> correct, the answer should be yes I guess.
>

Yes.


>
>
> Thanks,
> NuwanD.
>
> --
> Nuwan Dias
>
> Software Architect - WSO2, Inc. http://wso2.com
> email : [email protected]
> Phone : +94 777 775 729
>



--
Thanks & Regards,

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com*
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
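To make the model Johann describes concrete (Groups live in the user store, Roles and the Role-to-User / Role-to-Group mappings live in a Carbon-maintained schema, a permission is resource + action, and "who can do what" is resolved through roles only), here is an added Python sketch. It is not WSO2 C5 code: the two store classes, the ids and the /apis permissions are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """resource + action = permission, e.g. GET /apis."""
    resource: str
    action: str


@dataclass
class UserStore:
    """Constructed stand-in for the LDAP/DB user store: it knows users and
    their Groups, and nothing about Roles."""
    groups_of_user: dict = field(default_factory=dict)   # user id -> {group ids}

    def groups(self, user_id):
        return self.groups_of_user.get(user_id, set())


@dataclass
class AuthorizationStore:
    """Constructed stand-in for the Carbon-maintained DB schema: Roles, their
    permissions, and the Role->User and Role->Group mappings. Entities are
    referenced by opaque ids, not by their literal values (assumption 5)."""
    role_permissions: dict = field(default_factory=dict)  # role id -> {Permission}
    user_roles: dict = field(default_factory=dict)        # user id -> {role ids}
    group_roles: dict = field(default_factory=dict)       # group id -> {role ids}

    def effective_roles(self, user_id, user_store):
        """Roles mapped directly to the user plus roles mapped to any of the
        user's groups (group membership comes from the user store)."""
        roles = set(self.user_roles.get(user_id, set()))
        for group_id in user_store.groups(user_id):
            roles |= self.group_roles.get(group_id, set())
        return roles

    def is_authorized(self, user_id, resource, action, user_store):
        """'Who can do what' is answered through roles only: authorized iff
        some effective role carries the requested (resource, action)."""
        wanted = Permission(resource, action)
        return any(wanted in self.role_permissions.get(role_id, set())
                   for role_id in self.effective_roles(user_id, user_store))


# Constructed sample data; the ids are placeholders, not real C5 values.
USER_STORE = UserStore({"u-alice": {"g-developers"}, "u-bob": set()})
AUTHZ = AuthorizationStore(
    role_permissions={"r-api-viewer": {Permission("/apis", "GET")},
                      "r-api-publisher": {Permission("/apis", "POST")}},
    user_roles={"u-bob": {"r-api-publisher"}},
    group_roles={"g-developers": {"r-api-viewer"}},
)
```

Alice gets GET /apis only through her group's role mapping, while Bob gets POST /apis through a direct role mapping; neither store holds a group-to-permission link.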