Hi All,
We can share a device group among the users with a specific set of
permissions (through a Role). However, in the current implementation, even if
the group is shared, the users in the group will still not be able to
operate the device unless they have the admin permission. This restricts
scenarios that we can cover through the grouping capability.
In the device access authorization implementation we have 3 levels of
authorization checks [1].
1. IsAdmin
2. IsOwner
3. IsAuthorizedThroughGroup
Here, the shared user falls into the 3rd level.
In the grouping implementation, we have followed a fine-grained permission
model. This is to solve scenarios such as "An administrator shares the POS
terminal to a set of employees in a supermarket, allowing them to operate
only a few capabilities in the device".
In order for this to work, we need a permission-to-feature mapping, and
we also have to assign those permissions to the group. In the current
implementation, we have not assigned any permission to the feature. But we
have allowed assigning permissions to the group through the role.
Therefore, in order to solve the disconnection between the authorization service
and the device sharing model, I wanted to suggest including the permission
as part of the feature definition. This way we can evaluate the permission
of the feature with the role that is assigned to the group.
feature: { code, name, description, *permission* }
Please share your thoughts about this.
[1] https://github.com/wso2/carbon-device-mgt/blob/master/components/device-mgt/org.wso2.carbon.device.mgt.common/src/main/java/org/wso2/carbon/device/mgt/common/authorization/DeviceAccessAuthorizationService.java
Thanks
*Ayyoob Hamza*
*Senior Software Engineer*
WSO2 Inc.; http://wso2.com
email: [email protected] cell: +94 77 1681010
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
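
The proposal in the message above, sketched as an added example that is not carbon-device-mgt code and not part of the original mail: the three checks run in the listed order, and the third compares the permission carried by the feature with the permissions of the role under which the group was shared. All type names, the permission strings and the sample data are hypothetical, and denying a feature that has no permission mapped is an assumption of this sketch.

```java
import java.util.List;
import java.util.Set;

// Hypothetical sketch: none of these types are carbon-device-mgt classes.
public class FeatureAuthzSketch {
    // Feature carrying its own permission, as proposed: { code, name, description, permission }
    record Feature(String code, String name, String description, String permission) {}
    record Device(String id, String owner, Set<String> groupIds) {}
    // A group shared with a user under a role; the role is reduced to its permission set.
    record GroupShare(String groupId, String user, Set<String> rolePermissions) {}

    private final Set<String> admins;
    private final List<GroupShare> shares;

    FeatureAuthzSketch(Set<String> admins, List<GroupShare> shares) {
        this.admins = admins;
        this.shares = shares;
    }

    // The three checks in the order the mail lists them; anything else is denied.
    boolean canOperate(String user, Device device, Feature feature) {
        if (admins.contains(user)) return true;               // 1. IsAdmin
        if (user.equals(device.owner())) return true;         // 2. IsOwner
        String required = feature.permission();
        // Assumption: a feature with no mapped permission is denied to shared users.
        if (required == null || required.isBlank()) return false;
        for (GroupShare s : shares) {                         // 3. IsAuthorizedThroughGroup
            if (s.user().equals(user)
                    && device.groupIds().contains(s.groupId())
                    && s.rolePermissions().contains(required)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data: a POS terminal shared with a cashier for sales only.
        Feature sale = new Feature("SALE", "Sale", "Process a sale", "pos:sale");
        Feature wipe = new Feature("WIPE", "Wipe", "Factory reset", "pos:wipe");
        Feature legacy = new Feature("LEGACY", "Legacy", "No permission mapped", null);
        Device pos = new Device("pos-01", "manager", Set.of("store-12"));
        FeatureAuthzSketch authz = new FeatureAuthzSketch(Set.of("admin"),
                List.of(new GroupShare("store-12", "cashier", Set.of("pos:sale"))));
        System.out.println("cashier/sale:   " + authz.canOperate("cashier", pos, sale));
        System.out.println("cashier/wipe:   " + authz.canOperate("cashier", pos, wipe));
        System.out.println("cashier/legacy: " + authz.canOperate("cashier", pos, legacy));
        System.out.println("manager/wipe:   " + authz.canOperate("manager", pos, wipe));
        System.out.println("outsider/sale:  " + authz.canOperate("outsider", pos, sale));
    }
}
```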