[ https://issues.apache.org/jira/browse/FC-74?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14342213#comment-14342213 ]

Shawn McKinney commented on FC-74:
----------------------------------

INCITS 359 says this about when to apply DSD checks:

"The semantics of creating an instance of DSD relation are identical to that of 
an SSD relation. While constraints associated with an SSD relation are enforced 
during user assignments (as well as while creating role hierarchies), the 
constraints associated with DSD are enforced only at the time of role 
activation within a user session."

which clearly states that DSD checks are applied only when a role is activated 
in a session.  This brings up a problem where a role hierarchy is created that 
contains roles that have mutually exclusive DSD constraints.  What is the 
reasonable way to handle this... should we display a warning when such a 
conflict is detected?

In any case, the system should be doing this:

"However, the additional functionality required of these functions in the DSD 
RBAC model context is that they should enforce the DSD constraints. For 
example, during the invocation of the CreateSession function, the default 
active role set that is made available to the user should not violate any of 
the DSD constraints. Similarly, the AddActiveRole function shall check and 
prevent the addition of any active role to the session’s active role set that 
violates any of the DSD constraints."



> DSD checking on hierarchical relationships incorrect
> ----------------------------------------------------
>
>                 Key: FC-74
>                 URL: https://issues.apache.org/jira/browse/FC-74
>             Project: FORTRESS
>          Issue Type: Bug
>    Affects Versions: 1.0.0-RC39
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0-RC40
>
>
> Manual testing of Fortress detected that DSD constraints between roles can 
> be bypassed via inheritance.  
> For example, this constraint:
>   <sdset name="Demo2DSD" 
>   description="ROLE_TEST DATA roles are mutually exclusive" cardinality="2"
>   setType="DYNAMIC"
>   setmembers="PAGE1_123,PAGE1_456,PAGE1_789,
>                          PAGE2_123,PAGE2_456,PAGE2_789,
>                          PAGE3_123,PAGE3_456,PAGE3_789"/>
> can be bypassed through these inheritance relationships:
>                 <relationship child="PERSON1" parent="ROLE_PAGE1"/>
>                 <relationship child="PERSON1" parent="PAGE1_123"/>
>                 <relationship child="PERSON1" parent="PAGE1_456"/>
>                 <relationship child="PERSON1" parent="PAGE1_789"/>
> and then assigning to user:
> <userrole userId="anyuser" name="PERSON1"/>
> When user 'anyuser' logs on and activates the PERSON1 role, this bypasses the 
> DSD constraint checks on the roles PERSON1 inherits.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
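
A small model of the check discussed in FC-74, added here as an illustration and not taken from the Fortress code base: it compares a DSD check on directly named roles with one that first expands each role through the hierarchy, and lists roles that could trigger the warning the comment asks about. The set and role names come from the issue description; all function names are hypothetical, and it assumes a set with cardinality n is violated when n or more of its members are active.

```python
# Added illustration, not Apache Fortress code. Role and set names are copied
# from the FC-74 description; every function name here is hypothetical.
DSD_SETS = {
    "Demo2DSD": {
        "cardinality": 2,
        "members": {
            "PAGE1_123", "PAGE1_456", "PAGE1_789",
            "PAGE2_123", "PAGE2_456", "PAGE2_789",
            "PAGE3_123", "PAGE3_456", "PAGE3_789",
        },
    },
}
# child role -> parent roles it inherits (the <relationship> entries in FC-74)
PARENTS = {"PERSON1": {"ROLE_PAGE1", "PAGE1_123", "PAGE1_456", "PAGE1_789"}}


def authorized_roles(role):
    """Return the role plus everything it inherits, transitively (cycle-safe)."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(PARENTS.get(current, ()))
    return seen


def dsd_violations(active, candidate, hierarchical=True):
    """Names of DSD sets violated if candidate joined the active role set."""
    roles = set(active) | {candidate}
    if hierarchical:  # expand through inheritance before counting members
        roles = set().union(*(authorized_roles(r) for r in roles))
    return sorted(
        name for name, dsd in DSD_SETS.items()
        # Assumption: cardinality n is violated by n or more active members.
        if len(roles & dsd["members"]) >= dsd["cardinality"]
    )


def add_active_role(active, candidate):
    """AddActiveRole-style gate: refuse activation that breaks a DSD set."""
    violated = dsd_violations(active, candidate)
    if violated:
        raise PermissionError(f"{candidate} violates DSD set(s): {violated}")
    return set(active) | {candidate}


def unactivatable_roles():
    """Roles whose own inherited closure already conflicts (warning candidates)."""
    return sorted(r for r in PARENTS if dsd_violations(set(), r))
```

With `hierarchical=False` the check reproduces the behaviour reported in the issue: PERSON1 is not itself a member of Demo2DSD, so nothing is flagged.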
