Shawn McKinney created FC-75:
--------------------------------
Summary: Add Role grouping mechanism
Key: FC-75
URL: https://issues.apache.org/jira/browse/FC-75
Project: FORTRESS
Issue Type: Improvement
Affects Versions: 1.0.0-RC39
Reporter: Shawn McKinney
Fix For: 1.0.0
ANSI RBAC allows groups of roles. An RBAC group maps to a collection of roles:
RBAC group one-to-many relationship with role.
This will help with administration to simplify the task of assigning multiple
roles to a single user.
It is worth noting that role hierarchies are a similar concept in that they too
are a collection of roles - with one key difference. If one wanted to assign a
collection of roles to a user where two or more have dynamic separation of duty
constraints, having those roles related via a hierarchy prevents selective
activation into session.
With a group of roles assigned, it is possible for the user or system itself to
choose which of the assigned roles to activate into a given session.
From the ANSI INCITS 369 2004:
"CreateSession(user, session)
This function creates a new session with a given user as owner, and a given set
of active roles. The function is valid if and only if:
- the user is a member of the USERS data set, and
- the active role set is a subset of the roles authorized for that user. Note
that if a role is active for a session, its descendants or ascendants are not
necessarily active for that session. In a RBAC implementation, the session’s
active roles might actually be the groups that represent those roles."
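The difference the issue describes between a role group and a role hierarchy under dynamic separation of duty, as an added example that is not part of the original issue and is not Apache Fortress code. All names and sample data are hypothetical, and it assumes that activating a senior role in a hierarchy brings its junior roles into the session for the DSD check.

```python
# Added illustration: a constructed model, not Apache Fortress code.
# Every name and sample value below is hypothetical.

USERS = {"alice"}
# Group assignment: one RBAC group maps to many flat roles.
GROUPS = {"BranchOps": {"Teller", "Auditor", "Clerk"}}
USER_GROUPS = {"alice": {"BranchOps"}}
# Hierarchy alternative: a senior role inherits its junior roles.
JUNIORS = {"BranchLead": {"Teller", "Auditor", "Clerk"}}
USER_ROLES = {"alice": {"BranchLead"}}
# DSD constraint: a session may hold fewer than n roles from the set.
DSD = [({"Teller", "Auditor"}, 2)]


def dsd_violations(active):
    """Return the DSD role sets that the active role set would break."""
    return [roles for roles, n in DSD if len(roles & active) >= n]


def _check(user, requested, authorized, effective):
    """CreateSession validity: known user, subset of authorized roles, no DSD breach."""
    if user not in USERS:
        raise PermissionError("unknown user")
    if not requested <= authorized:
        raise PermissionError("role not authorized: %s" % sorted(requested - authorized))
    if dsd_violations(effective):
        raise PermissionError("DSD violation")
    return effective


def create_session_group(user, requested):
    """Group model: authorized roles are the union of the user's groups' roles."""
    authorized = set().union(*(GROUPS[g] for g in USER_GROUPS.get(user, ())))
    return _check(user, set(requested), authorized, set(requested))


def create_session_hierarchy(user, requested):
    """Hierarchy model: activating a role also brings in its juniors (assumption)."""
    requested = set(requested)
    authorized = USER_ROLES.get(user, set())
    effective = set(requested)
    for role in requested:
        effective |= JUNIORS.get(role, set())
    return _check(user, requested, authorized, effective)
```

With the group assignment the caller can activate `Teller` and `Clerk` while leaving `Auditor` inactive; with the hierarchy, activating `BranchLead` pulls in both constrained roles and the session is refused.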