[ 
https://issues.apache.org/jira/browse/FC-111?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14582014#comment-14582014
 ] 

Shawn McKinney commented on FC-111:
-----------------------------------

FYI, more info on ARBAC:
https://iamfortress.wordpress.com/2015/06/11/what-is-delegated-administration/

> Enhance ARBAC Coverage
> ----------------------
>
>                 Key: FC-111
>                 URL: https://issues.apache.org/jira/browse/FC-111
>             Project: FORTRESS
>          Issue Type: New Feature
>    Affects Versions: 1.0.0-RC41
>            Reporter: Shawn McKinney
>             Fix For: 1.0.0
>
>   Original Estimate: 40h
>  Remaining Estimate: 40h
>
> Administrative Role-Based Access Control, or ARBAC, gives the capability to 
> control authorization on the Fortress Core APIs themselves.  To enable 
> Fortress to perform these checks, a session must be set on the manager 
> function before usage.  For example:
> this.adminMgr.setAdmin( SecUtils.getSession( this ) );
> Setting a Fortress session onto a manager impl enforces ARBAC checking on 
> subsequent API calls:
> 1. makes sure that the caller has the permission to call the method
> 2. (in some cases) enforces that the caller is entitled to perform the function 
> for a given organization.
> This enhancement is to expand the coverage for #2.  Currently the OU checks 
> are performed on these calls:
> assign and deassignUser
> grant and revokePermission
> They need to be added for:
> add, update, delete and findUser
> add, update, delete, and findPermissions
> resetPassword, unlockAccount
> The additional checks will require hooks to be inserted inside the manager 
> flow before the actual DAO is invoked.  The exception to this rule is the 
> search of users and permissions, which will require additional search filters 
> to be inserted into the query.
> For user functions, enforce that the caller has an admin role with matching userou.
> For perm functions, enforce that the caller has an admin role with matching permou.
> This enhancement will require additional test routines as well to verify the 
> additional constraint checks.
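The flow the issue describes, as an added Python model that is not Fortress code: a hook runs before the DAO and performs check #1 (may the caller invoke this operation?) and check #2 (does the caller hold an admin role covering the target user's OU?), while the search path instead narrows results to the caller's permitted OUs. The class names, the data model and the rule that a single admin role must carry both the operation and the OU are assumptions of this example.

```python
from collections import namedtuple

class AuthorizationException(Exception):
    pass  # raised by the ARBAC hook before any DAO call is made

# Constructed data model (assumption, not Fortress's): an admin role lists the manager
# operations it may invoke (check #1) and the user OUs it may administer (check #2).
AdminRole = namedtuple("AdminRole", "name perms user_ous")
AdminSession = namedtuple("AdminSession", "user_id admin_roles")
User = namedtuple("User", "user_id ou")

class UserDao:
    """In-memory stand-in for the directory DAO layer."""
    def __init__(self):
        self.users = {}
    def create(self, user):
        self.users[user.user_id] = user
    def find(self, ou_filter):
        # ou_filter is the extra OU restriction the issue wants added to searches
        return [u for u in self.users.values() if u.ou in ou_filter]

class UserMgr:
    def __init__(self, dao):
        self.dao, self.admin = dao, None
    def set_admin(self, session):
        self.admin = session  # enables ARBAC checking on subsequent calls
    def _check(self, op, user_ou):
        """ARBAC hook run before the DAO: check #1 is the operation, check #2
        the OU. This model requires one admin role that carries both."""
        if self.admin is None:
            raise AuthorizationException("no admin session set")
        roles = [r for r in self.admin.admin_roles if op in r.perms]
        if not roles:
            raise AuthorizationException(f"{self.admin.user_id} may not call {op}")
        if user_ou is not None and not any(user_ou in r.user_ous for r in roles):
            raise AuthorizationException(f"{self.admin.user_id} not entitled to {user_ou}")
        return roles
    def add_user(self, user):
        self._check("UserMgr.addUser", user.ou)  # hook precedes the DAO write
        self.dao.create(user)
    def find_users(self):
        # Searches cannot be rejected up front; the caller's OUs become a filter.
        roles = self._check("UserMgr.findUsers", None)
        allowed = frozenset().union(*(r.user_ous for r in roles))
        return self.dao.find(allowed)
```

The same pattern applies to the permission functions with permou in place of the user OU.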



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
