[
https://issues.apache.org/jira/browse/FC-75?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shawn McKinney reassigned FC-75:
--------------------------------
Assignee: Shawn McKinney
> Add Role grouping mechanism
> ---------------------------
>
> Key: FC-75
> URL: https://issues.apache.org/jira/browse/FC-75
> Project: FORTRESS
> Issue Type: Improvement
> Affects Versions: 1.0.0-RC39
> Reporter: Shawn McKinney
> Assignee: Shawn McKinney
> Fix For: 1.0.1
>
>
> ANSI RBAC allows groups of roles. An RBAC group maps to a collection of roles:
> RBAC group one-to-many relationship with role.
> This will help with administration to simplify the task of assigning multiple
> roles to a single user.
> It is worth noting that role hierarchies are a similar concept in that they
> too are a collection of roles - with one key difference. If one wanted to
> assign a collection of roles to a user where two or more have dynamic
> separation of duty constraints, having those roles related via a hierarchy
> prevents selective activation into session.
> With a group of roles assigned, it is possible for the user or system itself
> to choose which of the assigned roles to activate into a given session.
> From the ANSI INCITS 369 2004:
> "CreateSession(user, session)
> This function creates a new session with a given user as owner, and a given
> set of active roles. The function is valid if and only if:
> - the user is a member of the USERS data set, and
> - the active role set is a subset of the roles authorized for that user. Note
> that if a role is active for a session, its descendants or ascendants are not
> necessarily active for that session. In a RBAC implementation, the session’s
> active roles might actually be the groups that represent those roles."
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
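The difference the issue describes between a role group and a role hierarchy under a dynamic separation of duty (DSD) constraint, as an added example that is not Apache Fortress code. All names (`GROUPS`, `JUNIORS`, `DSD`, `create_session`, the users and roles) are hypothetical, and the model assumes a user activates only directly assigned or group-provided roles, with inheritance applied on activation.

```python
# Added example: a minimal model of ANSI RBAC sessions, not the Fortress API.
# Every name and sample value below is constructed for illustration.

GROUPS = {"tellers-and-auditors": {"teller", "auditor"}}  # group -> member roles
JUNIORS = {"branch-staff": {"teller", "auditor"}}         # senior role -> inherited roles
DSD = [({"teller", "auditor"}, 2)]  # (role set, n): fewer than n may be active together

USER_GROUPS = {"alice": {"tellers-and-auditors"}}  # alice holds the roles via a group
USER_ROLES = {"bob": {"branch-staff"}}             # bob holds them via a hierarchy


def authorized_roles(user):
    """Roles the user may name at activation: direct assignments plus group members."""
    roles = set(USER_ROLES.get(user, set()))
    for group in USER_GROUPS.get(user, set()):
        roles |= GROUPS[group]
    return roles


def effective_roles(active):
    """Active roles plus everything they inherit through the hierarchy."""
    seen, stack = set(), list(active)
    while stack:
        role = stack.pop()
        if role not in seen:
            seen.add(role)
            stack.extend(JUNIORS.get(role, ()))
    return seen


def create_session(user, active):
    """Check the active set is authorized for the user and satisfies every DSD set."""
    active = set(active)
    if not active <= authorized_roles(user):
        raise PermissionError("role not authorized for user")
    effective = effective_roles(active)
    for roles, n in DSD:
        conflict = effective & roles
        if len(conflict) >= n:
            raise PermissionError("DSD violation: %s" % sorted(conflict))
    return effective
```

With the group assignment, `alice` can open a session as `teller` or as `auditor` but not both; `bob` cannot activate `branch-staff` at all, because it pulls both conflicting roles into the session.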