Chris Pike created FC-196:
-----------------------------

             Summary: ARBAC Perm OU Placement
                 Key: FC-196
                 URL: https://issues.apache.org/jira/browse/FC-196
             Project: FORTRESS
          Issue Type: Improvement
            Reporter: Chris Pike
            Assignee: Chris Pike


User Story: As a fortress super administrator, I want to delegate assignment 
of different Permission Operations to different application owners (i.e. one 
group can give out account creation, another can give out account reset, and a 
third can give out both).

Current Steps:
 1. Create Permission Object (account.create) with Perm OU (POU1) and Operation 
(do)
 2. Create Permission Object (account.reset) with Perm OU (POU2) and Operation 
(do)
 3. Create an ARBAC Role (AR1) that has jurisdiction over Perm OU (POU1)
 4. Create an ARBAC Role (AR2) that has jurisdiction over Perm OU (POU2)
 5. Create an ARBAC Role (AR3) that has jurisdiction over Perm OUs (POU1 and 
POU2)
 6. U1 adds Permission (account.create.do) into R1
 7. U2 adds Permission (account.reset.do) into R2
 8. U3 adds Permissions (account.create.do and account.reset.do) into R3
 9. Create new Permission Object (account.delete) with Perm OU (POU3) and 
Operation (do)
 10. Update AR2 to add POU3
 11. Update AR3 to add POU3

 End State:
   account.create.do -> POU1
   account.reset.do -> POU2
   account.delete.do -> POU3
   AR1 -> POU1
   AR2 -> POU2, POU3
   AR3 -> POU1, POU2, POU3

 Issues / Notes:
   - A one to one mapping between Permissions and PermOUs
   - Adding a new permission may require updating many ARBAC roles


Steps after Perm OU Move to Operation
 1. Create Permission Object (account) with Operations (create with POU1 / 
reset with POU2)
 Steps are the same after this point

 End State:
   account.create -> POU1
   account.reset -> POU2
   account.delete -> POU3
   AR1 -> POU1
   AR2 -> POU2, POU3
   AR3 -> POU1, POU2, POU3

 Issues / Notes:
   - Same issues as previous use case

Steps after Perm OU Move to Operation and Multi Instance
 1. Create Permission Object (account) with Operations (create with POU1 / 
reset with POU1)
 2. Create Perm OU (POU2) and add to account.create
 3. Create an ARBAC Role (AR1) that has jurisdiction over Perm OU (POU2)
 4. Create Perm OU (POU3) and add to account.reset
 5. Create an ARBAC Role (AR2) that has jurisdiction over Perm OU (POU3)
 6. Create an ARBAC Role (AR3) that has jurisdiction over Perm OU (POU1)
 7. U1 in AR1 adds Permission (account.create) into R1
 8. U2 in AR2 adds Permission (account.reset) into R2
 9. U3 in AR3 adds Permissions (account.create and account.reset) into R3
 10. Create new Permission Operation (account.delete with POU1 and POU3)

 End State:
   account.create -> POU1, POU2
   account.reset -> POU1, POU3
   account.delete -> POU1, POU3
   AR1 -> POU2
   AR2 -> POU3
   AR3 -> POU1
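
The end states above can be compared mechanically. The following is an added example, not part of the ticket and not Fortress code: a small Python model that assumes an ARBAC role may grant a permission when its Perm OU jurisdiction shares at least one OU with the permission. The function names are hypothetical.

```python
# Added illustration: a plain-Python model, not Apache Fortress code or its API.
# Assumption: an ARBAC role may grant a permission when its Perm OU jurisdiction
# shares at least one OU with the OUs attached to that permission.

def grantable(perm_ous, role_ous):
    """Map each ARBAC role to the sorted list of permissions it may hand out."""
    return {
        role: sorted(p for p, ous in perm_ous.items() if ous & jurisdiction)
        for role, jurisdiction in role_ous.items()
    }

def roles_touched(before, after):
    """ARBAC roles whose jurisdiction differs between two states."""
    return sorted(r for r in after if before.get(r) != after[r])

# Current model, one Perm OU per permission (ticket steps 1-11).
# Names are written without the ".do" suffix so both states compare directly.
SINGLE_PERMS = {
    "account.create": {"POU1"},
    "account.reset": {"POU2"},
    "account.delete": {"POU3"},
}
SINGLE_ROLES_BEFORE = {"AR1": {"POU1"}, "AR2": {"POU2"}, "AR3": {"POU1", "POU2"}}
SINGLE_ROLES_AFTER = {
    "AR1": {"POU1"},
    "AR2": {"POU2", "POU3"},
    "AR3": {"POU1", "POU2", "POU3"},
}

# Perm OU on the operation, several OUs per operation (last end state).
MULTI_PERMS = {
    "account.create": {"POU1", "POU2"},
    "account.reset": {"POU1", "POU3"},
    "account.delete": {"POU1", "POU3"},
}
MULTI_ROLES = {"AR1": {"POU2"}, "AR2": {"POU3"}, "AR3": {"POU1"}}

if __name__ == "__main__":
    single = grantable(SINGLE_PERMS, SINGLE_ROLES_AFTER)
    multi = grantable(MULTI_PERMS, MULTI_ROLES)
    for role in sorted(single):
        print(role, "single-OU:", single[role], "| multi-OU:", multi[role])
    print("same delegation outcome:", single == multi)
    print("roles edited to add account.delete (single-OU):",
          roles_touched(SINGLE_ROLES_BEFORE, SINGLE_ROLES_AFTER))
```

Under this model both designs delegate the same permissions, but in the multi-OU state no ARBAC role is edited when account.delete is added. The OU tags placed on a new operation then decide which administrators gain it, so that assignment is the step to review.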



