[
https://issues.apache.org/jira/browse/RANGER-606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14711615#comment-14711615
]
Alok Lal commented on RANGER-606:
---------------------------------
[~madhan.neethiraj] Would it help to tie deny policies to a regular/allow
policy, say, as a child? If we assume that the need for denial arises from a need
to tweak the authorizations allowed by a regular policy to account for some
exceptions, then *tying* deny policies to regular policies this way might help
to keep understanding of the model simple. Such policies would share the resource
specification at the main policy level and only contain policy items which
could be used to tweak the results of the main policy. This precludes use cases
for standalone deny policies and adds the complexity of a relation between policies.
> Add support for deny policies
> ------------------------------
>
> Key: RANGER-606
> URL: https://issues.apache.org/jira/browse/RANGER-606
> Project: Ranger
> Issue Type: Bug
> Components: admin, plugins
> Affects Versions: 0.5.0
> Reporter: Madhan Neethiraj
> Assignee: Madhan Neethiraj
> Fix For: 0.5.0
>
>
> Currently Ranger supports creation of policies that can allow access when
> specific conditions are met (for example, resources, user, groups,
> access-type, custom-conditions...). In addition to this, having the ability to
> create policies that deny access for specific conditions will help address
> many use cases, like:
> - deny access for specific users/groups/ip-addresses/time-of-day
> - deny access when specific conditions are met - like
> resources/users/groups/access-types/custom-conditions
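A minimal sketch of the model proposed in the comment above, added here as an illustration; it is not Ranger code and does not use Ranger's policy API. The class names, the `deny_items` field, the sample policies and the rule that a child exception cancels only its own parent policy's allow are all assumptions.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class PolicyItem:
    """Who (users/groups) and what (access types) an item applies to."""
    accesses: frozenset
    users: frozenset = frozenset()
    groups: frozenset = frozenset()

    def matches(self, user, user_groups, access):
        who = user in self.users or bool(self.groups & frozenset(user_groups))
        return who and access in self.accesses


@dataclass
class Policy:
    resource: str                                    # glob shared by both item lists
    allow_items: list = field(default_factory=list)
    deny_items: list = field(default_factory=list)   # child exceptions (hypothetical field)

    def allows(self, resource, user, user_groups, access):
        if not fnmatchcase(resource, self.resource):
            return False   # child deny items never apply outside the parent's resource
        if any(i.matches(user, user_groups, access) for i in self.deny_items):
            return False   # the exception cancels this policy's allow
        return any(i.matches(user, user_groups, access) for i in self.allow_items)


def is_access_allowed(policies, resource, user, user_groups, access):
    # Assumption: default deny; access is granted if any policy still allows it.
    return any(p.allows(resource, user, user_groups, access) for p in policies)


# Constructed sample policies (names and paths are made up for illustration).
FINANCE = Policy(
    resource="/finance/*",
    allow_items=[PolicyItem(frozenset({"read", "write"}), groups=frozenset({"analysts"}))],
    deny_items=[PolicyItem(frozenset({"write"}), users=frozenset({"bob"}))],
)
REPORTS = Policy(
    resource="/finance/reports/*",
    allow_items=[PolicyItem(frozenset({"write"}), users=frozenset({"bob"}))],
)
```

With both sample policies loaded, `bob` can still write under `/finance/reports/` because the exception in `FINANCE` only tweaks that policy's own result. This is the limitation the comment notes: a tied exception cannot act as a standalone deny across policies.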