On 12/12/2014 06:34 AM, Nicolas Eirea wrote:
> We need that the bank teller assigned to a "Teller" role only act within
> role in the building of branch "A" of the bank, if the same bank teller
> goes to the building of branch "B" of the same bank he shouldn't act within
> the "Teller" role.
>
> How do you think is the best/correct way to do this in Fortress??
Fortress supports two types of constraints on role activations:
1. temporal constraints.
2. dynamic separation of duty constraints
Both types are evaulated during runtime - e.g. createSession, checkAccess, etc.
The first type of constraint is not part of the rbac standard, the second type
is part of the standard.
The type of constraint you describe is what I would call a location based
constraint. It is not part of the rbac standard. I expect the requirement to
be something like:
Only activate role X if subject is present in location y.
Like temporal constraints it requires environmental attributes to be present
and evaulated during runtime.
You could enforce the location constraint inside the application. The fortress
client would need to determine if a role is suitable to be activated using
whatever logic is suitable in that app. It can limit the activated roles by
using the following apis:
Here you can add only the roles suitable for user into the user object before
calling:
public Session createSession(User user, boolean isTrusted)
throws SecurityException;
or you may call:
public void addActiveRole(Session session, UserRole role)
throws SecurityException;
public void dropActiveRole(Session session, UserRole role)
throws SecurityException;
and add/remove roles as necessary to meet the requirement.
****************
Or, if you want to get your feet wet programming in fortress you can add a new
role activation validator. Follow the example for LockDate, Date, Time, etc
located in the util/time package. Your validator must implement the Validator
interface and you must register the validator with the fortress runtime by
adding it to the fortress.properties and making your binaries available to the
classpath:
temporal.validator.n=mylocationchecker:com.mycompany.security.LocationChecker
where n = n+1 the highest number of previous validator and class name is the
class you coded. You could store location info in the user properties for a
particular user.
Shawn
