I would like to separate different administrative tasks for different permissions but to show the same user for different administrative roles.
A user u has RoleA in order to get permissions in perm group PA. I create an admin role AdminA, which can assign RoleA to users in Org Unit OUA in order to get permissions from perm group A, so happened for user u when AdminA assigned RoleA to him.

There is a new application with its own permissions organized in perm group B and assigned to RoleB. I would like to create a similar admin role AdminB, which can assign RoleB to users in OUB in order to get permissions from perm group B. But now the user u in OUA needs the permissions from perm group B. AdminB cannot assign RoleB to him, because user u is in OUA and not in OUB. And I don't want AdminB watching all users in OUA, he only should see users from OUB.

Fortress should allow the assignment of several OUs for this use case or is something wrong in my structure?

Olaf Jentsch

-----Original Message-----
From: Shawn McKinney [mailto:[email protected]]
Sent: Wednesday, September 09, 2015 10:57 PM
To: [email protected]
Subject: Re: User membership in different OrgUnit's

> On Sep 9, 2015, at 3:30 PM, Olaf Jentsch <[email protected]> wrote:
>
> In the Fortress API I found only one method in the class
> org.apache.directory.fortress.core.rbac.User
> to set a one-to-one relationship between one user and one OrgUnit.
>
> How can I achieve a one-to-many relationship without using LDAP API directly
> to set the user entity?

Sorry if I was not clear before. You are right, fortress will not allow it. My question is, why is this a problem? i.e. what is the use case that we can’t satisfy today using this data model?
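The scenario from this thread as a small model, added here as an illustration and not taken from either message or from the Fortress code base. It assumes a delegated-administration check with two conditions (the role is in the admin role's scope, and the user's single OrgUnit is in the admin role's scope); every class, function and sample user name below is constructed.

```python
from dataclasses import dataclass

# Simplified model of the delegated-administration check discussed in this
# thread. All names are constructed for illustration; this is not Fortress code.

@dataclass(frozen=True)
class User:
    name: str
    ou: str  # exactly one OrgUnit per user, as described in the thread

@dataclass(frozen=True)
class AdminRole:
    name: str
    user_ous: frozenset    # OrgUnits whose users this admin role may manage
    assignable: frozenset  # roles this admin role may hand out

def can_assign(admin, user, role):
    """Both must hold: the role is in scope AND the user's OU is in scope."""
    return role in admin.assignable and user.ou in admin.user_ous

def visible_users(admin, users):
    """Users the admin role can see: those whose single OU is in its scope."""
    return sorted(u.name for u in users if u.ou in admin.user_ous)

# Constructed directory: u and two others in OUA, one user in OUB.
USERS = [User("u", "OUA"), User("a1", "OUA"), User("a2", "OUA"), User("b1", "OUB")]
U = USERS[0]

ADMIN_A = AdminRole("AdminA", frozenset({"OUA"}), frozenset({"RoleA"}))
ADMIN_B = AdminRole("AdminB", frozenset({"OUB"}), frozenset({"RoleB"}))
# Widening AdminB's scope to OUA: the option the question wants to avoid.
ADMIN_B_WIDE = AdminRole("AdminB", frozenset({"OUA", "OUB"}), frozenset({"RoleB"}))

if __name__ == "__main__":
    for admin, role in [(ADMIN_A, "RoleA"), (ADMIN_B, "RoleB"), (ADMIN_B_WIDE, "RoleB")]:
        print(admin.name, sorted(admin.user_ous), "assign", role, "to u:",
              can_assign(admin, U, role), "| sees:", visible_users(admin, USERS))
```

With one OrgUnit per user, the only way for AdminB to reach u in this model is to put OUA in AdminB's scope, which also exposes every other OUA user to AdminB.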
