> On Sep 24, 2015, at 2:40 PM, Chris Pike <[email protected]> wrote:
>
> RBAC roles are assigned to ARBAC roles through role ranges (a starting child
> node and an ending parent node). This range determines the set of roles that
> a user in the Admin Role can assign users. Given a complex RBAC role
> hierarchy or many roles not part of a hierarchy, this would require many
> ARBAC roles to be created. Is this correct?
>

Yes. I believe one could derive a set of roles targeted for a particular admin role from a common parent. Then assign the parent to the arbac role range.

> On Sep 24, 2015, at 2:40 PM, Chris Pike <[email protected]> wrote:
>
> Furthermore, when a new RBAC role is created, it will not belong to any ARBAC
> role (unless it happens to be inside of a role range). A new ARBAC role might
> need to be created for every new RBAC role. So, if we want to delegate role
> creation to a particular user(s), they would also need to have permissions to
> then create ARBAC roles and assign users to those roles?

Another possible solution is to add a multi-occurring attribute, i.e. ftRoles, to the admin role entity that contains references to one or more non-related rbac roles. This would be useful if not part of the ARBAC02 model. Don’t think that would be too difficult to do. There are other entities that maintain multi-occurring references to rbac roles - e.g. permissions.

Shawn
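
The role-range behavior discussed in this thread, as an added sketch that is not part of the original messages and not any project's code. The hierarchy, the role names, and the inclusive-endpoint range semantics are assumptions; `ft_roles` models the multi-occurring attribute proposed in the reply.

```python
from dataclasses import dataclass, field

# Constructed sample hierarchy (hypothetical names): role -> direct parents.
PARENTS = {
    "bank_user": set(),
    "teller": {"bank_user"},
    "head_teller": {"teller"},
    "loan_officer": {"bank_user"},   # sibling branch, not on the range path
    "auditor": set(),                # not part of any hierarchy
}

def ancestors(role, parents):
    """Return role plus every role reachable by following parent links."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, ()))
    return seen

def in_range(role, begin_child, end_parent, parents):
    """True when role lies on a path from begin_child up to end_parent.

    Assumption: both endpoints are inclusive.
    """
    return (role in ancestors(begin_child, parents)
            and end_parent in ancestors(role, parents))

@dataclass
class AdminRole:
    name: str
    begin_child: str
    end_parent: str
    # Models the proposed attribute: explicit references to unrelated roles.
    ft_roles: set = field(default_factory=set)

    def can_assign(self, role, parents):
        return role in self.ft_roles or in_range(
            role, self.begin_child, self.end_parent, parents)

def uncovered_roles(parents, admin_roles):
    """Audit helper: RBAC roles that no admin role is able to assign."""
    return {r for r in parents
            if not any(a.can_assign(r, parents) for a in admin_roles)}

if __name__ == "__main__":
    range_only = AdminRole("teller_admin", "head_teller", "bank_user")
    print(sorted(uncovered_roles(PARENTS, [range_only])))
    with_list = AdminRole("teller_admin", "head_teller", "bank_user", {"auditor"})
    print(sorted(uncovered_roles(PARENTS, [with_list])))
```

Running `uncovered_roles` after each role creation shows which new RBAC roles fall outside every admin role and therefore cannot yet be delegated.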
