> On Nov 19, 2015, at 10:21 AM, Yudhi Karunia Surtan <[email protected]> wrote:
>
> Do you have any plan to introduce permission object attributes?
> At this moment I saw at LDAP that "ftObjNm" can have children with
> "ftOpNm".
> Perhaps it is also possible to have other children like "ftAttNm" and allow
> it to map the roles attribute inside those objects.
>
> Anyway, I only want to know what is inside your head about these feature
> enhancements in the future.

Currently we can map objects to operations, e.g.: Customer.Read, and can add object ids, e.g.: Customer.Read.123. There are discussions of adding attributes. Perhaps we add a multi-occurring attribute to the ftOperation object class to support this use case.

> On Nov 19, 2015, at 10:21 AM, Yudhi Karunia Surtan <[email protected]> wrote:
>
> The motivation behind my question is when a specific user (registered at
> Fortress) asks for the object from Fortress, and Fortress could answer it
> with these possibilities:
>
> a. access denied because the user doesn't have permission to see those
> objects
> b. access granted, object and attributes are given but only for the attributes
> that are mapped to his role.
> c. access granted but since no attribute is mapped, then only the object is
> returned.

Sounds like an interesting idea. There are a few other ideas floating around so we should gather them all, create a JIRA ticket, and discuss the pros/cons of each.

> On Nov 19, 2015, at 10:21 AM, Yudhi Karunia Surtan <[email protected]> wrote:
>
> Do you have any link or resources that I can read regarding this
> requirement?

I forget the document number for the combined RBAC and ABAC standard. Here it is. It discusses using ANSI INCITS 494 RBAC Policy Enhanced to combine attributes with roles:

http://csrc.nist.gov/groups/SNS/rbac/documents/coyne-weil-13.pdf

Shawn
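The three outcomes Yudhi lists (a, b, c), combined with the object.operation[.objectId] permission shape Shawn describes, as an added Python model written for this page. It is not Fortress code and not its API: the Permission, Role and authorize names are assumptions, the attrs mapping stands in for the proposed "ftAttNm" child, and the roles and customer record are constructed samples. The point it shows is that attribute projection is deny-by-default: an attribute reaches the caller only when some activated role has it mapped for that object, and a permission carrying an object id covers that one instance only.

```python
"""Hypothetical object/operation/attribute authorization model (not Fortress's own code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class Permission:
    obj_name: str                  # plays the role of ftObjNm, e.g. "Customer"
    op_name: str                   # plays the role of ftOpNm, e.g. "Read"
    obj_id: Optional[str] = None   # optional instance id, the "123" in Customer.Read.123

    def covers(self, obj_name: str, op_name: str, obj_id: Optional[str]) -> bool:
        # Customer.Read covers every Customer instance; Customer.Read.123 covers only id 123.
        if (self.obj_name, self.op_name) != (obj_name, op_name):
            return False
        return self.obj_id is None or self.obj_id == obj_id


@dataclass
class Role:
    name: str
    perms: Set[Permission]
    # Assumed attribute mapping (the "ftAttNm" idea): object name -> attributes this role may see.
    attrs: Dict[str, Set[str]]


# Decision labels matching outcomes (a), (b) and (c) from the thread.
DENIED = "access denied"
GRANTED_ATTRS = "access granted, mapped attributes returned"
GRANTED_OBJECT_ONLY = "access granted, object only"


def authorize(user_roles: Iterable[Role], obj_name: str, op_name: str,
              record: Dict[str, object], obj_id: Optional[str] = None
              ) -> Tuple[str, Optional[Dict[str, object]]]:
    """Return (decision, payload); payload is None on denial."""
    roles = list(user_roles)

    # (a) no activated role carries a covering permission: deny and return nothing at all.
    if not any(p.covers(obj_name, op_name, obj_id) for r in roles for p in r.perms):
        return DENIED, None

    # Union of attributes mapped for this object across the user's activated roles.
    allowed = set().union(*(r.attrs.get(obj_name, set()) for r in roles))

    # (c) nothing mapped: only the object identity goes back, no attribute values.
    if not allowed:
        return GRANTED_OBJECT_ONLY, {"object": obj_name, "id": obj_id}

    # (b) project the record down to mapped attributes; unmapped ones are dropped.
    filtered = {k: v for k, v in record.items() if k in allowed}
    return GRANTED_ATTRS, {"object": obj_name, "id": obj_id, "attributes": filtered}


# Constructed sample data (not from the page).
CUSTOMER_123 = {"name": "Ada", "phone": "555-0100", "credit_limit": 5000}

SALES = Role("sales", {Permission("Customer", "Read")}, {"Customer": {"name", "phone"}})
AUDITOR = Role("auditor", {Permission("Customer", "Read", "123")}, {})   # one instance, no attrs mapped
SUPPORT = Role("support", {Permission("Customer", "Update")}, {"Customer": {"name"}})


def demo() -> Dict[str, Tuple[str, Optional[Dict[str, object]]]]:
    """Run the model over the sample roles; each entry exercises one outcome."""
    return {
        "sales reads 123": authorize([SALES], "Customer", "Read", CUSTOMER_123, "123"),
        "auditor reads 123": authorize([AUDITOR], "Customer", "Read", CUSTOMER_123, "123"),
        "auditor reads 456": authorize([AUDITOR], "Customer", "Read", CUSTOMER_123, "456"),
        "support reads 123": authorize([SUPPORT], "Customer", "Read", CUSTOMER_123, "123"),
    }


if __name__ == "__main__":
    for case, (decision, payload) in demo().items():
        print(f"{case}: {decision} -> {payload}")
```

Because mapped attributes are unioned across roles, activating an extra role can only widen what is returned, never narrow it; a design that needs per-role restriction to intersect instead would change the `allowed` computation, which is the one line a policy reviewer should look at first.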
