Not entirely sure what I would like to see happen, was looking to see what was 
currently possible and see if you had any thoughts. Being able to specify that 
all users have a role, all authenticated users have a role, or all users in a 
specified UserOU have a role would be nice, but not sure that could be done 
without breaking or at least extending RBAC.


----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Tuesday, December 8, 2015 1:23:39 PM
Subject: Re: All or Anonymous User Roles

> On Dec 8, 2015, at 11:53 AM, Chris Pike <[email protected]> wrote:
> 
> Here the example I'm thinking about... if the permission check on my method 
> is "alert.status.view", I can create a role with that permission and add 
> users into the role. Later on if I want all authenticated users to have that 
> permission, I would have to add all 40k users (and new users as they come 
> into the system) into the role. Even later on if I want anyone, even 
> anonymous users to have access to the method, I would have to do a code 
> change and remove the permission check from my method.
> 

It sounds like a provisioning use case to me.  First, set up a base role for all 
authenticated users, i.e. AuthUsers and another for unauthenticated users, i.e. 
AnonUsers.  And then periodically you run a batch job to scan the ou=people 
subdirectory based on criteria, i.e. do they have a password set up or not.  If 
one or the other, and user hasn't been already assigned, assign it then.  

That way when you want to allow anon users access, you grant that perm to the 
corresponding role and be done with it (as opposed to code change).  

Of course this can also be done with some sort of 3rd party provisioning, or 
other sync service, i.e. when setting up a new user, always give them one or 
the other role.  Or detect (listen for) when a new user is being added, to 
assign to one or the other.  

What would you like to see happen here?

Shawn
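The batch reconciliation Shawn describes, as an added Python example that is not from the thread or from Fortress itself: it takes a constructed ou=people scan (uid, userPassword, and an assumed ftRA role-assignment attribute) and computes which base-role assignments are still missing. It goes one step beyond the thread by also flagging the stale base role when a user's status has changed, so a user whose password was removed does not keep AuthUsers.

```python
"""Plan AuthUsers/AnonUsers base-role assignments from an ou=people scan."""

# Role names are taken from the thread; the attribute names (uid, userPassword,
# ftRA) are assumptions about how the directory exposes users and assignments.
AUTH_ROLE = "AuthUsers"
ANON_ROLE = "AnonUsers"
BASE_ROLES = {AUTH_ROLE, ANON_ROLE}


def wanted_base_role(entry):
    """Criterion from the thread: a password on the entry means 'authenticated'."""
    return AUTH_ROLE if entry.get("userPassword") else ANON_ROLE


def plan(entries):
    """Return (assign, deassign) lists of (uid, role) pairs.

    assign   - base role the user should hold but does not yet (the thread's case)
    deassign - the other base role still present after the user's status changed
               (extension: keeps a deprovisioned user from retaining AuthUsers)
    Roles outside the two base roles are never touched, so the job is idempotent
    and safe to run repeatedly against the same directory.
    """
    assign, deassign = [], []
    for entry in entries:
        uid = entry["uid"]
        current = set(entry.get("ftRA", []))
        wanted = wanted_base_role(entry)
        if wanted not in current:
            assign.append((uid, wanted))
        for stale in (current & BASE_ROLES) - {wanted}:
            deassign.append((uid, stale))
    return assign, deassign


# Constructed sample of what a scan of ou=people might return (not real data).
SAMPLE_PEOPLE = [
    {"uid": "alice", "userPassword": "{SSHA}placeholder", "ftRA": ["AuthUsers", "Auditor"]},
    {"uid": "bob", "userPassword": "{SSHA}placeholder", "ftRA": []},  # new user
    {"uid": "carol", "ftRA": ["AnonUsers"]},  # no password, already correct
    {"uid": "dave", "ftRA": ["AuthUsers"]},  # password removed, AuthUsers is stale
    {"uid": "erin", "userPassword": "{SSHA}placeholder", "ftRA": ["AnonUsers"]},  # gained a password
]

if __name__ == "__main__":
    to_add, to_remove = plan(SAMPLE_PEOPLE)
    print("assign:", to_add)
    print("deassign:", to_remove)
```

Each pair in the returned lists is what a real job would hand to the Fortress admin API to assign or deassign the role.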