> On Dec 10, 2015, at 12:01 PM, Chris Pike <[email protected]> wrote:
>
> Not entirely sure what I would like to see happen, was looking to see what
> was currently possible and see if you had any thoughts. Being able to specify
> that all users have a role, all authenticated users have a role, or all users
> in a specified UserOU have a role would be nice, but not sure that could be
> done without breaking or at least extending RBAC.
There are a couple of areas we can work in and stay within the limits of a
classic RBAC system, i.e. INCITS 359.
The first that comes to mind is role activation workflow somewhere during the
session creation phase. For example, the client could make the determination
if the user is anonymous or authenticated, and based on that knowledge, can either
include one role or the other - i.e. AuthUser or AnonUser.
So you could call createSession, perhaps with trusted = true, meaning no authN
required. And subsequently call addActiveRole with the AnonUser role.
Or if the user has authenticated, you would call addActiveRole with AuthUser.
Of course this doesn’t solve the provisioning use case we discussed earlier,
i.e. assigning one or the other role. But wait, maybe it does… could we always
assign both and then just activate one or the other? Thinking….
Shawn
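The activation workflow sketched above (assign both AnonUser and AuthUser, then activate exactly one at session creation), as an added toy model that is not part of the thread and not any real RBAC library's API; the user, role, permission and password values are constructed for illustration.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

ANON_ROLE, AUTH_ROLE = "AnonUser", "AuthUser"

# Constructed policy data: both roles are *assigned* to every user up front,
# so the choice between them is made purely at activation time.
ASSIGNED_ROLES = {"alice": {ANON_ROLE, AUTH_ROLE, "Admin"}, "bob": {ANON_ROLE, AUTH_ROLE}}
ROLE_PERMS = {ANON_ROLE: {"read:public"}, AUTH_ROLE: {"read:public", "write:own"},
              "Admin": {"delete:any"}}
PASSWORDS = {"alice": "s3cret", "bob": "hunter2"}  # constructed; a real system stores hashes

@dataclass
class Session:
    user: str
    authenticated: bool
    active_roles: set = field(default_factory=set)

def add_active_role(sess: Session, role: str) -> None:
    """INCITS 359 AddActiveRole: the role must be assigned to the session's user.
    Extra rule for this pattern: AuthUser can only be activated in an authenticated session."""
    if role not in ASSIGNED_ROLES.get(sess.user, set()):
        raise PermissionError(f"{role} is not assigned to {sess.user}")
    if role == AUTH_ROLE and not sess.authenticated:
        raise PermissionError("AuthUser requires an authenticated session")
    sess.active_roles.add(role)

def create_session(user: str, password: Optional[str] = None, trusted: bool = False) -> Session:
    """trusted=True skips authN (anonymous access); otherwise the password must verify.
    The activation step then picks exactly one of AnonUser / AuthUser."""
    if user not in ASSIGNED_ROLES:
        raise KeyError(f"unknown user {user!r}")
    if trusted:
        authenticated = False
    else:
        expected = PASSWORDS.get(user, "")
        authenticated = password is not None and hmac.compare_digest(expected, password)
        if not authenticated:
            raise PermissionError("authentication failed")
    sess = Session(user, authenticated)
    add_active_role(sess, AUTH_ROLE if authenticated else ANON_ROLE)
    return sess

def check_access(sess: Session, perm: str) -> bool:
    """INCITS 359 CheckAccess: granted only through *active* roles, not merely assigned ones."""
    return any(perm in ROLE_PERMS.get(r, set()) for r in sess.active_roles)
```

Because AuthUser is assigned but never activated in a trusted session, the anonymous session can hold only AnonUser's permissions even though the assignment exists.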