> On Feb 8, 2016, at 10:08 AM, Chris Pike <[email protected]> wrote:
>
> It is my understanding that anyone in an ARBAC role with the permission
> org.apache.directory.fortress.core.impl.DelAdminMgrImpl.assignUser can assign
> any user to any ARBAC role. Is that correct?
No. They may assign any user any ARBAC role using that particular manager. Granting the particular ARBAC role this permission:

> org.apache.directory.fortress.core.impl.AdminMgrImpl.assignUser

gives the assignee the ability to assign any RBAC role to any user with the AdminMgr.

You can see all of the permissions that are covered by the ARBAC checks in the load script:
https://github.com/apache/directory-fortress-core/blob/master/ldap/setup/DelegatedAdminManagerLoad.xml

The finer-grained checks, canAssign, canDeassign, are where the ARBAC rules, i.e. orgs, are validated.

There is an open ticket that describes how these explicit calls to DelAccessMgr functions (by the caller) can be made implicit, i.e. done automatically:
https://issues.apache.org/jira/browse/FC-111?jql=project%20%3D%20FC

Shawn
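Added example, not code from this thread or from the Apache Fortress project: a caller that performs the explicit DelAccessMgr.canAssign check Shawn describes before invoking AdminMgr.assignUser, so the org-scoped ARBAC rules are enforced rather than only the coarse assignUser permission. The factory methods, the model package and the constructor signatures are assumed from the fortress-core 2.x API; the contextId and the administrator's Session are supplied by the application.

```java
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Explicit ARBAC check in front of an RBAC role assignment.
 * Holding the AdminMgr.assignUser permission alone allows assigning any RBAC
 * role to any user; the org-scoped rules live in DelAccessMgr.canAssign, so
 * the caller must invoke that check itself until it is made implicit (FC-111).
 * Factory and constructor signatures are assumed from the fortress-core 2.x API.
 */
public class GuardedRoleAssigner {
    private final DelAccessMgr delAccessMgr;
    private final AdminMgr adminMgr;

    // contextId names the Fortress tenant; adminSession is the administrator's session
    public GuardedRoleAssigner(String contextId, Session adminSession) throws SecurityException {
        this.delAccessMgr = DelAccessMgrFactory.createInstance(contextId);
        // Passing the session lets AdminMgr apply its own ARBAC permission check on assignUser
        this.adminMgr = AdminMgrFactory.createInstance(contextId, adminSession);
    }

    /**
     * Assigns roleName to userId only when the ARBAC rules (user OU and role OU
     * within the administrator's delegated scope) permit it.
     * Returns true if the assignment was made, false if canAssign denied it.
     */
    public boolean assignIfPermitted(Session adminSession, String userId, String roleName)
            throws SecurityException {
        User target = new User(userId);
        Role role = new Role(roleName);

        // Finer-grained check: is this admin's ARBAC role allowed to touch this user and this role?
        if (!delAccessMgr.canAssign(adminSession, target, role)) {
            // Deny and record it; never fall back to the coarse assignUser permission alone
            System.err.printf("denied: %s may not assign %s to %s%n",
                    adminSession.getUserId(), roleName, userId);
            return false;
        }

        // Only after the ARBAC check passes is the RBAC assignment performed
        adminMgr.assignUser(new UserRole(userId, roleName));
        return true;
    }
}
```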
