I think you may have misread my question (or I misread your answer), but "They 
may assign any user any ARBAC role using that particular manager.", is what I 
wanted to confirm. 

I was really looking to see if there is an ability to delegate the ARBAC 
assignment. For example, I want to give a UserX the ability to set role 
assigners for particular applications roles. If I understand your answer, this 
isn't possible, since having the "DelAdminMgrImpl.assignUser" permission allows 
UserX to assign any user to any ARBAC role, even ones not associated with their 
application.
----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Monday, February 8, 2016 1:51:36 PM
Subject: Re: ARBAC Role Assignment Question

> On Feb 8, 2016, at 10:08 AM, Chris Pike <[email protected]> wrote:
> 
> It is my understanding that anyone in an ARBAC role with the permission 
> org.apache.directory.fortress.core.impl.DelAdminMgrImpl.assignUser can assign 
> any user to any ARBAC role. Is that correct?

No.  They may assign any user any ARBAC role using that particular manager.  

Granting the particular ARBAC role this permission:

> org.apache.directory.fortress.core.impl.AdminMgrImpl.assignUser

gives the assignee the ability to assign any RBAC role to any user with the 
AdminMgr.  

You can see all of the permissions that are covered by the ARBAC checks in the 
load script:

https://github.com/apache/directory-fortress-core/blob/master/ldap/setup/DelegatedAdminManagerLoad.xml

The finer grained checks, canAssign, canDeassign, are where the ARBAC rules, 
i.e. orgs are validated.

There is an open ticket that describes how these explicit calls to DelAccessMgr 
functions (by the caller) can be made implicit, i.e. done automatically:

https://issues.apache.org/jira/browse/FC-111?jql=project%20%3D%20FC

Shawn
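
Added example, not code from the thread or from the Fortress project itself: the explicit pattern Shawn describes, where the caller runs the finer-grained DelAccessMgr.canAssign check (which validates the ARBAC org ranges) before calling AdminMgr.assignUser, since holding the assignUser permission alone does not restrict which users or roles can be assigned. It assumes a configured Fortress core client (fortress.properties plus a reachable LDAP directory), the default "HOME" context, and the hypothetical delegated-admin user "userx"; the class and method names are mine.

```java
// Added example (not from the mailing-list thread or the Fortress project).
// Assumptions: a configured Fortress core client and LDAP directory, the
// default GlobalIds.HOME context, and hypothetical user/role names below.
import org.apache.directory.fortress.core.AccessMgr;
import org.apache.directory.fortress.core.AccessMgrFactory;
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

public class CheckedRoleAssignment {

    /**
     * Assign roleName to targetUserId on behalf of callerSession, but only
     * after DelAccessMgr.canAssign confirms the caller's ARBAC user-OU and
     * role-OU ranges cover both the target user and the role.
     *
     * Returns true if the assignment was performed, false if the ARBAC org
     * check denied it. The permission check on AdminMgrImpl.assignUser still
     * runs inside assignUser itself, against the session passed to setAdmin.
     */
    public static boolean assignIfAllowed(Session callerSession, String targetUserId,
                                          String roleName) throws SecurityException {
        DelAccessMgr delAccessMgr = DelAccessMgrFactory.createInstance(GlobalIds.HOME);
        User target = new User(targetUserId);
        Role role = new Role(roleName);

        // Finer-grained ARBAC check: org (OU) ranges are validated here, not in
        // the coarse "may call assignUser at all" permission check.
        if (!delAccessMgr.canAssign(callerSession, target, role)) {
            return false;
        }

        // Passed the org check: perform the assignment as the caller.
        AdminMgr adminMgr = AdminMgrFactory.createInstance(GlobalIds.HOME);
        adminMgr.setAdmin(callerSession);
        adminMgr.assignUser(new UserRole(targetUserId, roleName));
        return true;
    }

    public static void main(String[] args) throws SecurityException {
        // Hypothetical delegated admin, target user and role (assumptions).
        String adminUserId = args.length > 0 ? args[0] : "userx";
        char[] adminPassword = (args.length > 1 ? args[1] : "secret").toCharArray();
        String targetUserId = args.length > 2 ? args[2] : "usery";
        String roleName = args.length > 3 ? args[3] : "app1-editor";

        // createSession activates the caller's RBAC and ARBAC (admin) roles.
        AccessMgr accessMgr = AccessMgrFactory.createInstance(GlobalIds.HOME);
        Session callerSession = accessMgr.createSession(new User(adminUserId, adminPassword), false);

        boolean done = assignIfAllowed(callerSession, targetUserId, roleName);
        System.out.println(done
            ? "assigned " + roleName + " to " + targetUserId
            : "ARBAC denied: " + adminUserId + " may not assign " + roleName + " to " + targetUserId);
    }
}
```

The point of the pattern is the order: canAssign first, assignUser second. Without the explicit canAssign call, a caller whose ARBAC role carries the assignUser permission can assign any role to any user, which is the behaviour the thread confirms; FC-111 (linked above) is about having the manager make that check automatically so callers cannot forget it.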
