You are correct. The ability to delegate only covers the scope of RBAC roles. There is no delegation that scopes ARBAC roles.
Shawn

> On Feb 8, 2016, at 1:20 PM, Chris Pike <[email protected]> wrote:
>
> I think you may have misread my question (or I misread your answer), but "They may assign any user any ARBAC role using that particular manager.", is what I wanted to confirm.
>
> I was really looking to see if there is an ability to delegate the ARBAC assignment. For example, I want to give a UserX the ability to set role assigners for particular applications roles. If I understand your answer, this isn't possible, since having the "DelAdminMgrImpl.assignUser" permission allows UserX to assign any user to any ARBAC role, even ones not associated with their application.
>
> ----- Original Message -----
> From: "Shawn McKinney" <[email protected]>
> To: [email protected]
> Sent: Monday, February 8, 2016 1:51:36 PM
> Subject: Re: ARBAC Role Assignment Question
>
>> On Feb 8, 2016, at 10:08 AM, Chris Pike <[email protected]> wrote:
>>
>> It is my understanding that anyone in an ARBAC role with the permission org.apache.directory.fortress.core.impl.DelAdminMgrImpl.assignUser can assign any user to any ARBAC role. Is that correct?
>
> No. They may assign any user any ARBAC role using that particular manager.
>
> Granting the particular ARBAC role this permission:
>
>> org.apache.directory.fortress.core.impl.AdminMgrImpl.assignUser
>
> gives the assignee the ability to assign any RBAC role to any user with the AdminMgr.
>
> You can see all of the permissions that are covered by the ARBAC checks in the load script:
>
> https://github.com/apache/directory-fortress-core/blob/master/ldap/setup/DelegatedAdminManagerLoad.xml
>
> The finer grained checks, canAssign, canDeassign, are where the ARBAC rules, i.e. orgs are validated.
>
> There is an open ticket that describes how these explicit calls to DelAccessMgr functions (by the caller) can be made implicit, i.e. done automatically:
>
> https://issues.apache.org/jira/browse/FC-111?jql=project%20%3D%20FC
>
> Shawn
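As an added illustration of the explicit check Shawn describes (example code written for this thread, not code from Fortress or from either poster): holding the assignUser permission lets the delegated admin's AdminMgr assign any RBAC role, so the caller asks DelAccessMgr.canAssign first, which is where the ARBAC org rules are validated. It assumes the 1.0-era Fortress package layout (org.apache.directory.fortress.core.model, the Factory.createInstance signatures and GlobalIds.HOME); the user and role names passed in are constructed.

```java
import org.apache.directory.fortress.core.AdminMgr;
import org.apache.directory.fortress.core.AdminMgrFactory;
import org.apache.directory.fortress.core.DelAccessMgr;
import org.apache.directory.fortress.core.DelAccessMgrFactory;
import org.apache.directory.fortress.core.GlobalIds;
import org.apache.directory.fortress.core.SecurityException;
import org.apache.directory.fortress.core.model.Role;
import org.apache.directory.fortress.core.model.Session;
import org.apache.directory.fortress.core.model.User;
import org.apache.directory.fortress.core.model.UserRole;

/**
 * Org-scoped user-role assignment for a delegated admin such as UserX.
 * The assignUser permission on its own does not restrict which users or
 * roles UserX may touch; the explicit canAssign call applies the ARBAC
 * org (and role-range) constraints of the admin roles in the session.
 */
public class ScopedAssigner {
    private final AdminMgr adminMgr;
    private final DelAccessMgr delAccessMgr;
    private final Session adminSession;

    // adminSession: the delegated admin's session, holding its ARBAC admin roles.
    // Factory signatures below are assumed from the Fortress 1.0 API.
    public ScopedAssigner(Session adminSession) throws SecurityException {
        this.adminSession = adminSession;
        this.delAccessMgr = DelAccessMgrFactory.createInstance(GlobalIds.HOME);
        // Passing the admin session makes AdminMgr run its permission checks as UserX.
        this.adminMgr = AdminMgrFactory.createInstance(GlobalIds.HOME, adminSession);
    }

    /**
     * Assigns roleName to userId only if the admin session's ARBAC roles cover
     * both; returns false (and assigns nothing) when canAssign denies it.
     */
    public boolean assignIfInScope(String userId, String roleName) throws SecurityException {
        User target = new User(userId);     // constructed target user
        Role role = new Role(roleName);     // constructed RBAC role
        // This is the finer-grained check the thread says the caller must make
        // explicitly today; FC-111 tracks making it implicit inside assignUser.
        if (!delAccessMgr.canAssign(adminSession, target, role)) {
            return false;
        }
        adminMgr.assignUser(new UserRole(userId, roleName));
        return true;
    }
}
```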
