I wanted to start discussing this topic again. The issue is that ARBAC maps to role ranges (a start node and an end node in a tree). This causes two major problems.
1. A new role does not automatically belong to any ARBAC role, so a user may have the ability to create a role, but unless they are a super admin they will not be able to assign users or permissions to that role.

2. Since an ARBAC role can only map to one role range, there is an explosion of ARBAC roles required to manage the RBAC roles. Managing the ARBAC roles becomes challenging when combined with issue #1.

My proposal is to treat roles similarly to how permissions are treated. Permissions get grouped into Perm OUs, and an ARBAC role can be assigned jurisdiction over many Perm OUs. We would do the same thing for roles and create Role OUs. So an ARBAC role would point to many Role OUs, and when a user created a role it would be created in a Role OU which they already had jurisdiction over.

The downside is that this violates the ARBAC spec, but given the issues I described above, I think it is necessary. It would also break backwards compatibility unless we allow both role ranges and Role OUs.

I also found this issue that discusses RBAC grouping of roles, so maybe it plays in somehow: https://issues.apache.org/jira/browse/FC-75

Thanks,
~Chris
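
The following is an added toy model of the two jurisdiction schemes discussed in the post above; it is illustration written for this page, not code from the post's author or from Apache Fortress. It assumes a simplified reading of a role range as the chain of roles between an ancestor and a descendant in the role tree (inclusive at both ends); the role names, OU names and the `RangeAdminRole`/`OuAdminRole` classes are invented for the example. `demo()` reproduces the two problems raised (a newly created role falls outside the existing range; covering separate branches of the tree needs one range-scoped admin role each) and shows the Role OU variant covering a new role as soon as it is created in an OU the admin already holds.

```python
from dataclasses import dataclass, field

# Constructed sample role tree, child -> parent (not Fortress data).
ROLE_PARENT = {
    "employee": None,
    "engineer": "employee",
    "senior_engineer": "engineer",
    "manager": "employee",
    "director": "manager",
}


def ancestors(role, parents):
    """Return [role, parent, grandparent, ...] up to the root."""
    chain = []
    while role is not None:
        chain.append(role)
        role = parents.get(role)
    return chain


def is_ancestor(upper, lower, parents):
    """True if `upper` is `lower` itself or one of its ancestors."""
    return upper in ancestors(lower, parents)


@dataclass
class RangeAdminRole:
    """Admin role scoped by a role range: the chain from `start` (descendant)
    up to `end` (ancestor), both inclusive. Assumed simplification of a
    begin/end range with inclusive flags; hypothetical class."""
    name: str
    start: str
    end: str

    def covers(self, role, parents):
        chain = ancestors(self.start, parents)
        if self.end not in chain:
            raise ValueError(f"{self.end} is not an ancestor of {self.start}")
        return role in chain[: chain.index(self.end) + 1]


def ranges_needed(targets, parents):
    """Minimum number of single-range admin roles needed to cover `targets`.
    A range is one ancestor-descendant chain, so every target that has no
    other target beneath it must anchor a range of its own."""
    targets = set(targets)
    return sum(
        1 for t in targets
        if not any(u != t and is_ancestor(t, u, parents) for u in targets)
    )


@dataclass
class OuAdminRole:
    """Proposed scheme: an admin role holds jurisdiction over a set of Role
    OUs, the way it already can over several Perm OUs. Hypothetical class."""
    name: str
    role_ous: set = field(default_factory=set)

    def covers(self, role, role_ou):
        return role_ou.get(role) in self.role_ous


def demo():
    parents = dict(ROLE_PARENT)
    eng_admin = RangeAdminRole("eng_admin", start="senior_engineer", end="engineer")

    # Problem 1: the admin creates a new role; it hangs off the tree below
    # the range's start node, so the existing range does not cover it.
    parents["contractor"] = "senior_engineer"
    can_assign_new_role = eng_admin.covers("contractor", parents)  # False

    # Problem 2: the engineering and management branches are separate chains,
    # so one range-scoped admin role is needed per branch.
    needed = ranges_needed(
        ["engineer", "senior_engineer", "manager", "director"], parents
    )  # 2

    # Role OU scheme: one admin role spans both OUs, and a role created inside
    # an OU the admin already controls is covered immediately.
    role_ou = {"engineer": "eng", "senior_engineer": "eng",
               "manager": "mgmt", "director": "mgmt"}
    ou_admin = OuAdminRole("ou_admin", role_ous={"eng", "mgmt"})
    role_ou["contractor"] = "eng"
    covered_new_role = ou_admin.covers("contractor", role_ou)  # True

    return can_assign_new_role, needed, covered_new_role


if __name__ == "__main__":
    print(demo())
```

`ranges_needed` is the count of target roles with no other target below them; since a range is a single vertical chain, two such roles can never share one, and every other target sits on the chain above one of them, so that count is the minimum number of ranges (and hence of admin roles) the range model forces.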
