> On May 12, 2016, at 11:05 AM, Chris Pike <[email protected]> wrote:
>
> If I understand what you are proposing, we would create role groups, and each
> role could belong to 0 or 1 groups. ARBAC roles could then point at 0 to N
> groups?

Yep

> On May 12, 2016, at 11:05 AM, Chris Pike <[email protected]> wrote:
>
> If so, then I think that is basically what I was proposing, just using the
> term Role OU instead of Role Group (I wasn't really thinking about the
> hierarchy of Role OU/Groups, need to think about if we would need that or
> not). We could maintain backwards compatibility by still allowing role
> ranges, but I don't see how either approach remains compliant with the spec.
> Does it allow for extensions? Are there any systems other than fortress that
> implement ARBAC02?

Well, having the role grouping use an ou hier rather than a flat group adds
quite a bit of complexity to the coding and I think to the usability /
understanding as well.

ARBAC02 is a model rather than a spec. That is to say it was never adopted by
a standards body (like ANSI) but that is beside the point. In Fortress we do a
bit more than what either RBAC or ARBAC02 prescribe (e.g. temporal
constraints) but that doesn't prevent compliance. It means we are compliant +
we do some more stuff that is useful and there is nothing wrong with that.

The RBAC spec certainly allows roles to be grouped though it doesn't require
it. It's been a while since I've read the ARBAC02 paper but I see no problem
with us adding to this model with what is being described here.

Shawn
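The model agreed on in the exchange above (each role in 0 or 1 role groups, an ARBAC admin role pointing at 0 to N groups, with legacy begin/end role ranges kept for backwards compatibility) can be sketched as a small authorization check. This is an added example, not code from the thread or from Apache Fortress; the class and method names (RoleCatalog, AdminRole, may_assign) and the sample roles, groups and hierarchy are constructed for illustration, and the range check uses the ARBAC convention that a range covers every role senior to or equal to its begin role and junior to or equal to its end role.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Role:
    name: str
    group: Optional[str] = None                      # each role belongs to 0 or 1 role groups
    seniors: Set[str] = field(default_factory=set)   # direct senior roles in the RBAC hierarchy


@dataclass
class AdminRole:
    name: str
    groups: Set[str] = field(default_factory=set)              # proposed: 0..N role groups
    ranges: Set[Tuple[str, str]] = field(default_factory=set)  # legacy: (begin, end) role ranges


class RoleCatalog:
    """Hypothetical in-memory catalog of roles, groups and the can-assign rule."""

    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}

    def add_role(self, name: str, *seniors: str) -> Role:
        # Senior roles must already exist so the hierarchy stays acyclic by construction.
        for s in seniors:
            if s not in self.roles:
                raise KeyError(f"unknown senior role {s!r}")
        role = Role(name, seniors=set(seniors))
        self.roles[name] = role
        return role

    def set_group(self, role_name: str, group: str) -> None:
        # Enforce the "0 or 1 groups per role" rule from the thread.
        role = self.roles[role_name]
        if role.group is not None and role.group != group:
            raise ValueError(f"{role_name} already belongs to group {role.group!r}")
        role.group = group

    def all_seniors(self, role_name: str) -> Set[str]:
        # Transitive closure over the senior edges.
        seen: Set[str] = set()
        stack = list(self.roles[role_name].seniors)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.roles[r].seniors)
        return seen

    def in_range(self, role_name: str, begin: str, end: str) -> bool:
        # Legacy ARBAC range: begin <= role <= end in the role hierarchy, inclusive.
        not_below_begin = role_name == begin or role_name in self.all_seniors(begin)
        not_above_end = role_name == end or end in self.all_seniors(role_name)
        return not_below_begin and not_above_end

    def may_assign(self, admin: AdminRole, role_name: str) -> bool:
        # An admin role may assign a role if the role's group is one of the admin's
        # groups, or (backwards compatibility) the role falls inside a legacy range.
        role = self.roles[role_name]
        if role.group is not None and role.group in admin.groups:
            return True
        return any(self.in_range(role_name, b, e) for b, e in admin.ranges)


def group_conflict(cat: RoleCatalog, role_name: str, group: str) -> bool:
    """True if moving the role into `group` would violate the one-group rule."""
    try:
        cat.set_group(role_name, group)
    except ValueError:
        return True
    return False


def build_demo() -> Tuple[RoleCatalog, AdminRole, AdminRole]:
    # Constructed sample data: manager > engineer > employee; auditor stands alone.
    cat = RoleCatalog()
    cat.add_role("manager")
    cat.add_role("engineer", "manager")
    cat.add_role("employee", "engineer")
    cat.add_role("auditor")
    cat.set_group("engineer", "engineering")
    cat.set_group("manager", "engineering")
    cat.set_group("auditor", "audit")
    eng_admin = AdminRole("eng-admin", groups={"engineering"})
    legacy_admin = AdminRole("legacy-admin", ranges={("employee", "engineer")})
    return cat, eng_admin, legacy_admin


if __name__ == "__main__":
    cat, eng_admin, legacy_admin = build_demo()
    for admin in (eng_admin, legacy_admin):
        for r in ("employee", "engineer", "manager", "auditor"):
            print(f"{admin.name:13} may assign {r:9}: {cat.may_assign(admin, r)}")
```

Note how the group path and the range path give different answers for "employee" (ungrouped, so only reachable through the legacy range) and "manager" (grouped, but senior to the range's end role); an implementation that keeps both mechanisms needs to decide and document which one wins when they disagree.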
