Sorry, meant to respond to this sooner. I think they should probably go into separate trees since it would give us more flexibility later on if needed.
----- Original Message ----- From: "Shawn McKinney" <[email protected]> To: [email protected] Sent: Saturday, May 14, 2016 4:44:09 PM Subject: Re: ARBAC and Role Grouping > On May 12, 2016, at 11:05 AM, Chris Pike <[email protected]> wrote: > > If I understand what you are proposing, we would create role groups, and each > role could belong to 0 or 1 groups. ARBAC roles could then point at 0 to N > groups? The good news here is there is already a group data structure with apis in GroupMgr. The original intent for this was user grouping but it will work for roles as well. There will have to be a tweak to support both mappings. We’ll need to think about how to differentiate. One idea is they could go in separate trees, another is to add a type attribute to the entry. Shawn
