With the addition of the ABAC / Role Constraint, this is the plan for how each of our applications will check permissions:

1. Application starts up and registers all of its permissions into an application-specific Perm-OU.
2. When a user makes a request, the application gets all the session user roles (AccessMgr.sessionRoles). Because of role constraints, can't use sessionPermissions.
3. For each role found, it finds the permissions (ReviewMgr.rolePermissions).
4. If necessary, it finds the permission attribute sets for each permission (ReviewMgr.readPermAttributeSet).
5. The permissions are part of the application's request context, so every check can be done internally; don't need to make a call to Fortress.

There will be caching, so this flow doesn't need to be done on every request.

We will have many applications, so in Step #2, lots of roles will be returned, most of which are not relevant to the application since they don't contain any permissions in the application's Perm-OU. My question was directed at seeing if there was a way to make this process more efficient.

----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Sunday, October 9, 2016 8:16:02 AM
Subject: Re: Access Manager Role Filtering

Chris, not exactly sure what you mean. Please elaborate with a sample use case and data. If it worked the way you wanted, what would the API be?

> On Oct 8, 2016, at 11:22 AM, Chris Pike <[email protected]> wrote:
>
> Shawn,
>
> Would there be any way to efficiently get all session roles that only contain
> permissions in a specified permission OU?
>
> Thanks,
>
> ~Chris
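The flow in steps 2 to 5 above, with the caching the message mentions, sketched as an added example that is not part of the thread and does not use Fortress's Java API. `AppPermissionCache`, `Permission`, `lookup` and the sample roles are hypothetical stand-ins: session roles are passed in per request as in step 2, and `lookup` plays the part of the step 3 role-to-permission call.

```python
# Added illustration: in-memory stand-ins for Fortress, not its Java API.
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    obj_name: str
    op_name: str
    perm_ou: str            # Perm-OU the permission is registered under (step 1)
    attr_sets: tuple = ()   # names of attached permission attribute sets (step 4)

# Constructed sample data: roles whose permissions span three applications.
ROLE_PERMS = {
    "billing-clerk": [Permission("invoice", "read", "billing-app", ("region-limit",))],
    "billing-admin": [Permission("invoice", "read", "billing-app"),
                      Permission("invoice", "void", "billing-app")],
    "wiki-editor":   [Permission("page", "edit", "wiki-app")],
    "hr-viewer":     [Permission("employee", "read", "hr-app")],
}

def lookup(role):
    """Stand-in for the step 3 backend call (role -> permissions)."""
    return ROLE_PERMS.get(role, [])

class AppPermissionCache:
    """Per-application cache of role -> permissions inside one Perm-OU."""

    def __init__(self, perm_ou, role_permissions_lookup):
        self.perm_ou = perm_ou
        self._lookup = role_permissions_lookup
        self._by_role = {}
        self.lookups = 0    # number of backend calls actually made

    def _perms_for_role(self, role):
        if role not in self._by_role:
            self.lookups += 1
            # Keep only this application's Perm-OU. A role with nothing in it
            # is cached as an empty set, so it costs one lookup, then nothing.
            self._by_role[role] = frozenset(
                p for p in self._lookup(role) if p.perm_ou == self.perm_ou)
        return self._by_role[role]

    def request_context(self, session_roles):
        """Step 5: permissions of the roles active in this session."""
        ctx = set()
        for role in session_roles:
            ctx |= self._perms_for_role(role)
        return ctx

    def check(self, session_roles, obj_name, op_name):
        """Local permission check; no backend call once roles are cached."""
        return any((p.obj_name, p.op_name) == (obj_name, op_name)
                   for p in self.request_context(session_roles))
```

The cache is keyed by role, not by session, so the set of active roles is still taken from each session and only the role-to-permission mapping is reused.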
