Well, my thinking was that if you moved Perm OU down into the operation, then the app could use the Perm OU hierarchy to find relevant permissions

Parent Perm OU = myapp
 - Child Perm OU = myapp.1
 - Child Perm OU = myapp.2

perm obj name == Customer
  perm op name == add
  perm op ou == myapp.1
  perm op name == update
  perm op ou == myapp.2

So if I queried for all permissions that belong to Perm OU "myapp" (either directly or from a child OU), I would get the list of permissions relevant to "myapp". It would then allow delegation of Perm OU myapp.1 and myapp.2 to separate ARBAC roles.

Of course managing the Perm OU hierarchy and managing changes becomes challenging. Maybe it's worth thinking through the implications of making Perm OU multi-occurring on the Perm Op...

----- Original Message -----
From: "Shawn McKinney" <[email protected]>
To: [email protected]
Sent: Sunday, October 9, 2016 5:35:04 PM
Subject: Re: Access Manager Role Filtering

> On Oct 9, 2016, at 4:17 PM, Chris Pike <[email protected]> wrote:
>
> Could the Perm OU hierarchy be used to manage grouping permissions within an
> application?

Perhaps. Depends on the req’s I suppose. Can you elaborate?
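The lookup and delegation split proposed in the message above, modelled as an added example that is not part of the original thread and does not use the project's API. The data structures, the admin role names, the "otherapp" OU and the rule that an admin role covers an OU and its descendants are assumptions made for illustration.

```python
# Hypothetical model of the proposal in this thread; not the project's code or API.
from typing import NamedTuple

# Constructed sample hierarchy from the message: Perm OU -> parent Perm OU.
OU_PARENT = {"myapp": None, "myapp.1": "myapp", "myapp.2": "myapp", "otherapp": None}

class PermOp(NamedTuple):
    obj: str
    op: str
    ou: str  # the proposal: Perm OU is attached to the operation, not the object

PERMS = [
    PermOp("Customer", "add", "myapp.1"),
    PermOp("Customer", "update", "myapp.2"),
    PermOp("Invoice", "read", "otherapp"),  # constructed entry outside the myapp tree
]

def is_within(ou, ancestor):
    """True if ou equals ancestor or descends from it; raises on a cyclic hierarchy."""
    seen = set()
    while ou is not None:
        if ou == ancestor:
            return True
        if ou in seen:
            raise ValueError(f"cycle in Perm OU hierarchy at {ou!r}")
        seen.add(ou)
        ou = OU_PARENT.get(ou)  # unknown OUs end the walk and match nothing
    return False

def perms_for_ou(ou):
    """All permission operations whose OU is the given OU or one of its children."""
    return [p for p in PERMS if is_within(p.ou, ou)]

# Assumed ARBAC delegation table: admin role -> Perm OUs it may administer.
ADMIN_ROLE_OUS = {"myapp1-admin": {"myapp.1"}, "myapp2-admin": {"myapp.2"}}

def can_administer(admin_role, perm):
    """Default deny: an unknown admin role administers nothing."""
    return any(is_within(perm.ou, ou) for ou in ADMIN_ROLE_OUS.get(admin_role, ()))

if __name__ == "__main__":
    for p in perms_for_ou("myapp"):
        print(p, [r for r in ADMIN_ROLE_OUS if can_administer(r, p)])
```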
