> On Oct 11, 2016, at 7:24 AM, Chris Pike <[email protected]> wrote:
> 
> Not sure if I understand your questions about how can one set of roles be 
> associated with a perm with multiple OUs. The Perm OUs are just an ARBAC 
> thing correct?

Yes, but there are semantics here that need to be understood.  

This discussion is too complicated in the abstract.  We need use cases.

For example:

Roles:  R1, R2, R3

Perm OUs : P01, P02, P03

AdminRoles
AR1 - P01
AR2 - P02
AR3 - P01, P02, P03

Perms
PermObj: foo
op: fighter: ous:(P01), roles(R1)
op: eater: ous:(P02), roles:(R2)
op: sleeper: ous(P01, P02, P03) roles(R1, R2, R3)

So we have 3 perms, the first two are typical, the last one, foo.sleeper is not 
as it has multiple perm ous associated with it.

Now let us consider the operation:
boolean canRevoke(Session session, Role role, Permission perm) throws 
SecurityException

Any administrator that has any of the adminroles listed could revoke any of 
foo.sleeper’s roles.  e.g. admin AR1, could revoke R1, R2 and R3.  Is that 
desirable behavior?

Shawn
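
The use case in the message above as a small model, added here as an example; it is not part of the original message and not the project's own code. It assumes the OU check is the only test applied (any role-range check is left out), the class and method names are hypothetical, and `canRevokeAll` is a hypothetical stricter rule shown only for comparison.

```java
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified model of the use case from the message; names are hypothetical.
public class CanRevokeModel {
    // Admin role -> perm OUs it administers (values from the message).
    static final Map<String, Set<String>> ADMIN_ROLE_OUS = Map.of(
        "AR1", Set.of("P01"),
        "AR2", Set.of("P02"),
        "AR3", Set.of("P01", "P02", "P03"));

    // Operation on PermObj foo -> perm OUs (values from the message).
    static final Map<String, Set<String>> PERM_OUS = Map.of(
        "foo.fighter", Set.of("P01"),
        "foo.eater", Set.of("P02"),
        "foo.sleeper", Set.of("P01", "P02", "P03"));

    // Operation on PermObj foo -> roles it is granted to (values from the message).
    static final Map<String, Set<String>> PERM_ROLES = Map.of(
        "foo.fighter", Set.of("R1"),
        "foo.eater", Set.of("R2"),
        "foo.sleeper", Set.of("R1", "R2", "R3"));

    // "Any" semantics described in the message: one shared perm OU is enough.
    static boolean canRevokeAny(String adminRole, String role, String perm) {
        return PERM_ROLES.get(perm).contains(role)
            && !Collections.disjoint(ADMIN_ROLE_OUS.get(adminRole), PERM_OUS.get(perm));
    }

    // Hypothetical stricter rule: the admin role must cover every OU on the perm.
    static boolean canRevokeAll(String adminRole, String role, String perm) {
        return PERM_ROLES.get(perm).contains(role)
            && ADMIN_ROLE_OUS.get(adminRole).containsAll(PERM_OUS.get(perm));
    }

    public static void main(String[] args) {
        // Print the decision matrix for the multi-OU perm foo.sleeper.
        for (String adminRole : List.of("AR1", "AR2", "AR3")) {
            for (String role : List.of("R1", "R2", "R3")) {
                System.out.printf("%s revoke %s from foo.sleeper: any=%b all=%b%n",
                    adminRole, role,
                    canRevokeAny(adminRole, role, "foo.sleeper"),
                    canRevokeAll(adminRole, role, "foo.sleeper"));
            }
        }
    }
}
```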
