I created two new issues, FC-195 and FC-196

To answer your question, a new permission would be in a new PermOU that no 
existing ARBAC role could have jurisdiction over. So every relevant ARBAC role 
would have to be updated.

----- Original Message -----
From: "Shawn McKinney" <smckin...@apache.org>
To: fortress@directory.apache.org
Sent: Tuesday, October 11, 2016 6:21:45 PM
Subject: Re: ARBAC Perm OU change proposal (was Access Manager Role Filtering)

Ok this is good.  Let’s get a ticket opened with this info.  That way of we 
don’t have to fish around our email for it later.

I’m still working my way thru it but had a quick question below….

> On Oct 11, 2016, at 4:11 PM, Chris Pike <clp...@psu.edu> wrote:
> End State:
>   account.create.do -> POU1
>   account.reset.do -> POU2
>   account.delete.do -> POU3
>   AR1 -> POU1
>   AR2 -> POU2, POU3
>   AR3 -> POU1, POU2, POU3
> Issues / Notes:
>   - A one to one mapping between Permissions and PermOUs
>   - Adding a new permission may require updating many ARBAC roles

Why     would adding a new permission require updating many roles?


Reply via email to