I created two new issues, FC-195 and FC-196 To answer your question, a new permission would be in a new PermOU that no existing ARBAC role could have jurisdiction over. So every relevant ARBAC role would have to be updated.
----- Original Message ----- From: "Shawn McKinney" <smckin...@apache.org> To: fortress@directory.apache.org Sent: Tuesday, October 11, 2016 6:21:45 PM Subject: Re: ARBAC Perm OU change proposal (was Access Manager Role Filtering) Ok this is good. Let’s get a ticket opened with this info. That way of we don’t have to fish around our email for it later. I’m still working my way thru it but had a quick question below…. > On Oct 11, 2016, at 4:11 PM, Chris Pike <clp...@psu.edu> wrote: > > > End State: > account.create.do -> POU1 > account.reset.do -> POU2 > account.delete.do -> POU3 > AR1 -> POU1 > AR2 -> POU2, POU3 > AR3 -> POU1, POU2, POU3 > > Issues / Notes: > - A one to one mapping between Permissions and PermOUs > - Adding a new permission may require updating many ARBAC roles Why would adding a new permission require updating many roles? Thanks, Shawn