Shawn McKinney created FC-111:
---------------------------------

             Summary: Enhance ARBAC Coverage
                 Key: FC-111
                 URL: https://issues.apache.org/jira/browse/FC-111
             Project: FORTRESS
          Issue Type: New Feature
    Affects Versions: 1.0.0-RC41
            Reporter: Shawn McKinney
             Fix For: 1.0.0


Administrative Role-Based Access Control, or ARBAC, gives the capability to 
control authorization on the Fortress Core APIs themselves.  To enable Fortress 
to perform these checks, a session must be set on the manager instance before 
usage.  For example:

this.adminMgr.setAdmin( SecUtils.getSession( this ) );

Setting a Fortress session on a manager impl enforces ARBAC checking on 
subsequent API calls:

1. makes sure that the caller has the permission to call the method
2. (in some cases) enforces that the caller is entitled to perform the function 
for a given organization.

This enhancement is to expand the coverage for #2.  Currently the OU checks are 
performed on these calls:

assignUser and deassignUser
grantPermission and revokePermission

They need to be added for:

add, update, delete and findUser
add, update, delete and findPermissions
resetPassword, unlockAccount

The additional checks will require hooks to be inserted inside the manager flow 
before the actual DAO is invoked.  The exception to this rule is the search of 
users and permissions, which will require additional search filters to be 
inserted into the query.

For user functions, enforce that the caller has an admin role with a matching userou.
For perm functions, enforce that the caller has an admin role with a matching permou.
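The two enforcement styles described above (a pre-DAO hook for writes, a filter clause for searches), as an added illustration that is not Fortress code; the AdminRole/AdminSession types, the osU/osP set names and the `ou` attribute are assumptions standing in for the real objects:

```java
import java.util.*;

// Added example, not Fortress code: the ARBAC organizational-unit checks FC-111 asks for,
// modelled with stand-in types (all names here are assumptions, not the Fortress API).
public class ArbacOuCheck {
    // osU / osP: the user OUs and permission OUs this admin role may administer
    record AdminRole(String name, Set<String> osU, Set<String> osP) {}
    // The caller's session as passed to setAdmin(); carries the activated admin roles
    record AdminSession(String userId, List<AdminRole> adminRoles) {}

    // User functions (add/update/delete, resetPassword, unlockAccount): the caller needs
    // an admin role whose osU contains the target user's OU.
    static boolean canAdministerUserOu(AdminSession s, String userOu) {
        return s.adminRoles().stream().anyMatch(r -> r.osU().contains(userOu));
    }
    // Perm functions (add/update/delete): the same test against osP and the permission's OU.
    static boolean canAdministerPermOu(AdminSession s, String permOu) {
        return s.adminRoles().stream().anyMatch(r -> r.osP().contains(permOu));
    }
    // Hook placed in the manager before the DAO call: a denial stops the request before any write.
    static void enforceUserOu(AdminSession s, String op, String userOu) {
        if (!canAdministerUserOu(s, userOu))
            throw new SecurityException(op + ": " + s.userId() + " holds no admin role over user OU " + userOu);
    }
    // RFC 4515 escaping so an OU value can never change the structure of the generated filter.
    static String ldapEscape(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    // Search functions (findUsers): rather than filtering results afterwards, AND the caller's
    // administrable OUs into the query so out-of-scope entries are never returned at all.
    static String userSearchFilter(AdminSession s, String baseFilter) {
        Set<String> ous = new TreeSet<>();
        s.adminRoles().forEach(r -> ous.addAll(r.osU()));
        if (ous.isEmpty()) return "(&" + baseFilter + "(!(objectClass=*)))"; // no scope: matches nothing
        StringBuilder sb = new StringBuilder("(&").append(baseFilter).append("(|");
        ous.forEach(ou -> sb.append("(ou=").append(ldapEscape(ou)).append(')'));
        return sb.append("))").toString();
    }

    public static void main(String[] args) {
        AdminSession s = new AdminSession("jdoe",
                List.of(new AdminRole("HrAdmin", Set.of("HR", "Payroll"), Set.of("HrApp"))));
        enforceUserOu(s, "updateUser", "HR");               // in scope: passes silently
        System.out.println(userSearchFilter(s, "(uid=*)"));
        try { enforceUserOu(s, "deleteUser", "Engineering"); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

The search variant matters because a post-hoc check on returned entries still lets the directory do the work of an out-of-scope query; narrowing the filter keeps the result set inside the caller's OUs from the start.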

This enhancement will require additional test routines as well to verify the 
additional constraints checks.
