[ https://issues.apache.org/jira/browse/FC-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15283690#comment-15283690 ]
Shawn McKinney commented on FC-75: ---------------------------------- Use existing GroupMgr and group entity functionality. Extend with a type attribute. This will allow user and role groups to exist simultaneously under the same tree. > Add Role grouping mechanism > --------------------------- > > Key: FC-75 > URL: https://issues.apache.org/jira/browse/FC-75 > Project: FORTRESS > Issue Type: Improvement > Affects Versions: 1.0.0-RC39 > Reporter: Shawn McKinney > Assignee: Shawn McKinney > Fix For: 1.0.1 > > > Ansi rbac allows groups of roles. An rbac group map to a collection of roles: > Rbac group one to many relationship with role. > This will help with administration to simplify the task of assigning multiple > roles to a single user. > It is worth noting that role hierarchies are a similar concept in that they > too are a collection of roles - with one key difference. If one wanted to > assign a collection of roles to a user where two or more have dynamic > separation of duty constraints, having those roles related via a hierarchy > prevents selective activation into session. > With a group of roles assigned, it is possible for the user or system itself > to choose which of the assigned roles to activate into a given session. > from the ansi incits 369 2004: > "CreateSession(user, session) > This function creates a new session with a given user as owner, and a given > set of active roles. The function is valid if and only if: > - the user is a member of the USERS data set, and > - the active role set is a subset of the roles authorized for that user. Note > that if a role is > active for a session, its descendants or ascendants are not necessarily > active for that session. In a RBAC implementation, the session’s active roles > might actually be the groups that represent those roles." -- This message was sent by Atlassian JIRA (v6.3.4#6332)