Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
Description
User Story: As a Fortress super administrator, I want to delegate different Permission Operation assignments to different application owners (i.e. one group can give out account creation, another can give out account reset, and a third can give out both).
Current Steps:
1. Create Permission Object (account.create) with Perm OU (POU1) and Operation (do)
2. Create Permission Object (account.reset) with Perm OU (POU2) and Operation (do)
3. Create an ARBAC Role (AR1) that has jurisdiction over Perm OU (POU1)
4. Create an ARBAC Role (AR2) that has jurisdiction over Perm OU (POU2)
5. Create an ARBAC Role (AR3) that has jurisdiction over Perm OUs (POU1 and POU2)
6. U1 adds Permission (account.create.do) into R1
7. U2 adds Permission (account.reset.do) into R2
8. U3 adds Permissions (account.create.do and account.reset.do) into R3
9. Create new Permission Object (account.delete) with Perm OU (POU3) and Operation (do)
10. Update AR2 to add POU3
11. Update AR3 to add POU3
End State:
account.create.do -> POU1
account.reset.do -> POU2
account.delete.do -> POU3
AR1 -> POU1
AR2 -> POU2, POU3
AR3 -> POU1, POU2, POU3
Issues / Notes:
- There is a one-to-one mapping between Permissions and Perm OUs.
- Adding a new permission may require updating many ARBAC roles.
Steps after Perm OU Move to Operation
1. Create Permission Object (account) with Operations (create with POU1 / reset with POU2)
The remaining steps are the same as in the current use case.
End State:
account.create -> POU1
account.reset -> POU2
account.delete -> POU3
AR1 -> POU1
AR2 -> POU2, POU3
AR3 -> POU1, POU2, POU3
Issues / Notes:
- Same issues as the previous use case.
Steps after Perm OU Move to Operation and Multi Instance
1. Create Permission Object (account) with Operations (create with POU1 / reset with POU1)
2. Create Perm OU (POU2) and add to account.create
3. Create an ARBAC Role (AR1) that has jurisdiction over Perm OU (POU2)
4. Create Perm OU (POU3) and add to account.reset
5. Create an ARBAC Role (AR2) that has jurisdiction over Perm OU (POU3)
6. Create an ARBAC Role (AR3) that has jurisdiction over Perm OU (POU1)
7. U1 in AR1 adds Permission (account.create) into R1
8. U2 in AR2 adds Permission (account.reset) into R2
9. U3 in AR3 adds Permissions (account.create and account.reset) into R3
10. Create new Permission Operation (account.delete with POU1 and POU3)
End State:
account.create -> POU1, POU2
account.reset -> POU1, POU3
account.delete -> POU1, POU3
AR1 -> POU2
AR2 -> POU3
AR3 -> POU1
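The three scenarios above hinge on one delegation check: an ARBAC role may hand a permission to an RBAC role only when it has jurisdiction over a Perm OU that the permission belongs to. The following is an added toy model of that check (not Apache Fortress code; the "at least one shared Perm OU" rule is an assumption for illustration) using the issue's own POU/AR names. It reproduces the one-OU-per-permission end state and the multi-instance end state, and records which ARBAC roles had to be edited to get there.

```python
# Added example: toy model of the ARBAC delegation check discussed in this issue.
# Assumption: an admin role may assign a permission iff it has jurisdiction over
# at least one Perm OU the permission belongs to. Not Fortress code.
from dataclasses import dataclass, field


@dataclass
class Model:
    """perm_ous: permission -> Perm OUs it belongs to.
    admin_ous: ARBAC role -> Perm OUs it has jurisdiction over.
    touched: ARBAC roles edited after their initial creation."""
    perm_ous: dict
    admin_ous: dict
    touched: set = field(default_factory=set)

    def can_assign(self, admin_role: str, perm: str) -> bool:
        # Delegation check: admin role must cover at least one OU of the permission.
        return bool(self.admin_ous[admin_role] & self.perm_ous[perm])

    def add_permission(self, perm: str, ous: set) -> None:
        self.perm_ous[perm] = set(ous)

    def extend_jurisdiction(self, admin_role: str, ou: str) -> None:
        self.admin_ous[admin_role].add(ou)
        self.touched.add(admin_role)

    def matrix(self) -> dict:
        """Which permissions each ARBAC role may give out to RBAC roles."""
        return {ar: sorted(p for p in self.perm_ous if self.can_assign(ar, p))
                for ar in sorted(self.admin_ous)}


def one_ou_per_permission() -> Model:
    """Current design: every permission sits in exactly one Perm OU."""
    m = Model({"account.create": {"POU1"}, "account.reset": {"POU2"}},
              {"AR1": {"POU1"}, "AR2": {"POU2"}, "AR3": {"POU1", "POU2"}})
    m.add_permission("account.delete", {"POU3"})  # step 9
    m.extend_jurisdiction("AR2", "POU3")          # step 10: AR2 must be edited
    m.extend_jurisdiction("AR3", "POU3")          # step 11: AR3 must be edited
    return m


def multi_instance() -> Model:
    """Proposed design: a permission may belong to several Perm OUs."""
    m = Model({"account.create": {"POU1", "POU2"}, "account.reset": {"POU1", "POU3"}},
              {"AR1": {"POU2"}, "AR2": {"POU3"}, "AR3": {"POU1"}})
    m.add_permission("account.delete", {"POU1", "POU3"})  # step 10; no ARBAC role edits
    return m
```

Both models yield the same delegation matrix (AR1 creates only, AR2 resets and deletes, AR3 everything), but only the multi-instance model gets there without editing any ARBAC role.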
Issue Links
- is duplicated by FC-241: Associate Organization Unit with Permission Operation mapping (Open)