refine
shawnmckinney committed Mar 17, 2019
1 parent 7bce996 commit 0f2563d42e43f7240e5aedd2d669f2704d517802
Showing 1 changed file with 5 additions and 3 deletions.
@@ -86,13 +86,15 @@ The ARBAC checks when enabled, include the following:
a. All service invocations, except AccessMgr and DelAccessMgr, perform an ADMIN permission check automatically corresponding with the exact service/API being called.

For example, the permission with an objectName: **org.apache.directory.fortress.core.impl.AdminMgrImpl** and operation name: **addUser** is automatically checked
during the call to the **userAdd** service.
during the call to the **userAdd** service.

This means at least one ADMIN role must be activated for the user calling the service that has been granted the required permission.
The entire list of permissions, and their mappings to services are listed in the table that follows.

b. Some services (#'s 1 - 12 listed below) perform organizational verification, comparing the org on the ADMIN role with that on the target user or permission in the HTTP request.

There are two types of organziations being checked, User and Permission. For example, **roleAsgn** and **roleDeasgn** (9 and 10 below) will verify that the caller has an ADMIN role with a user org unit that matches the ou of the target user.
There are two types of organziations being checked, User and Permission.

For example, **roleAsgn** and **roleDeasgn** (9 and 10 below) will verify that the caller has an ADMIN role with a user org unit that matches the ou of the target user.
There is a similar check on **roleGrant** and **roleRevoke** (11 and 12) verifying the caller has an activated ADMIN role with a perm org unit that matches the ou on the target permission.

c. Some services (#'s 9,10,11,12) perform a range check on the target RBAC role to verify user has matching ADMIN role with authority to assign to user or grant to permission.
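Review bot: the re-added line in item b, "There are two types of organziations being checked, User and Permission.", still carries the misspelling "organziations"; since this change rewrites that line to split the paragraph, correct it to "organizations" in the same commit. In the trailing context, item c says "verify user has matching ADMIN role", which can be read as either the caller or the target user, while item b consistently says "the caller"; using "the caller" in item c as well would make it unambiguous whose ADMIN role the range check is evaluated against.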
