Subject: Re: Another Group - Role Distinction?
> Is it the case that groups propagate "up" whereas roles propagate "down" for
> security purposes?

I believe it is the case that:

authorizations granted to groups always propagate to their members (subgroups and users)

authorizations granted to roles can propagate to their subroles (you may not always want propagation to preserve least privilege).

Not having propagation can be ok for roles, while it is not applicable for groups.

When talking about identities, a user always connects as him/herself (i.e., the subject you will have to check is always a minimal element of the user-group hierarchy). However, it is not so for roles: a user can activate a role which is nonminimal in the role hierarchy. In such a context authorization propagation when dealing with roles can have an additional aspect: if a user is authorized to activate a role s/he can also activate roles that are generalizations of it.

-p
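The propagation rules described in the message above, as an added Python example that is not part of the original post. The hierarchies, role and group names, grants and function names are all constructed for illustration; the model assumes a subrole sits below its generalization and that a session runs with one activated role.

```python
# Added illustration: the hierarchies, names and grants are constructed sample data.
# Each map reads child -> direct parents. For roles, the parent is the generalization.
GROUP_PARENTS = {"alice": {"nurses"}, "nurses": {"staff"}, "staff": set()}
ROLE_PARENTS = {"head_nurse": {"nurse"}, "nurse": {"employee"}, "employee": set()}
GROUP_GRANTS = {"staff": {"read_bulletin"}, "nurses": {"read_chart"}}
ROLE_GRANTS = {"employee": {"enter_building"}, "nurse": {"update_chart"},
               "head_nurse": {"approve_roster"}}


def upward_closure(node, parents):
    """Return node plus every element reachable above it in the hierarchy."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(parents.get(current, ()))
    return seen


def user_authorizations(user):
    """Group grants always reach members: union over the user and all groups above."""
    return set().union(*(GROUP_GRANTS.get(g, set())
                         for g in upward_closure(user, GROUP_PARENTS)))


def role_authorizations(role, propagate=True):
    """Role grants reach subroles only when propagation is enabled."""
    sources = upward_closure(role, ROLE_PARENTS) if propagate else {role}
    return set().union(*(ROLE_GRANTS.get(r, set()) for r in sources))


def activatable_roles(assigned):
    """Being authorized to activate a role also allows activating its generalizations."""
    return set().union(*(upward_closure(r, ROLE_PARENTS) for r in assigned))


def session_permits(assigned, active_role, permission, propagate=True):
    """Check a request against the single role the user chose to activate."""
    if active_role not in activatable_roles(assigned):
        return False
    return permission in role_authorizations(active_role, propagate)


if __name__ == "__main__":
    print(user_authorizations("alice"))
    print(activatable_roles({"head_nurse"}))
    print(session_permits({"head_nurse"}, "nurse", "approve_roster"))
```

A user assigned `head_nurse` who activates the more general `nurse` role loses `approve_roster` for that session, which is the least-privilege effect of activating a nonminimal role.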