1

User vs Group role precedence

asked 2015-02-13 14:15:05 -0500

twichert

If user "jimmy tables" is assigned Role A, group "comic admins" assigned Role B, and jimmy tables is assigned group comic admins, then how are conflicts between Role A and Role B resolved?


2 answers

0

answered 2015-02-15 11:53:40 -0500

jeffrey-olsen

Your question is a little unclear and I don't know how I would respond to it. However, I would suggest taking a look at the Identity Management docs.

Identity Management Doc

0

answered 2015-02-15 22:00:31 -0500

updated 2015-02-17 16:03:25 -0500

Users and groups are not directly assigned roles; they are assigned a role on a tenant. So when you think of role assignment, there will be three actors. They are either (user, role, tenant) or (group, role, tenant).

Consider your example, assuming the tenant is TenantA:

1) User "Jimmy Tables" has a role "RoleA" on Tenant "TenantA"

2) User "Jimmy Tables" is part of group "Comic Admins"

3) Group "Comic Admins" is assigned a role "RoleB" on Tenant "TenantA"

So the effective role assignment is SET(role assignment of user on TenantA + role assignment of groups to which the user belongs on TenantA)

In your example, there is no conflict. You are going to get SET( RoleA, RoleB)

Assuming Group "Comic Admins" also has role assignment "RoleA" on TenantA, then the effective role assignment is SET(RoleA, RoleB, RoleA), which is the same as "RoleA, RoleB"


Comments

Thank you, this is exactly what I needed to clarify how roles work. From further reading, I have found that OpenStack's access control system provides only "allow" masks, which voids the complexities created when "deny" masks are present in an access control system.

twichert ( 2015-02-17 13:18:03 -0500 )
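The set-union rule from the answer above, together with the allow-only point from the follow-up comment, as an added example that is not part of the original thread and is not Keystone's own code. It is a small model over constructed (actor, role, tenant) triples; the extra "RoleC on TenantB" grant and the function names are assumptions added to show tenant scoping and where each role comes from.

```python
from collections import defaultdict, namedtuple

# Constructed sample data modelled on the thread's scenario (not real Keystone records).
Assignment = namedtuple("Assignment", "actor_type actor role tenant")

GROUP_MEMBERS = {"Comic Admins": {"Jimmy Tables"}}

ASSIGNMENTS = [
    Assignment("user", "Jimmy Tables", "RoleA", "TenantA"),
    Assignment("group", "Comic Admins", "RoleB", "TenantA"),
    Assignment("group", "Comic Admins", "RoleA", "TenantA"),  # overlaps the direct grant
    Assignment("group", "Comic Admins", "RoleC", "TenantB"),  # assumed grant on another tenant
]


def role_sources(user, tenant, assignments=ASSIGNMENTS, members=GROUP_MEMBERS):
    """Map each role the user holds on `tenant` to the grants that supply it.

    Every assignment only adds a role; nothing in the model can subtract one,
    so there is no precedence to resolve between user and group grants.
    """
    groups = {g for g, users in members.items() if user in users}
    found = defaultdict(set)
    for a in assignments:
        if a.tenant != tenant:
            continue  # assignments are scoped to a tenant and do not leak across
        direct = a.actor_type == "user" and a.actor == user
        via_group = a.actor_type == "group" and a.actor in groups
        if direct or via_group:
            found[a.role].add(f"{a.actor_type}:{a.actor}")
    return {role: sorted(src) for role, src in found.items()}


def effective_roles(user, tenant):
    """Effective roles are the de-duplicated union of direct and group grants."""
    return set(role_sources(user, tenant))


if __name__ == "__main__":
    for tenant in ("TenantA", "TenantB"):
        print(tenant, sorted(effective_roles("Jimmy Tables", tenant)))
    print(role_sources("Jimmy Tables", "TenantA"))
```

When reviewing access, the `role_sources` output shows that removing only the direct RoleA grant would not remove RoleA from the user, because the group grant still supplies it.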
