Ask Your Question

User vs Group role precedence

asked 2015-02-13 14:15:05 -0600

twichert gravatar image

If user "jimmy tables" is assigned Role A, group "comic admins" assigned Role B, and jimmy tables is assigned group comic admins, then how are conflicts between Role A and Role B resolved?

edit retag flag offensive close merge delete

2 answers

Sort by ยป oldest newest most voted

answered 2015-02-15 11:53:40 -0600

jeffrey-olsen gravatar image

Your question is a little unclear and I don't know how I would respond to it. However, I would suggest taking a look at the Identity Management docs.

Identity Management Doc

edit flag offensive delete link more

answered 2015-02-15 22:00:31 -0600

updated 2015-02-17 16:03:25 -0600

User's and groups are not directly assigned roles, they are assigned role on a tenant. So when you think of role assigment, there will be three actors. They are either (user, role, tenant) or ( group, role, tenant).

Consider your example and assumming the tenant is TenantA

1) User "Jimmy Tables" has a role "RoleA on Tenant "TenantA"

2) User "Jimmy Tables" is part of group "Comic Admins"

3) Group "Cominc Admins" is assigned a role "RoleB" on Tenant "TenantA"

So effective role assignment is SET( role assignent of user on TenantA + role assignment of groups to which the user belongs to on TenantA)

In your example, there is no conflict. You are going to get SET( RoleA, RoleB)

Assuming Group "Comic Admins" also has role assignment "RoleA" on Tenant A, then effective role assignment is SET( RoleA, RoleB, RoleA) which is same as "RoleA, RoleB"

edit flag offensive delete link more


Thank you, this is exactly what I needed to clarify how roles work. From further reading, I have found that OpenStack's access control system provides only "allow" masks, which voids the complexities created when "deny" masks are present in an access control system.

twichert gravatar imagetwichert ( 2015-02-17 13:18:03 -0600 )edit

Get to know Ask OpenStack

Resources for moderators

Question Tools


Asked: 2015-02-13 14:15:05 -0600

Seen: 419 times

Last updated: Feb 17 '15