sharing a subject between roles
Posted: Mon Sep 10, 2007 3:46 pmHello,
Can I share a subject between roles ? Probably not.
I have hundreds or thousands of users, which
should have actually the same policy for all
subject, except, for example, their home dir
(actually, except set of directories, which will
contains e.g.
/home/%USERNAME%,
/other/%USERNAME%,
/else/%USERNAME%
but forget it for the sake of concept simplicity.)
So John and Mary should have exactly the same
permissions in the system, except john should have
relaxed rights for /home/john, and mary - respectively,
it is the only difference between their roles I want.
I could define a group for them, just to assign the
privileges for both of them, but, if automatic role
search goes from user->group->default, this will
probably mean, that if I want such group role to be
effective, I'll have to ensure, that there's no role
for "john" and "mary", because in such situation
a group role wouldn't ever "match".
So - that's the question: How to implement such policy
in some wise way? Maybe the most reasonable, would
be using "include" and keep subjects in separate
files simply included in many roles?
BTW, what about user belonging to two or more groups,
while the roles of these groups have coincidental policies?
Does it mean a "group" means user primary group only?
Or group role's policies are inherited in some order ?
Other solution to define a "shared" subject could be
some usage of a special token like literal %USERNAME%, %UID%, etc.
while the subject should belong to a special non-user-group role,
which should be inherited inclusively (with highest priority)
into other roles.
Have you ever consider "role server" for sharing roles between
servers? Actually a policy is read just once, when enabling (reloading)
RBAC, isn't it?
Regards,
Piotr
Can I share a subject between roles ? Probably not.
I have hundreds or thousands of users, which
should have actually the same policy for all
subject, except, for example, their home dir
(actually, except set of directories, which will
contains e.g.
/home/%USERNAME%,
/other/%USERNAME%,
/else/%USERNAME%
but forget it for the sake of concept simplicity.)
So John and Mary should have exactly the same
permissions in the system, except john should have
relaxed rights for /home/john, and mary - respectively,
it is the only difference between their roles I want.
I could define a group for them, just to assign the
privileges for both of them, but, if automatic role
search goes from user->group->default, this will
probably mean, that if I want such group role to be
effective, I'll have to ensure, that there's no role
for "john" and "mary", because in such situation
a group role wouldn't ever "match".
So - that's the question: How to implement such policy
in some wise way? Maybe the most reasonable, would
be using "include" and keep subjects in separate
files simply included in many roles?
BTW, what about user belonging to two or more groups,
while the roles of these groups have coincidental policies?
Does it mean a "group" means user primary group only?
Or group role's policies are inherited in some order ?
Other solution to define a "shared" subject could be
some usage of a special token like literal %USERNAME%, %UID%, etc.
while the subject should belong to a special non-user-group role,
which should be inherited inclusively (with highest priority)
into other roles.
Have you ever consider "role server" for sharing roles between
servers? Actually a policy is read just once, when enabling (reloading)
RBAC, isn't it?
Regards,
Piotr