Restrictions on User-Role Assignment

Registered by Xin Jin

In OpenStack, the admin can assign a set of roles to users when they are added to a project. For instance, the admin creates a user Alice, adds Alice to project DEMO and assigns the "member" role to Alice. Later on, the admin can add more roles to Alice or delete roles from her. However, roles usually depend on each other. In other words, in order to assign one role to a user, the user must currently hold several prerequisite roles (e.g., in order to assign Alice the "manager" role, Alice must currently be assigned the "areaDirector" role). Similarly, conflicting roles prevent the admin from assigning those roles to a user at the same time (e.g., if the admin wants to assign Alice the "manager" role, Alice should NOT currently be assigned any of the roles in {"director", "DeptLeader"}).
Those restrictions are useful in conflict handling and are currently not provided in OpenStack. Since role creation is already provided, this proposal provides the mechanism (GUI) to specify dependencies and conflicts among globally created roles in each project. That means there could be different restrictions in different projects. When the admin assigns roles to users, those restrictions are enforced.
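The check described above, sketched as an added example; it is not code from this blueprint or from Keystone. The class and function names are hypothetical, the restriction tables are constructed from the roles named in the text, and treating conflicts as symmetric is an assumption.

```python
from dataclasses import dataclass, field


class RoleRestrictionError(Exception):
    """Raised when an assignment violates a project's role restrictions."""


@dataclass
class ProjectRolePolicy:
    # Hypothetical per-project tables: role -> roles that must / must not be held.
    prerequisites: dict = field(default_factory=dict)
    conflicts: dict = field(default_factory=dict)
    assignments: dict = field(default_factory=dict)  # user -> set of held roles

    def check_assign(self, user, role):
        """Return a list of violations; an empty list means the assignment is allowed."""
        held = self.assignments.get(user, set())
        problems = []
        missing = set(self.prerequisites.get(role, ())) - held
        if missing:
            problems.append(f"missing prerequisite roles: {sorted(missing)}")
        # Assumption: conflicts are symmetric, so a role the user already holds
        # that lists the new role as a conflict also blocks the assignment.
        clashing = set(self.conflicts.get(role, ())) & held
        clashing |= {r for r in held if role in self.conflicts.get(r, ())}
        if clashing:
            problems.append(f"conflicts with held roles: {sorted(clashing)}")
        return problems

    def assign(self, user, role):
        """Enforce the restrictions at assignment time, then record the role."""
        problems = self.check_assign(user, role)
        if problems:
            raise RoleRestrictionError(
                f"cannot assign {role!r} to {user!r}: " + "; ".join(problems))
        self.assignments.setdefault(user, set()).add(role)


def demo_policy():
    """Constructed restrictions for project DEMO, using the roles named in the text."""
    return ProjectRolePolicy(
        prerequisites={"manager": {"areaDirector"}},
        conflicts={"manager": {"director", "DeptLeader"}},
    )


def build_policies():
    """Restrictions are per project: the constructed project SANDBOX has none."""
    return {"DEMO": demo_policy(), "SANDBOX": ProjectRolePolicy()}
```

Because each project has its own `ProjectRolePolicy`, the same globally created role can be restricted in DEMO and unrestricted in SANDBOX.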

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Xin Jin
Direction: Needs approval
Assignee: Xin Jin
Definition: Superseded
Series goal: None
Implementation: Unknown
Milestone target: None
Completed by: Morgan Fainberg

Whiteboard

Related Paper: Sandhu, Ravi, Venkata Bhamidipati, and Qamar Munawer. "The ARBAC97 model for role-based administration of roles." ACM Transactions on Information and System Security (TISSEC) 2.1 (1999): 105-135.

(morganfainberg): I am going to mark this as superseded as we will have a direction on how all of this will need to be addressed for reseller use-case post Kilo summit.
