[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: role based authorization -> dynacl module?

To: Daniel Tröder <troeder@univention.de>, openldap-technical@openldap.org
Subject: Re: role based authorization -> dynacl module?
From: Howard Chu <hyc@symas.com>
Date: Sun, 22 Apr 2018 04:57:20 +0100
In-reply-to: <feb332f1-c05d-ba57-3d3b-63887434d6f9@univention.de>
References: <feb332f1-c05d-ba57-3d3b-63887434d6f9@univention.de>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0 SeaMonkey/2.53a1

Daniel Tröder wrote:

Hello everyone,

I am in the process of implementing a role concept via ACLs and hope for
a hint so that I don't invent the wheel a second time.

Specifically, it is about identity management for schools. A user
(object) can have several roles in multiple schools. Permissions on
other LDAP objects can thus differ depending on the role(s) the user and
the object have in the same school(s).

For example, a user could have been assigned the following roles that
are scattered over several schools:
→ "Teacher" in school 1
→ "School admin" in school 2
→ "Parent" in school 3
→ both "Teacher" and "Staff" in school 4

ACLs should now be defined accordingly, e.g.
→ the role "teacher" at school X can reset the password for the role
"student" at school X
→ the role "teacher" at school X *cannot* reset the password for the
role "student" of school Y
→ the role "school administrator" at school X can reset the password for
the roles "student" and "teacher" at school X
→ ...

So far I have not seen any way to map such a construct via groups or
sets without including a separate ACL for each group, which is a
performance issue.
Is there another way to map the role concept besides implementing an own
  dynacl module?

I think a dynacl module is your only choice. Most people miss the differencebetween roles and groups - group membership applies all the time. Once you'rea member of a group, the privileges of that group are omnipresent.

Whereas, membership in a role grants you these privileges *only for as long asyou assert that role* and adopting a role is a temporary, bounded activity.

So you need, at the least, in an LDAP context, an exop that says "assume roleX" and the corresponding "drop role X". Without these two primitives, youdon't actually have roles or role-based access control. LDAP's spec for proxyauthorization might be sufficient for this purpose.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: role based authorization -> dynacl module?
  - From: Michael Ströder <michael@stroeder.com>
- Re: role based authorization -> dynacl module?
  - From: Daniel Tröder <troeder@univention.de>

References:
- role based authorization -> dynacl module?
  - From: Daniel Tröder <troeder@univention.de>

Prev by Date: role based authorization -> dynacl module?
Next by Date: Re: exempt some users from OpenLDAP password policy
Index(es):
- Chronological
- Thread