Access roles are not inherited
Assuming we defined the following three ACL roles in
"Auditor" should be the lowest level, "administrator" the highest. A typical example would be: admin has access to everything (incl. user management features), "manager" and "auditor" have access to low-level features. Therefore, a good approach would be to inherit all privileges an "auditor" has to the "manager" role, and all privileges a "manager" has to "administrator".
The attached document shows the entries in "Policy.yaml" as an example. Note the two/four lines highlighted in red (in the "acl" section). You would expect that you need those lines, because "manager" already has access to Meter/Asset (inherited by "auditor"), as well as "administrator".
But if these lines are removed, an "Access denied" exception is thrown when trying to access Asset/Meters with a "manager" or "administrator" user.
Privileges are not inherited. In this example: GRANT for role "auditor" is not passed to "manager" (and "administrator" in the next level).
Assign all "admin" users to the "auditor" and/or "manager" roles, too. Or: include the additional lines in Policy.yaml as shown in the attached document.
Updated by Andreas Förthner over 11 years ago
- Category set to Security
- Status changed from New to Accepted
- Assignee set to Andreas Förthner
This feature probably got lost in the last refactoring of the security context. The getRoles() method of the context has to take inheritance into account.
I will take care asap.
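The behaviour the report asks for and the fix described in the comment (a getRoles() that resolves parent roles transitively), as an added stand-alone example. This is illustration code written for this page, not FLOW3 code, and it uses none of the framework's APIs or Policy.yaml syntax. The role names and the "Meter"/"Asset" resources come from the report; the parent mapping, the other resource names and every function name are constructed assumptions. `inherit=False` reproduces the reported "Access denied", `inherit=True` is the fixed behaviour, and `workaround_grants()` computes exactly the redundant GRANT lines the reporter had to add by hand:

```python
"""Role inheritance resolver for an ACL: resolve a role to itself plus all
ancestors, then check grants against that set. Illustration only; not FLOW3."""


class RoleCycleError(ValueError):
    """Raised when the role hierarchy contains a cycle (e.g. a -> b -> a)."""


# Constructed sample hierarchy: each role maps to the roles it inherits from.
# Role names follow the report; the nesting is the one the reporter proposes.
ROLE_PARENTS = {
    "auditor": [],
    "manager": ["auditor"],
    "administrator": ["manager"],
}

# Constructed sample ACL: the resources each role is granted directly.
# "Meter" and "Asset" are from the report; the other names are made up.
ACL_GRANTS = {
    "auditor": {"Meter", "Asset"},
    "manager": {"Report"},
    "administrator": {"UserManagement"},
}


def effective_roles(role, parents=ROLE_PARENTS):
    """Return `role` plus every ancestor, following parent links transitively.

    Depth-first walk that keeps the current path, so a cyclic hierarchy is
    reported instead of recursing forever. A role absent from `parents`
    simply has no ancestors. Diamonds (two paths to one ancestor) are fine.
    """
    resolved = []

    def walk(current, trail):
        if current in trail:
            raise RoleCycleError(" -> ".join(trail + [current]))
        if current in resolved:
            return
        resolved.append(current)
        for parent in parents.get(current, ()):
            walk(parent, trail + [current])

    walk(role, [])
    return frozenset(resolved)


def is_granted(role, resource, inherit=True,
               parents=ROLE_PARENTS, grants=ACL_GRANTS):
    """Decide whether `role` may access `resource`.

    inherit=False models the bug in the report: only the role's own GRANT
    entries count, so a manager is denied Meter/Asset although it should
    inherit them from auditor. inherit=True is the fixed behaviour.
    """
    roles = effective_roles(role, parents) if inherit else {role}
    return any(resource in grants.get(r, ()) for r in roles)


def workaround_grants(parents=ROLE_PARENTS, grants=ACL_GRANTS):
    """For each role, the resources it only gets via inheritance.

    These are the grants that must be repeated explicitly per role while
    inheritance is not honoured (the lines highlighted in red in the report).
    """
    result = {}
    for role in parents:
        own = grants.get(role, set())
        inherited = set()
        for ancestor in effective_roles(role, parents) - {role}:
            inherited |= grants.get(ancestor, set())
        extra = inherited - own
        if extra:
            result[role] = extra
    return result


if __name__ == "__main__":
    for role in ROLE_PARENTS:
        print(f"{role}: effective roles {sorted(effective_roles(role))}")
    print("manager -> Meter, no inheritance:",
          is_granted("manager", "Meter", inherit=False))
    print("manager -> Meter, with inheritance:",
          is_granted("manager", "Meter"))
    print("grants that must be duplicated without inheritance:",
          workaround_grants())
```

`effective_roles` is the piece a security context's getRoles() needs; a visited list alone would stop infinite recursion but silently accept a cyclic policy, which is why the path check raises instead.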