Task #8427
Access roles are not inherited
100%
Description
Assuming we defined the following three ACL roles in Policy.yaml:
- administrator
- manager
- auditor
"Auditor" should be the lowest level, "administrator" the highest. A typical example would be: admin has access to everything (incl. user management features), "manager" and "auditor" have access to low level features. Therefore, a good approach would be to inherit all privileges an "auditor" has, to the "manager" role and all privileges a "manager" has, to "administrator".
The attached document shows the entries in "Policy.yaml" as an example. Note the two/four lines highlighted in red (at "acl" section). You would expect that you do NOT need those lines, because "manager" already has access to Meter/Asset (inherited by "auditor"), as well as "administrator".
But if these lines are removed, an "Access denied" exception is thrown when trying to access Asset/Meters with a "manager" or "administrator" user.
Assumption:
Privileges are not inherited. In this example: GRANT for role "auditor" is not passed to "manager" (and "administrator" in the next level).
Workaround:
Assign all "admin" users to "auditor" and/or "manager" roles, too. Or: include the additional lines in Policy.yaml as shown in attached document.
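The behaviour the report describes, as an added illustration that is not part of the ticket or of the FLOW3 code base: a small policy model with the three roles, where `get_roles()` expands a user's assigned roles into the inherited set and `is_granted()` can be run with or without that expansion. The policy dict, its `roles` key naming parent roles, and the resource names are constructed stand-ins for the attached Policy.yaml, not the real schema.

```python
# Added example, not FLOW3 code: resolves role inheritance for an ACL policy
# shaped like the Policy.yaml described in the report.
from typing import Dict, List, Set

# Constructed stand-in for the report's Policy.yaml. Each role lists the role
# it inherits from (an assumed layout, not the real Flow schema), and the acl
# section grants resources per role. The lines the report highlights in red
# (repeating Meter/Asset for "manager" and "administrator") are left out on
# purpose, so only inheritance can make those roles pass the check.
POLICY: Dict[str, Dict[str, object]] = {
    "roles": {
        "auditor": [],
        "manager": ["auditor"],
        "administrator": ["manager"],
    },
    "acl": {
        "auditor": {"Meter": "GRANT", "Asset": "GRANT"},
        "administrator": {"UserManagement": "GRANT"},
    },
}

def get_roles(policy: dict, assigned: List[str]) -> Set[str]:
    """Expand assigned roles into the full set including inherited ones,
    which is what the report expects the security context's getRoles() to do.
    A depth-first walk with a visited set tolerates cycles in the hierarchy."""
    effective: Set[str] = set()
    stack = list(assigned)
    while stack:
        role = stack.pop()
        if role in effective:
            continue
        if role not in policy["roles"]:
            raise ValueError(f"unknown role {role!r}")
        effective.add(role)
        stack.extend(policy["roles"][role])
    return effective

def is_granted(policy: dict, assigned: List[str], resource: str, inherit: bool = True) -> bool:
    """True if any consulted role holds GRANT on resource. With inherit=False only
    the directly assigned roles are consulted, reproducing the reported bug."""
    consulted = get_roles(policy, assigned) if inherit else set(assigned)
    return any(policy["acl"].get(r, {}).get(resource) == "GRANT" for r in consulted)

if __name__ == "__main__":
    for roles in (["auditor"], ["manager"], ["administrator"]):
        for res in ("Meter", "UserManagement"):
            print(roles, res, "without inheritance:", is_granted(POLICY, roles, res, False),
                  "with inheritance:", is_granted(POLICY, roles, res))
```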
Files
Updated by Michael Schams almost 12 years ago
Updated by Andreas Förthner almost 12 years ago
- Category set to Security
- Status changed from New to Accepted
- Assignee set to Andreas Förthner
This feature probably got lost in the last refactoring of the security context. The getRoles() method of the context has to take inheritance into account.
I will take care asap.
Updated by Andreas Förthner almost 12 years ago
- Status changed from Accepted to Resolved
- % Done changed from 0 to 100
Applied in changeset r4624.