[jboss-jira] [JBoss JIRA] Updated: (JBRULES-428) Access Control List - each node to be protected
Fernando Meyer (JIRA)
jira-events at lists.jboss.org
Wed Feb 13 19:08:27 EST 2008
[ http://jira.jboss.com/jira/browse/JBRULES-428?page=all ]
Fernando Meyer updated JBRULES-428:
-----------------------------------
Description:
Rule nodes (at least) need to have an ACL: what groups can access it in what capacity. First need to have a structure for ACLs to be stored.
They should be tied to user groups/roles, not individual logins.
JAAS should provide the user name and the user's context (group membership) I believe.
When there is an ACL, it must be checked to see if the user (via their group membership) can do one of the following:
Edit, change status, view, delete.
If they can't view, ideally it will not be shown in any "lists", but if that is not feasible, it would be acceptable to list it, but not show the contents.
Will need to be able to set permission from within an admin facility of the application.
see http://wiki.jboss.org/wiki/Wiki.jsp?page=RulesRepositoryRoleAuthorization for more details
was:
Rule nodes (at least) need to have an ACL: what groups can access it in what capacity. First need to have a structure for ACLs to be stored.
They should be tied to user groups/roles, not individual logins.
JAAS should provide the user name and the user's context (group membership) I believe.
When there is an ACL, it must be checked to see if the user (via their group membership) can do one of the following:
Edit, change status, view, delete.
If they can't view, ideally it will not be shown in any "lists", but if that is not feasible, it would be acceptable to list it, but not show the contents.
Will need to be able to set permission from within an admin facility of the application.
> Access Control List - each node to be protected
> ------------------------------------------------
>
> Key: JBRULES-428
> URL: http://jira.jboss.com/jira/browse/JBRULES-428
> Project: JBoss Drools
> Issue Type: Sub-task
> Security Level: Public(Everyone can see)
> Components: drools-brms
> Reporter: Michael Neale
> Assigned To: Fernando Meyer
>
> Rule nodes (at least) need to have an ACL: what groups can access it in what capacity. First need to have a structure for ACLs to be stored.
> They should be tied to user groups/roles, not individual logins.
> JAAS should provide the user name and the user's context (group membership) I believe.
> When there is an ACL, it must be checked to see if the user (via their group membership) can do one of the following:
> Edit, change status, view, delete.
> If they can't view, ideally it will not be shown in any "lists", but if that is not feasible, it would be acceptable to list it, but not show the contents.
> Will need to be able to set permission from within an admin facility of the application.
> see http://wiki.jboss.org/wiki/Wiki.jsp?page=RulesRepositoryRoleAuthorization for more details
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
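
The ACL structure the issue asks for, sketched as an added example that is not part of the original message or of the Drools BRMS code: a per-node map from role to permissions, a deny-by-default check, and list filtering for nodes the user cannot view. Every class, method and role name is hypothetical; it assumes every node carries an ACL, that role names have already been extracted from the JAAS login, and Java 16 or later.

```java
import java.util.*;
import java.util.stream.Collectors;
// Added illustration; all names are hypothetical, not Drools BRMS code.
public class NodeAclExample {
    enum Permission { VIEW, EDIT, CHANGE_STATUS, DELETE }

    // Per-node ACL: role name -> permissions granted to that role.
    static final class NodeAcl {
        private final Map<String, EnumSet<Permission>> grants = new HashMap<>();

        void grant(String role, Permission... perms) {
            grants.computeIfAbsent(role, r -> EnumSet.noneOf(Permission.class))
                  .addAll(Arrays.asList(perms));
        }

        // Deny by default: allowed only if a role the user holds carries the permission.
        boolean allows(Set<String> roles, Permission p) {
            return roles.stream().anyMatch(
                r -> grants.getOrDefault(r, EnumSet.noneOf(Permission.class)).contains(p));
        }
    }

    record RuleNode(String name, String content, NodeAcl acl) {}

    // Preferred behaviour in the issue: nodes the user cannot view are left out of lists.
    static List<String> listVisible(Collection<RuleNode> nodes, Set<String> roles) {
        return nodes.stream()
                .filter(n -> n.acl().allows(roles, Permission.VIEW))
                .map(RuleNode::name)
                .collect(Collectors.toList());
    }

    // Contents are checked again on read, so knowing a node's name is not enough.
    static String read(RuleNode n, Set<String> roles) {
        if (!n.acl().allows(roles, Permission.VIEW))
            throw new SecurityException("view denied: " + n.name());
        return n.content();
    }

    public static void main(String[] args) {
        NodeAcl pricing = new NodeAcl();
        pricing.grant("rule-author", Permission.VIEW, Permission.EDIT);
        NodeAcl fraud = new NodeAcl();
        fraud.grant("fraud-team", Permission.VIEW, Permission.EDIT, Permission.DELETE);
        List<RuleNode> repo = List.of(new RuleNode("pricing", "rule text", pricing),
                                      new RuleNode("fraud", "rule text", fraud));
        Set<String> roles = Set.of("rule-author"); // constructed; would come from the JAAS login
        System.out.println(listVisible(repo, roles) + " delete=" + pricing.allows(roles, Permission.DELETE));
    }
}
```

Checking `VIEW` in both `listVisible` and `read` keeps the two paths consistent, so a node hidden from lists cannot be read by a caller who already knows its name.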