Limitations/rules: adding roles to a subject

When adding a role to a subject, the application applies rules binding the type and role of the modification-initiating subject to the target type of the subject being assigned the role.

By adding roles, you can dynamically (during execution) expand the permissions of subjects.

The add_role element can contain multiple rules. Rules are applied sequentially (the order is important) until the first rule that does not conflict with the combination of source_type, source_role, and target_type values is found. In other words, to apply a rule, the following is required:

The type of initiating subject matches a type indicated in source_type.
One of the roles of the initiating subject matches one of the roles indicated in source_role.
The type of the modified subject matches one of the types indicated in target_type.

Options for assigning a type to the subject that initiated addition of roles (source_type element):

Specific type: source_type: core
List of types: source_type: [core, dispatcher]
Any type: source_type: @any

Options for assigning a role to the subject that initiated addition of roles (source_role element):

Specific role: source_role: system
List of roles: source_role: [system, user]
Any role: source_role: @any

Options for assigning the original type to the target subject (target_type element):

Specific type: original_type: core
Type corresponding to the type of initiating entity: original_type : @source_type
List of types: original_type: [core, dispatcher, @source_type]
Any type: original_type: @any

Options for assigning permissible roles to the target subject (target_role element):

Specific role: target_role: core
Roles matching the roles of the initiating entity: target_role: @source_role
List of roles: target_role: [core, dispatcher]
*any role: target_role: @any

Example

add_role : [

{ source_type: dispatcher

, source_role: system

, target_type: [auditservice, fileservice]

, target_role: [user, admin]

]

Page top