Bug 1041943

Summary: [RFE][keystone]: Restrictions on User-Role Assignment
Product: Red Hat OpenStack
Reporter: RHOS Integration <rhos-integ>
Component: RFEs
Assignee: RHOS Maint <rhos-maint>
Status: CLOSED UPSTREAM
QA Contact:
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: unspecified
CC: markmc, yeylon
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
URL: https://blueprints.launchpad.net/keystone/+spec/prerequisite-user-role-assignment
Whiteboard: upstream_milestone_none upstream_status_unknown upstream_definition_superseded
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-19 17:44:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description RHOS Integration 2013-12-12 20:12:24 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/prerequisite-user-role-assignment.

Description:

In OpenStack, the admin can assign a set of roles to users when they are added to a project. For instance, the admin creates a user Alice, adds Alice to project DEMO and assigns the "member" role to Alice. Later on, the admin can add more roles or delete roles from Alice. However, roles are usually dependent on each other. In other words, in order to assign one role to a user, the user must currently be in several prerequisite roles (e.g., in order to assign Alice to the "manager" role, Alice must currently be assigned the "areaDirector" role). Similarly, conflicting roles prevent the admin from assigning those roles to users at the same time (e.g., if the admin wants to assign Alice to the "manager" role, Alice should NOT currently be assigned any roles in {"director", "DeptLeader"}).
Those restrictions are useful in conflict handling and are currently not provided in OpenStack. Since role creation has been provided, this proposal provides the mechanism (GUI) to specify dependencies and conflicts among globally created roles in each project. That means there could be different restrictions in different projects. When the admin assigns roles to users, those restrictions are enforced.

Specification URL (additional information):

None
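
A minimal sketch of the enforcement this request describes, added here as an illustration; it is not Keystone code and not part of the blueprint. The class and function names are hypothetical, the DEMO rule set is constructed from the description's examples, and the two-way conflict check and the revoke guard are assumptions that go beyond what the description states.

```python
from dataclasses import dataclass, field

class RoleConstraintError(Exception):
    """An assignment or revocation would violate the project's restrictions."""

@dataclass
class ProjectRolePolicy:
    """Restrictions for ONE project; each project carries its own instance."""
    prerequisites: dict = field(default_factory=dict)  # role -> roles required first
    conflicts: dict = field(default_factory=dict)      # role -> roles that exclude it
    assignments: dict = field(default_factory=dict)    # user -> roles currently held

    def assign(self, user, role):
        held = self.assignments.setdefault(user, set())
        missing = set(self.prerequisites.get(role, ())) - held
        if missing:
            raise RoleConstraintError(
                f"{user}: {role!r} needs prerequisite role(s) {sorted(missing)}")
        # Assumption: conflicts are checked in both directions, so a rule
        # declared only on "manager" also blocks adding "director" later.
        clashing = {r for r in held
                    if r in self.conflicts.get(role, ())
                    or role in self.conflicts.get(r, ())}
        if clashing:
            raise RoleConstraintError(
                f"{user}: {role!r} conflicts with held role(s) {sorted(clashing)}")
        held.add(role)

    def revoke(self, user, role):
        held = self.assignments.get(user, set())
        # Assumption: a role cannot be removed while a held role depends on it,
        # otherwise the prerequisite rule could be bypassed after the fact.
        dependents = {r for r in held if role in self.prerequisites.get(r, ())}
        if dependents:
            raise RoleConstraintError(
                f"{user}: {role!r} is still required by {sorted(dependents)}")
        held.discard(role)

def build_demo_policy():
    # Constructed rule set for project DEMO, taken from the examples above.
    return ProjectRolePolicy(
        prerequisites={"manager": {"areaDirector"}},
        conflicts={"manager": {"director", "DeptLeader"}},
    )
```

Keeping one policy object per project matches the request's point that different projects may carry different restrictions over the same globally created roles.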