Bug 1041943 - [RFE][keystone]: Restrictions on User-Role Assignment
Summary: [RFE][keystone]: Restrictions on User-Role Assignment
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: RFEs
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: RHOS Maint
QA Contact:
URL: https://blueprints.launchpad.net/keys...
Whiteboard: upstream_milestone_none upstream_stat...
Depends On:
Blocks:
Reported: 2013-12-12 20:12 UTC by RHOS Integration
Modified: 2015-03-19 17:44 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-19 17:44:38 UTC
Target Upstream Version:



Description RHOS Integration 2013-12-12 20:12:24 UTC
Cloned from launchpad blueprint https://blueprints.launchpad.net/keystone/+spec/prerequisite-user-role-assignment.

Description:

In OpenStack, the admin can assign a set of roles to users when they are added to a project. For instance, the admin creates a user Alice, adds Alice to project DEMO and assigns the "member" role to Alice. Later on, the admin can add more roles or delete roles from Alice. However, roles are usually dependent on each other. In other words, in order to assign one role to a user, the user must currently be in several prerequisite roles (e.g., in order to assign Alice to the "manager" role, Alice must currently be assigned the "areaDirector" role). Similarly, conflict roles prevent the admin from assigning those roles to users at the same time (e.g., if the admin wants to assign Alice to the "manager" role, Alice should NOT currently be assigned any roles in {"director", "DeptLeader"}).
Those restrictions are useful in conflict handling and are currently not provided in OpenStack. Since role creation has been provided, this proposal provides the mechanism (GUI) to specify dependencies and conflicts among globally created roles in each project. That means there could be different restrictions in different projects. When the admin assigns roles to users, those restrictions are enforced.

Specification URL (additional information):

None
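
The check this request describes, as an added sketch that is not part of the original report and is not Keystone code: per-project prerequisite and conflict sets are consulted before a role is granted. All names here (`RoleRule`, `RESTRICTIONS`, `check_assignment`, `assign_role`) are hypothetical, and the sample policy is constructed from the Alice example above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleRule:
    prerequisites: frozenset = frozenset()  # roles the user must already hold
    conflicts: frozenset = frozenset()      # roles the user must not hold


# Constructed sample policy: project -> role -> rule. Roles are global,
# restrictions are per project, so other projects carry no rule here.
RESTRICTIONS = {
    "DEMO": {
        "manager": RoleRule(
            prerequisites=frozenset({"areaDirector"}),
            conflicts=frozenset({"director", "DeptLeader"}),
        ),
    },
}


class AssignmentDenied(Exception):
    """Raised when a role assignment violates a project restriction."""


def check_assignment(project, current_roles, new_role, restrictions=RESTRICTIONS):
    """Return (missing_prerequisites, conflicting_roles) as sorted lists."""
    rule = restrictions.get(project, {}).get(new_role, RoleRule())
    current = set(current_roles)
    return sorted(rule.prerequisites - current), sorted(rule.conflicts & current)


def assign_role(assignments, project, user, new_role, restrictions=RESTRICTIONS):
    """Grant new_role only if the project's restrictions are satisfied.

    assignments maps (project, user) -> set of role names and is updated
    in place; nothing is changed when the assignment is denied.
    """
    current = assignments.setdefault((project, user), set())
    missing, clashing = check_assignment(project, current, new_role, restrictions)
    if missing or clashing:
        raise AssignmentDenied(
            f"{user}/{project}: cannot assign {new_role!r}; "
            f"missing prerequisites={missing}, conflicting roles={clashing}"
        )
    current.add(new_role)
    return current
```
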

