Note that implied roles are used for domain-specific roles. Thus, a domain admin should be able to create a rule where the explicit role is a domain-specific role and the implied role is a global role or another domain-specific role.
Given the following sample data, and assuming role names and IDs are identical:
Domain Specific Roles:
Dom1R1
Dom2R2
Dom1R2
Dom2R2
Global Roles:
GlobalR1
Admin
Assignments:
User0 Admin Scoped to System
User1 Admin on Dom1
User2 Admin on Dom2
The following should be legal:
User1 can create a role Dom1R1 implies Admin
User1 can create a role Dom1R1 implies Dom1R2
User2 can create a role Dom2R1 implies Admin
User2 can create a role Dom2R2 implies Dom1R1
User0 can create a role Admin implies GlobalR1
The following should be enforced:
User1 cannot create a role Dom2R1 implies Admin
User1 cannot create a role Dom2R2 implies Dom1R1
User2 cannot create a role Dom1R1 implies Admin
User2 cannot create a role Dom1R1 implies Dom1R2
User1 or User2 cannot create a role Admin implies GlobalR1
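
The expected behaviour above can be written as a single authorization check and run against every listed case. This is an added example, not Keystone code: the function name, the data layout, and the placement of Dom2R1 in Dom2 (the cases reference it) are assumptions made for illustration.

```python
# Added example; sample data constructed from the cases listed in the report.
SYSTEM = "system"

# Role -> owning domain (None means a global role).
# Assumption: Dom2R1 belongs to Dom2, as the cases imply.
ROLE_DOMAIN = {
    "Dom1R1": "Dom1", "Dom1R2": "Dom1",
    "Dom2R1": "Dom2", "Dom2R2": "Dom2",
    "GlobalR1": None, "Admin": None,
}

# User -> scopes on which that user holds the Admin role.
ADMIN_SCOPES = {"User0": {SYSTEM}, "User1": {"Dom1"}, "User2": {"Dom2"}}


def can_create_implied_role(user, prior_role, implied_role):
    """Return True if `user` may create the rule prior_role -> implied_role."""
    if prior_role not in ROLE_DOMAIN or implied_role not in ROLE_DOMAIN:
        return False  # unknown role: deny by default
    scopes = ADMIN_SCOPES.get(user, set())
    prior_domain = ROLE_DOMAIN[prior_role]
    if prior_domain is None:
        # A global explicit role affects every scope: system admin only.
        return SYSTEM in scopes
    # Authorize on the domain of the explicit (prior) role, never on the
    # implied role, which may be global or belong to another domain.
    return prior_domain in scopes


# (user, explicit role, implied role, expected decision) from the report.
CASES = [
    ("User1", "Dom1R1", "Admin", True), ("User1", "Dom1R1", "Dom1R2", True),
    ("User2", "Dom2R1", "Admin", True), ("User2", "Dom2R2", "Dom1R1", True),
    ("User0", "Admin", "GlobalR1", True),
    ("User1", "Dom2R1", "Admin", False), ("User1", "Dom2R2", "Dom1R1", False),
    ("User2", "Dom1R1", "Admin", False), ("User2", "Dom1R1", "Dom1R2", False),
    ("User1", "Admin", "GlobalR1", False), ("User2", "Admin", "GlobalR1", False),
]


def mismatches():
    """Return the cases where the check disagrees with the expected decision."""
    return [c for c in CASES if can_create_implied_role(*c[:3]) != c[3]]


if __name__ == "__main__":
    for user, prior, implied, _ in CASES:
        verdict = "allow" if can_create_implied_role(user, prior, implied) else "deny"
        print(f"{user}: {prior} implies {implied} -> {verdict}")
```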