GenevaGem - Role Inheritance Map

As we saw in the last post, the ACL execution plan adds great value in helping admins understand the access control processing model. Another possibly confusing area involves the way users inherit group memberships and security roles. Let's take a look at how the new Role Inheritance Map in Geneva can help visualize a user's inheritance model and save us a lot of clicking around.

Disclaimer 1: This feature requires the Contextual Security: Role Management Enhancements plugin. It may not be activated in your instance, but an admin can easily install it.

Let's take a look at an example. Meet Chuck: he's a pretty cool dude with some unusual roles.

It's clear from the user's related list of roles that he has a few roles most aviators could only dream of acquiring. We can also see that all of the roles are inherited; none are explicitly granted to his user account. This list of roles is a "flattened" model of all the roles the user has, regardless of how they got them.

Roles can be acquired in a number of ways:

  • Explicit on user account
  • Inherited from a group the user is a member of
  • Inherited from a group that is a child of a group that the user is a member of
  • Inherited from another role that the user has acquired explicitly or from group inheritance

Now you can imagine how confusing this can be if you need to understand why a user has a particular role. This need occasionally comes up during an application access audit.

From the user form, we can view the list of direct groups the user is a member of. 

Prior to the Geneva release, you'd have to click through all of the user's groups, nested groups, roles, and nested roles to understand the inheritance hierarchy.

Let's see how the new inheritance map can help streamline the investigation. 

Disclaimer 2: The Role Inheritance Map UI Action wasn't visible in my instance for some reason. You might have to check the "list context" option on the action if you don't see it after activating the plugin.

From the related list of roles on a user form, you can right-click a role to access the new action and view the role inheritance map.

If we view the map for the base_access role, we can see that the role has been granted to the Air Force group, which Chuck is a member of. A pretty simple case, so let's go a little deeper.

Now let's look at the map for the Experimental role that Chuck has also inherited. From this single view we can quickly learn that:

  • Chuck is a member of the Experimental Pilots group
  • The Experimental Pilots group is granted the High Altitude role (we can also see this from the user form)
  • The High Altitude role contains the Experimental role
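To make the four acquisition routes listed earlier and Chuck's Experimental chain concrete, here is an added Python example (not part of the original post or of ServiceNow) that flattens a user's roles and records the path behind each one, which is the question the map answers. The group and role names are constructed sample data; "Test Wing" and "flight_test" are hypothetical additions to exercise the child-group route.

```python
from collections import deque

# Constructed sample data modelled on the post's example. "Test Wing" and
# "flight_test" are hypothetical additions to exercise the child-group rule.
USER_ROLES = {"chuck": []}                       # roles explicit on the user record
USER_GROUPS = {"chuck": ["Air Force", "Experimental Pilots"]}
GROUP_CHILDREN = {"Air Force": ["Test Wing"]}    # group -> child groups
GROUP_ROLES = {
    "Air Force": ["base_access"],
    "Experimental Pilots": ["High Altitude"],
    "Test Wing": ["flight_test"],
}
ROLE_CONTAINS = {"High Altitude": ["Experimental"]}  # role -> roles it contains


def flatten_roles(user):
    """Return {role: path}, where path lists each hop from the user to the role.

    Follows the four acquisition routes from the post: explicit on the user,
    via a direct group, via a child of a direct group, and via role containment.
    Explicit and group grants are queued before contained roles, so a role that
    is reachable both ways reports the more direct path. Visited sets make the
    walk safe against cyclic group or role definitions.
    """
    pending = deque((r, [f"user {user}", f"role {r}"]) for r in USER_ROLES.get(user, []))
    groups = deque((g, [f"user {user}", f"group {g}"]) for g in USER_GROUPS.get(user, []))
    seen_groups = set()
    while groups:
        g, path = groups.popleft()
        if g in seen_groups:
            continue
        seen_groups.add(g)
        pending.extend((r, path + [f"role {r}"]) for r in GROUP_ROLES.get(g, []))
        groups.extend((c, path + [f"child group {c}"]) for c in GROUP_CHILDREN.get(g, []))
    resolved = {}
    while pending:
        role, path = pending.popleft()
        if role in resolved:
            continue
        resolved[role] = path
        pending.extend((inner, path + [f"role {inner}"]) for inner in ROLE_CONTAINS.get(role, []))
    return resolved


def explain(user, role):
    """Render one role's inheritance chain, the way the map answers 'why?'."""
    path = flatten_roles(user).get(role)
    return " -> ".join(path) if path else f"{user} does not have role {role}"


if __name__ == "__main__":
    for role, path in sorted(flatten_roles("chuck").items()):
        kind = "explicit" if len(path) == 2 else "inherited"
        print(f"{role:14} {kind:9} {' -> '.join(path)}")
```

A two-hop path means the role is explicit on the user record; anything longer is inherited, which is the distinction the flattened related list hides.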

This is still a relatively simple model compared to some of the real world examples I've seen in large enterprise customers, but at least this gives you a taste of what's possible.