@x-eye
Last active April 29, 2016 20:12
Enabling RBAC in OpenStack
Here and below, "resource" means a project or anything else that can be protected by policy enforcement.
Enforce means checking whether the requested action is permitted on the resource.
Policy means a rule describing the access requirement: which role permissions are needed to act on a resource.
Role means an assignable attribute of an identity, used for access control purposes.
Identity is the image of an actor who associates himself with that identity through authentication.
Two parts do this: oslo.policy's enforce and Keystone's token machinery.
Enforce checks whether the scope carried in the token along with the identity contains a role and a resource matching the role and resource
named in the policy, and only then allows the requested operation.
A token carrying a scope is obtained as the result of an authorization operation.
Authorization checks whether the identity has a role associated with the resource and, if so, issues a token scoped to that resource.
So the authorization operation is only needed to obtain a scope to pass to enforcement.
It can be omitted if enforcement is done by the service that owns both the role assignments and the policies.
In that case the workflow changes:
to check whether an identity is permitted a certain operation on a resource, enforce asks directly:
"does the identity have, on this resource, the role that the operation requires?"
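Both workflows above, as an added worked example that is not code from this gist, from oslo.policy or from Keystone: a toy model that parses a small subset of oslo.policy's rule syntax (`role:<name>` and `project_id:%(project_id)s` checks joined by `and`/`or`, no parentheses), issues scoped tokens from a constructed role-assignment table, and enforces a constructed policy either from a token's scope (workflow 1) or directly from the assignments (workflow 2). The policy, assignments, user and project names are all made up for the example.

```python
"""Toy model of the two RBAC workflows described in the note.

Added example: not code from the gist, oslo.policy or keystone. It parses a
small subset of oslo.policy's rule syntax ("a and b or c", no parentheses,
checks of the form role:<name> and project_id:%(project_id)s). The sample
policy, role assignments and identities below are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ScopedToken:
    """Result of authorization: an identity plus the scope it was granted."""
    user_id: str
    project_id: str          # the resource (project) the token is scoped to
    roles: frozenset         # roles the identity holds on that project


# Constructed policy: action -> rule. 'and' binds tighter than 'or', as in oslo.policy.
POLICY = {
    "compute:start": "role:member and project_id:%(project_id)s",
    "compute:delete": "role:admin or role:member and project_id:%(project_id)s",
}

# Constructed role assignments, as keystone would hold them: (user, project) -> roles.
ASSIGNMENTS = {
    ("alice", "proj-a"): frozenset({"member"}),
    ("bob", "proj-a"): frozenset({"admin", "member"}),
    ("carol", "proj-b"): frozenset({"member"}),
}


def parse_rule(rule: str) -> list[list[str]]:
    """'x and y or z' -> [['x', 'y'], ['z']]: OR-alternatives, each an AND-list of checks."""
    return [[check.strip() for check in alt.split(" and ")] for alt in rule.split(" or ")]


def _check(check: str, creds: dict, target: dict) -> bool:
    """Evaluate one check against the credentials and the target resource."""
    kind, _, value = check.partition(":")
    if kind == "role":
        return value in creds["roles"]
    if kind == "project_id":
        # "%(project_id)s" is substituted from the target, as oslo.policy does
        if value.startswith("%(") and value.endswith(")s"):
            value = target[value[2:-2]]
        return creds["project_id"] == value
    raise ValueError(f"unsupported check: {check}")


def enforce(policy: dict, action: str, creds: dict, target: dict) -> bool:
    """Workflow 1: enforcement from credentials taken out of a scoped token."""
    rule = policy.get(action)
    if rule is None:
        return False                       # fail closed: no rule, no access
    return any(all(_check(c, creds, target) for c in alt) for alt in parse_rule(rule))


def authorize(assignments: dict, user_id: str, project_id: str) -> ScopedToken:
    """Keystone-style authorization: a scoped token only if the identity has a role on the resource."""
    roles = assignments.get((user_id, project_id))
    if not roles:
        raise PermissionError(f"{user_id} has no role on {project_id}")
    return ScopedToken(user_id, project_id, roles)


def creds_from_token(token: ScopedToken) -> dict:
    """Credentials as enforce() sees them: identity, scope and the roles on that scope."""
    return {"user_id": token.user_id, "project_id": token.project_id, "roles": token.roles}


def enforce_direct(policy: dict, assignments: dict, action: str, user_id: str, target: dict) -> bool:
    """Workflow 2: the service owns both assignments and policy, so no token is needed.
    The question collapses to: does the identity hold the required role on the target?"""
    roles = assignments.get((user_id, target["project_id"]), frozenset())
    creds = {"user_id": user_id, "project_id": target["project_id"], "roles": roles}
    return enforce(policy, action, creds, target)


if __name__ == "__main__":
    alice = creds_from_token(authorize(ASSIGNMENTS, "alice", "proj-a"))
    print(enforce(POLICY, "compute:start", alice, {"project_id": "proj-a"}))  # True
    print(enforce(POLICY, "compute:start", alice, {"project_id": "proj-b"}))  # False: token scope != target
    bob = creds_from_token(authorize(ASSIGNMENTS, "bob", "proj-a"))
    print(enforce(POLICY, "compute:delete", bob, {"project_id": "proj-b"}))   # True: role:admin has no project check
    print(enforce_direct(POLICY, ASSIGNMENTS, "compute:delete", "bob", {"project_id": "proj-b"}))  # False
```

The last two calls show the difference between the workflows that a practitioner should check for in real policy files: the `role:admin` alternative carries no `project_id` check, so in workflow 1 a token scoped to `proj-a` with the admin role passes it for a target in `proj-b`, whereas workflow 2 looks up bob's roles on `proj-b` itself and finds none. Whether that cross-project pass is intended depends on the policy author; it is the reason a rule that should be project-bound must pair the role check with a `project_id` check.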